There are many double standards that exist in the payments industry. The landscape is littered with conflictions laid out from Security Standards Council(PCI), Card brands(Visa, MasterCard, American Express) and the sponsor banks. Companies like Square that have received investment directly from Visa benefit from bias rules created to manage an industry they are often competing against.
PCI compliance has a double standard for Payment Facilitators or PayFacs compared to traditional acquirers. A sub-merchant processing with a Payfac often removes themselves from the cost and obligations of having to complete quarterly Self-Assessment Questionnaires (SAQ) or involve a 3rd party auditor like Trustwave, CoalFire or Security Metrics. According to Stripe, larger organizations shift from thousands of hours of compliance work to 2-5 days of effort; smaller organizations save hundreds of hours of work.
Our belief is that the logic behind these double standards is that a merchant-of-record carries the liability and compliance responsibility in an ecosystem that is all the same. The reality is that merchants, even processing with a Payfac may not have the same application and payments footprint. PCI compliance has legitimately become a more important issue for merchants, issuers and acquirers with high profile breaches including Target, Home Depot and Wawa. However, acquirers charging monthly PCI compliance or a monthly PCI non-compliance fees of $20-$40 per month are exactly the underhanded pricing strategies that have driven so many clients to PayFacs with a true flat rate pricing model. Compliance is vital to every merchant and provider, making sure they are following proper procedure and protocols. Whether you are an ISV, registered PayFac or Merchant it is important to understand your options and the implications of those choices.