A couple of months ago I attended a meeting at a privately held multibillion dollar company with the CFO and his direct reports. As we walked through our presentation on Payment Cycle Management, the discussion turned to payments and whether or not they accepted credit card payments from their business customers. One of the CFO’s direct reports stated that they did, and that it represented about $100 million dollars’ worth of electronic payments. The other electronic payments came from EDI and ACH.
I asked them about Payment Card Industry compliance standards (also called PCI compliance) for the credit cards, as well as whether they offered Level 2 and 3 processing data back to the credit card processors. The direct report assured me that they were looking into addressing both of these issues, and that he was confident that there was minimal to no risk to their business.
Apparently, the CFO was uncomfortable with the explanation from his direct report and asked the team in the room to walk him through the process of accepting credit cards. What happened next surprised everyone in the room as we learned truly how cards were processed. The process this organization used was as follows: (1) when someone called in to make a credit card payment they wrote down their credit card information, number, expiration date and CV code. (2) Next, they entered that into a system for payment. (3) The CSR rep then filed that piece of paper in a folder in her unsecured desk in case the customer called in again to make another payment, then she would not need to ask them again for their number.
The CFO looked in stunned disbelief, excused himself from the meeting and walked into the General Counsel’s office across from the conference room to share the potential exposure that their business might have with him. As you can imagine the discussion on how our Quantum Payment Bundle could help them with PCI compliance accelerated very quickly after those findings came to light.
I would like to be able to say that this situation is an isolated incident but it’s not. I have talked to executives at many companies who believe that they are in compliance, but later find out that they are not. As one of the executives I have worked with at a large manufacturing customer told me, “We are in the business of making things not managing compliance issues. Billtrust is the expert in this.”
Like high blood pressure or cholesterol, not knowing if you are in PCI compliance can be a risk to the health of your business.
Article By Kirk Dauksavage, Chief Revenue Officer at Billtrust.
Want to know the future DNA of CFOs? Download the white paper.