Affiliate Marketing and PCI DSS Compliance

CIOReviewIndia Team | Saturday, 17 October 2020, 06:17 IST

In 2019, more than 3.2 million fraud cases were reported to the Federal Trade Commission. With this many cases of fraud, customers are becoming conscious of the companies they trust with their personal data, especially debit and credit card data. If a customer fears that their data will not be safe with your business, the chances are that they won't transact with you.

Credit card fraud can lead to a bevy of issues, from identity theft to the loss of finances. No one wants to be on the wrong side of credit card fraud. Also, as a merchant, if card processing companies feel that your business risks the data of your customers, you could end up losing your account with them.

Sadly, most payment processors consider affiliate marketing merchants high-risk account holders. While there are many processors that can support you, most require you to take a few steps to ensure your customers' credit card data is safe from threat actors. One of the best ways to improve the safety of that data is PCI DSS compliance.

Here is what you should know about the fraud risks that come with holding affiliate marketing merchant accounts with payment processors, and how PCI DSS can alleviate that risk:

Why Affiliate Marketing Merchants Are Considered Risky

The affiliate marketing model adds an intermediary between you, the merchant, and your payment processor, which is what makes affiliate marketing merchants risky to payment processors. Typically, businesses that use affiliate marketing have more chargebacks than other businesses. Since your business relies on affiliates to run your marketing campaign to some extent, you have less control over how affiliates portray your product to the customer.

Customers who receive a product that is significantly different from the way it was marketed will most likely cause chargebacks. The more chargebacks your company receives, the higher the chances of being blacklisted by payment processors or losing your merchant account with them. Even worse, the fact that mobile technology has a significant role to play in how payments are made increases the rates of credit card fraud exponentially.

How to Keep Chargeback Rates Low

Affiliate marketing is an inviting marketing model due to how budget-friendly it is. Your company will have to invest less in marketing while the affiliates do a good chunk of the heavy lifting. As sales rise, they will receive a commission. However, high chargeback rates can eat into the profits made by choosing this marketing model. There are two main ways to prevent high chargeback rates:

  • Train Affiliates Correctly

    Customers who receive products that don't meet the description given earlier will most likely launch chargebacks claiming that the product was "not as described". This is a telltale sign that your affiliates might be using bait-and-switch techniques or misleading testimonials to get customers to make a purchase. While these techniques do increase sales, the resulting chargebacks tend to have a negative impact on the business. Other than lowering credibility and customer trust, they increase the risk of losing your accounts with your payment processor.

    The best way forward is to assess how your affiliates are marketing your products and services and identify those offering misleading information. Taking such affiliates through some form of marketing guideline could help improve how they are marketing your brand. If necessary, you can also end the relationship with non-compliant affiliates to save your payment processing accounts.

  • Get Serious With Data Security

    If you establish that the chargebacks are arising from increasing cases of fraud, you need to take a good look at your data security measures. The good thing is that there are numerous tools out there that can help you keep fraud cases low. Customers trust you with their card data; it makes sense to protect it.

    Don't worry; you don't have to choose the ideal tools for data protection blindly. There are numerous data security standards that you can use as a blueprint for choosing the right tools. One of the best standards to use is the PCI DSS. Complying with this standard is more of a necessity than a luxury for any business that accepts card payments. Here is what you should know about PCI DSS compliance:

What Is PCI DSS Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards created by the top 5 credit card providers. Its main aim is to improve the protection of cardholder data and keep fraud cases low. Any business that deals with cardholder data, whether it shares it, stores it, or simply collects it, should be compliant.

Every merchant is supposed to assess their compliance annually. There are different compliance levels under the PCI DSS, and the level you belong to depends on the volume of card transactions you handle annually. Merchants with small transaction volumes are allowed to self-assess their compliance.

Under federal law, PCI compliance isn't necessary, but there are states that make compliance a necessity for any business operating within state borders. Regardless, compliance can be beneficial in a variety of ways.

How Will You Benefit From Compliance?

The biggest benefit of being PCI compliant is that it improves your data security posture. By following the standard's requirements, you will reduce the chances of your business being involved in fraud or cardholder data theft. Concurrently, customers will trust your business more.

The fact that customers recognize that you are compliant means there are reduced chances of their data falling into threat actors' hands. Even better, you open your business to interacting with more businesses, since some will be wary of working with non-compliant merchants. Lastly, being compliant makes payment processors see you as a low-risk client, even though you have affiliate marketing ties.

The Levels of PCI DSS Compliance

PCI compliance is divided into four levels, which classify businesses depending on their annual card transaction volumes. The more transactions a merchant handles each year, the higher their cost of compliance will be. The four levels of PCI compliance are:

  • Level 1: all merchants that process more than six million card transactions annually belong to this group. A merchant that gets breached automatically falls into this level, regardless of their annual card transaction volume.
  • Level 2: all merchants that process between 1 and 6 million card transactions annually fall into this group.
  • Level 3: merchants that process 20,000 to 1 million card transactions annually fall into this group.
  • Level 4: merchants that process fewer than 20,000 card transactions annually fall into this group.

The compliance validation process also depends on the level you fall into. If you fall into level 2, 3, or 4, you are required to demonstrate compliance annually through a Report on Compliance (ROC) or a Self-Assessment Questionnaire (SAQ). Level 1 merchants are required to validate their compliance with the help of a Qualified Security Assessor (QSA).

Compliance will call for you to establish, monitor, and maintain a PCI DSS program. This includes implementing the business processes, policies, and technologies that ensure your ongoing compliance and the protection of payment card data. Ultimately, you will need to meet the 12 requirements of PCI DSS.

The 12 PCI DSS Objectives

For you to be PCI compliant, you need to comply with 12 main requirements and 220 sub-requirements. The sub-requirements can easily be met by meeting the main requirements. In fact, complying with these requirements could make complying with other regulations and security standards easy. Here are the 12 requirements you need to meet:

  1. Protect stored data
  2. Install a firewall and maintain it to improve data protection
  3. Encrypt the transmission of sensitive information and cardholder data across public networks
  4. Avoid using vendor-supplied defaults for security parameters and system passwords
  5. Use regularly updated anti-virus software
  6. Assign every person with network and computer access a unique ID
  7. Establish data access policies that restrict access to a need-to-know basis
  8. Develop, monitor, and maintain secure applications and systems
  9. Control the physical access to cardholder data
  10. Track security systems and processes regularly
  11. Monitor and track access to cardholder data and network resources
  12. Establish and maintain information security policies

The Compliance of Third Party Service Providers Is Essential

While your compliance is essential, working with non-compliant third-party service providers could expose you to huge security loopholes. For instance, if you store your cardholder data with a non-compliant cloud provider, there is a chance they could get breached. Your business will still be legally liable for the breach. As a business with affiliate marketing interests, working with affiliate marketplaces like Clickbank, which is PCI compliant, is an ideal choice.

When vetting third-party partners, ensure that they are PCI compliant whenever they come into contact with cardholder data. You can start by sharing the data security policies they need to meet. Of course, this requires you to identify the requirements that apply to their situation.

Your interest in their compliance should not end once you start engaging with them. You should constantly assess their compliance status to ensure that they keep protecting your cardholders' data. Remember, it only takes one slight mistake to find yourself on the wrong side of a data breach. In case there are new updates to the regulation, ensure that your third-party service providers implement them too.

The Cost of Non-Compliance

Even without focusing on the risk posed by a data breach, non-compliance comes with a variety of risks. First of all, it makes your business less inviting to customers and investors who are security-conscious. To them, the fact that you are non-compliant exposes them to huge risks.

Non-compliance can also see you receive fines of anywhere between $5,000 and $100,000 each month. If a data breach occurs, maintaining compliance will be more expensive since you will have to comply with level 1 requirements.

Data breaches also reduce customer trust and increase churn rates. Some of the affected customers could easily sue you for mishandling their data, which introduces your business to legal and compensatory costs. You might also have to pay for forensic investigations to assess the data breach.

Avoid Storing Data Unnecessarily

The fact that you are storing cardholder data exposes you to the risk of a data breach. If you do not need the data, avoid storing it. This applies to instances where customers only made one-time transactions with your business. If the customer is making recurring transactions, encrypt the data.

Data encryption ensures that the data will be inaccessible to anyone who doesn't have the access key. The data becomes useless to anyone who isn't authorized to access it.
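The two rules above (keep nothing you do not need; encrypt what you must keep for recurring customers) can be enforced in code rather than left to policy. The following Go program is an added example written for this page; it is not code from the article, from CIOReviewIndia or from Reciprocity Labs, and all names in it are assumptions. A one-time transaction keeps only a masked card number, a recurring customer's card number is stored only as AES-256-GCM ciphertext under a key that is assumed to live outside the cardholder database, and the security code (CVV) has no place in the stored record at all, since PCI DSS forbids storing it after authorization. The card number used in the usage code is the well-known test number, constructed here as sample input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// CheckoutInput is what the payment form hands to the application
// (constructed for this example; the field names are assumptions).
type CheckoutInput struct {
	PAN       string // full card number as typed by the customer
	CVV       string // security code; needed for authorization only
	Recurring bool   // true when the customer agreed to repeat billing
}

// StoredRecord is the only shape allowed into the database. It has no CVV
// field on purpose: the security code must never be persisted.
type StoredRecord struct {
	MaskedPAN    string // first six and last four digits, safe for receipts
	EncryptedPAN []byte // nonce || AES-GCM ciphertext; nil for one-time customers
}

// validatePAN accepts 13 to 19 digits and rejects anything else.
func validatePAN(pan string) error {
	if len(pan) < 13 || len(pan) > 19 {
		return errors.New("PAN length out of range")
	}
	for _, c := range pan {
		if c < '0' || c > '9' {
			return errors.New("PAN must contain digits only")
		}
	}
	return nil
}

// MaskPAN replaces every digit except the first six and last four with '*'.
func MaskPAN(pan string) string {
	if len(pan) <= 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// newGCM builds an AES-GCM cipher; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN seals the PAN with a fresh random nonce and prepends that nonce
// so the stored blob is self-describing at decryption time.
func EncryptPAN(key []byte, pan string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// DecryptPAN reverses EncryptPAN; a tampered blob fails GCM authentication.
func DecryptPAN(key, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pan, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pan), nil
}

// BuildRecord applies the minimisation rule: one-time transactions keep only
// the masked PAN; recurring customers keep the PAN, but only encrypted.
// The CVV in the input is dropped by construction.
func BuildRecord(key []byte, in CheckoutInput) (StoredRecord, error) {
	if err := validatePAN(in.PAN); err != nil {
		return StoredRecord{}, err
	}
	rec := StoredRecord{MaskedPAN: MaskPAN(in.PAN)}
	if in.Recurring {
		enc, err := EncryptPAN(key, in.PAN)
		if err != nil {
			return StoredRecord{}, err
		}
		rec.EncryptedPAN = enc
	}
	return rec, nil
}

func main() {
	key := make([]byte, 32) // demo only; a real key comes from a key service or HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rec, err := BuildRecord(key, CheckoutInput{PAN: "4111111111111111", CVV: "123", Recurring: true})
	if err != nil {
		panic(err)
	}
	fmt.Println("masked:", rec.MaskedPAN, "encrypted bytes:", len(rec.EncryptedPAN))
}
```

The design point is that the database schema itself cannot hold a CVV and cannot hold a plaintext card number, so a developer cannot accidentally store either; the only thing left to protect is the encryption key, which is exactly the separation the "protect stored data" requirement is after.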

Pick the Right Payment Processing Providers

A good number of payment processors will shy away from working with you because of your ties to affiliate marketing. While some shy away from the inherent risk, many more can support your business. In fact, some have policies and procedures in place that prevent chargebacks for their clients. Take time to assess the different processors and pick one that will support your business accordingly.

PCI Compliance Should Only Be a Security Add-On

It would be unwise to rely solely on the PCI DSS to provide security for your business. As much as it aims to reduce data breaches, it isn't a perfect data security standard. First of all, PCI DSS is a generalized standard, which means it might not address security issues that are unique to your business or industry.

Also, the rate at which the standard gets updated is much slower than the rate at which new threats emerge. Threat actors are always looking for new ways to take advantage of unsecured businesses.

The trick is to be compliant with PCI DSS and implement other essential security measures. Ideally, you need to assess your business' risk landscape to identify new and current threats. The earlier you can implement risk-mitigation controls, the more secure your business will be.

The main aim of PCI DSS compliance is to ensure that all parties are happy: customers and investors will appreciate your data protection measures, and your business will be protected from the consequences of a data breach. The fact that you run a business that's considered risky by payment processors makes compliance even more essential. Work on your business' compliance to protect it and your customers.

Author Bio:

Jordan MacAvoy is the Vice President of Marketing at Reciprocity Labs and manages the company's go-to-market strategy and execution. Prior to joining Reciprocity, Mr. MacAvoy served in executive roles at Fundbox, a Forbes Next Billion Dollar Company, and Intuit, via their acquisition of the SaaS marketing and communications solution, Demandforce.
