PCI Compliance

Understanding Billing and Payments Security

What you need to know about accepting bill payments while maintaining compliance with PCI and other security standards

What is billing and payments security and compliance?

Presenting bills and processing payments securely requires compliance with technical and operational standards to protect consumer data and privacy, as well as ensuring equity and fairness in billing practices.


Why should you care about billing and payments security and compliance?

Maintaining compliance with the payment processing security standards that apply to your industry is critical for avoiding data security breaches, ensuring consumer trust and protecting your business's reputation. In some cases, failure to comply with security standards can lead to financial consequences and other penalties.


What do consumers think about billing and payments security?

With more and more consumers preferring to pay bills digitally, data and information security are increasingly important. The ACI Speedpay Trend Report reveals that consumer trust is at a high, with more than four in five consumers reporting that they are “somewhat or very confident” that their financial data is secure when paying bills. This confidence requires accountability and continued reinforcement of billing and payment security protocols, both to maintain positive consumer attitudes and to instill trust in those who are still unsure about the security of their payments data.

Download the ACI Speedpay Pulse Trend Report

Get the latest insights into how bill payments security is driving consumer attitudes and behaviors.


What are the major compliance standards billers should know about?

PCI-DSS (Payment Card Industry Data Security Standard) applies to any biller or merchant that accepts payments by card. It provides standards that guide how organizations should store and handle payment card data.

CFPB (Consumer Financial Protection Bureau) is a government agency that develops guidelines and regulations to ensure consumers are treated fairly and consistently.

HIPAA (Health Insurance Portability and Accountability Act) is a federal law that sets national standards for privacy, security and breach notifications.


What is PCI-DSS compliance?

PCI-DSS stands for Payment Card Industry Data Security Standard. It is a set of standards that helps ensure that all companies that accept credit card payments process, store and transmit card data securely. PCI-DSS is governed by the Payment Card Industry Security Standards Council (PCI SSC), an independent body created by the leading payment card brands (Visa, Mastercard, American Express, Discover and JCB). To establish and maintain PCI compliance, organizations that accept bill payments via card must meet 12 operational and technical requirements set out by the PCI SSC.


What are the PCI-DSS requirements?

The 12 requirements of PCI compliance are determined by the PCI SSC to ensure that payment card data stays secure. They include both technical requirements and operational guidelines.

The 12 PCI-DSS requirements:

  • Install and maintain a firewall configuration
  • Do not use vendor-supplied defaults for passwords and other security features
  • Protect stored cardholder data
  • Protect data in transit by encrypting transmissions across open, public networks
  • Protect against malicious software and viruses
  • Develop and maintain secure systems
  • Restrict access to cardholder data
  • Authenticate access by giving each person with computer access a unique ID
  • Control physical access to cardholder data
  • Track and monitor access to cardholder data and network resources
  • Test security systems and processes
  • Maintain a security management policy for employees and contractors

What are the benefits of PCI compliance for organizations that accept bill payments via card?

PCI compliance reduces the risk of a data breach, protects customers, improves brand reputation and imparts a mindset of security.



What are the drawbacks of not being PCI compliant?

Failure to be PCI-DSS compliant can result in fines to the acquiring bank, which are usually passed on to the billing organization or merchant. For repeated violations, the card brands may revoke the biller or merchant’s ability to accept cards entirely. Any breach of consumer payment card data could result in a negative impact to your brand reputation, lost customers and financial consequences.


How can organizations ensure PCI-DSS compliance for bill payments?

Organizations that accept credit card bill payments can ensure PCI-DSS compliance by outsourcing their payment processing to an industry expert with a long track record of maintaining compliance, like ACI Worldwide. As PCI-DSS standards change over time, working with a company focused on payment processing and security can ensure billers maintain compliance while reducing the overall burden on the organization.


What is CFPB compliance?

The Consumer Financial Protection Bureau (CFPB) is a United States federal government agency that makes sure banks, lenders and other financial institutions treat consumers equitably and fairly. CFPB compliance standards apply to companies that provide financial services to consumers, including mortgages, consumer cards, lending and deposit accounts.


What are the requirements of CFPB compliance for mortgage and consumer lenders?

CFPB compliance standards vary by industry and generally cover credit reporting requirements, privacy notices, provision of equal credit opportunities and debt collection.


What are the benefits of CFPB compliance?

CFPB compliance is essential to protect customers and ensure fairness and transparency for all consumers. Businesses and organizations that accept and process bill payments in industries covered by the CFPB — including mortgage and consumer finance lenders — benefit from increased consumer trust and confidence, as well as avoiding potential financial and legal consequences of non-compliance.


What are the drawbacks of not being CFPB compliant?

If a billing organization in a regulated industry fails to meet CFPB standards, it risks negative press and the associated impact on brand reputation, along with civil financial penalties and the filing of consent orders, which formally require a non-compliant organization to address any violations.


How can lenders ensure that their billing processes are CFPB compliant?

CFPB compliance is complex, encompassing numerous legal and regulatory factors that apply to bill presentation and payment. To reduce the burden of compliance, choose a bill presentation and payments partner that can ensure CFPB compliance. Experts that focus on maintaining CFPB compliance will be best able to keep up with the latest rules and policies.


What is HIPAA compliance?

The Health Insurance Portability and Accountability Act (HIPAA) generally prohibits healthcare providers and healthcare businesses, called covered entities, from disclosing protected information to anyone other than a patient and the patient’s authorized representatives without their consent.

HIPAA rules and regulations fall under three main categories:

  • Privacy
  • Security
  • Breach notification

What are the requirements of HIPAA compliance for healthcare billers?

The HIPAA Privacy Rule is composed of national regulations for the use and disclosure of Protected Health Information (PHI) in healthcare treatment, payment and operations by covered entities. PHI is any information that is held by a covered entity regarding health status, provision of health care or health care payment that can be linked to any individual.

HIPAA was intended to make the health care system in the United States more efficient by standardizing health care transactions. HIPAA added a new Part C titled “Administrative Simplification” to Title XI of the Social Security Act. This is supposed to simplify healthcare transactions by requiring all health plans to engage in healthcare transactions in a standardized way, following the HIPAA Electronic Data Interchange (HIPAA/EDI) standards.

The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all Protected Health Information (PHI) including paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). It lays out three types of security safeguards required for compliance: administrative, physical and technical. For each of these types, the Rule identifies various security standards and for each standard, it names both required and addressable implementation specifications.


What are the benefits of HIPAA compliance for billers?

By complying with HIPAA, healthcare billers ensure the privacy and security of sensitive patient and health information.


What are the drawbacks of not being HIPAA compliant?

If healthcare billers fail to comply with HIPAA regulations, they face a loss of patient trust, damage to their brand reputation and financial penalties.


How can billers ensure HIPAA compliance?

Working with a HIPAA-compliant bill presentment and payments partner like ACI Worldwide, whose experts focus on maintaining HIPAA compliance and keep up with the latest rules, policies and security requirements, will ensure HIPAA compliance and reduce the burden of compliance on healthcare billers.


What other compliance standards apply to bill presentment and payments?

In addition to PCI-DSS, CFPB and HIPAA compliance, there are several other compliance standards that may apply to businesses and organizations that accept bill payments.

Bill presentment and payments security and compliance standards:

  • The Sarbanes-Oxley Act (SOX) is a United States federal law that helps protect investors from fraudulent financial reporting.
  • NACHA Certified is a voluntary accreditation program that covers core practices and corporate governance for ACH payment processing.
  • The Federal Financial Institutions Examination Council (FFIEC) is an interagency government body that works with other governmental agencies to supervise financial institutions.
  • Card Association Rules are set out by the card brands (Visa, Mastercard, American Express, etc.) and govern a variety of operations, including cardholder data security standards.
  • Anti-Money Laundering and Bank Secrecy Act (AML/BSA) Certification is a program that administers an examination for adherence to standards applicable to regulated financial institutions and money service businesses.
  • Statement on Standards for Attestation Engagements 18 (SSAE18) provides data center compliance standards that apply to electronic bill presentment and payment.
  • Various federal and state regulations apply to billers in different industries and locations.

How can businesses securely accept and process omni-channel bill payments?

In order to securely accept and process bill payments across all channels, including mobile, ACH and other payment methods, it’s essential to partner with an experienced provider like ACI Worldwide, with the expertise to maintain compliance and security across all payments channels and methods.
