Under the Payment Card Industry Data Security Standard (PCI DSS), a merchant is defined as any entity that accepts payment cards for goods or services. This means that manufacturers are considered merchants – whether they’re selling directly to the end user, to a distribution network, or to a third-party reseller. As a result, they need to meet all the requirements of the PCI DSS – a task that can be easier said than done.
What Manufacturers Need to Know about PCI-Compliant Payment Processing
At a high level, manufacturers are responsible for securing every part of their infrastructure that processes, stores, or transmits credit card data. The PCI DSS breaks this down into six main “focus areas” with several corresponding requirements for each.
Full details for each individual compliance requirement can be found here.
These requirements apply to any environment where the manufacturer processes payments. For instance, if they take orders online through a distributor portal, the checkout page and web server must be compliant; if they also take orders over the phone, they need their phone systems and virtual terminals to be compliant as well.
This can be a full-time undertaking for large manufacturers with enterprise-level IT, security, and compliance teams. For smaller and mid-size manufacturers? It can require more resources than they have available – making it difficult, if not impossible, to stay compliant.
Manufacturing Payment Solutions
One way manufacturers can manage the burden of PCI compliance without allocating multiple full-time resources to the effort? Implementing a payment solution that intentionally reduces or eliminates the parts of their network (i.e., their telephone systems or their online checkout page) that touch payment data. This is called “scope reduction”.
PCI allows merchants to rely on third-party service providers to store, process, or transmit cardholder data on their behalf. When a PCI-validated payment system bypasses the manufacturer’s own infrastructure – instead passing payment data directly to the authorization network – the manufacturer can then exclude that part of their infrastructure from their annual self-assessment questionnaire, or SAQ. (Note that this applies to merchants who process fewer than 6 million transactions per year. High-volume merchants will need to go through a more robust third-party compliance audit.)
Integration with other business systems, however, can make this effort more complex. Manufacturers who use ERP systems or order entry software to manage their transactions often want to add the payment processing function to their current applications. This, however, requires a more strategic approach to remain PCI-compliant. For instance, entering credit card numbers directly into their ERP can put that system – and every part of their infrastructure that touches that system – in scope for PCI compliance. The same is true for keeping cards on file in that ERP if those card numbers aren’t tokenized.
To make this process easier, many ERP systems have built integrated payment functionality into their base platforms. Others don’t have an out-of-the-box credit card processing solution, but can integrate with compatible payment platforms through APIs. While this does involve a bit of programming effort up front, it typically produces a faster, more efficient transaction flow in the long run.
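As an added example that is not part of the original article or of any vendor's product, the following Python sketch shows the tokenized card-on-file pattern described above: the ERP keeps only a provider token, the last four digits and the expiry, and a scan flags any ERP field where a raw card number has crept back in. The TokenVault class stands in for a hypothetical PCI-validated provider, all names are assumptions, and the card number is the public Visa test number.

```python
import re
import secrets
import string

# Constructed sample input: the well-known Visa test number, not a real account.
SAMPLE_PAN = "4111111111111111"

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical stand-in for the PCI-validated provider that keeps the PAN.
    The manufacturer's ERP only ever sees the token it returns."""
    def __init__(self) -> None:
        self._pans: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Letters only, so a token can never be mistaken for a card number.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self._pans[token] = pan
        return token

def erp_card_on_file(vault: TokenVault, pan: str, exp_month: int, exp_year: int) -> dict:
    """Build the record the ERP is allowed to keep: token, last four and expiry."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("not a valid PAN")
    return {"token": vault.tokenize(pan), "last4": pan[-4:],
            "exp": f"{exp_month:02d}/{exp_year}"}

# 13 to 19 digits, optionally separated by spaces or dashes, not part of a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pan_like(text: str) -> list[str]:
    """Return Luhn-valid card-number candidates found in free text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def record_in_scope(record: dict) -> bool:
    """True if any ERP field holds something that looks like a real PAN."""
    return any(find_pan_like(str(v)) for v in record.values())
```

Running the scan over exported ERP tables (order notes, customer memos, free-text fields) is a cheap way to check that the scope reduction you claim on the SAQ actually holds.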
Discover Curbstone’s Payment Services for the Manufacturing Industry
With deep experience in the manufacturing industry, Curbstone’s payment solutions can reduce the number of places your system touches credit card data. If you’re using an ERP system like Infor, Iptor, or HarrisData, you can benefit from RPG-native APIs that allow for fast and efficient integration – not to mention the expertise of a team that’s helped many manufacturers add payments to their order entry process while reducing their PCI scope.
We know compliance can be challenging to sort out, which is why we’re here at every step of the way. From planning your implementation to long-term support and fee optimization, we’ll guide you through the process so you can focus on what it is you do best: running your business. To see what payment solutions can best support your PCI compliance efforts, contact us today.