In this month’s Spotlight on section, we introduce you to CPRAS – the UK’s pre-eminent payment processing consultancy. They have designed and delivered Europe’s first Payment Services Framework to be available not just for governments, but for private sector enterprises as well. Government Offices and Businesses are benefitting from average savings of over 30% for their payment processing costs, but that’s not as important as getting the service package right – as Andrew Flavell, CPRAS’ Director of Partnerships, explains in this interview.
As a professional operating within the card payment industry, what would you say are the most typical issues that businesses in the UK face in terms of the payment processing services that they offer?
Every organisation wants to ensure that they are getting the best value for money possible. Until recently, we were only ever approached by organisations that wanted to cut their costs. This has changed dramatically in the last 12 months, and rightly so.
Now, with new legislation looming which will ultimately make PCI DSS compliance mandatory, most organisations want to know the best way to achieve and maintain compliance.
So what is PCI DSS?
PCI DSS has been a difficult issue for almost all organisations for over a decade now. The acronym stands for Payment Card Industry Data Security Standard, and it sets out the hardware, software and operating conditions that every organisation must follow if it wants to accept card payments. The Standard is extremely thorough and gaining and maintaining compliance can have big financial and HR requirements, but there will be huge fines for those that don’t comply, as well as potential suspension of service and other costs.
You talk about “huge fines”, but what are the numbers behind the potential liabilities?
If a non-compliant organisation suffers a data breach, the fines can be up to 5% of their global turnover. They would also have to pay replacement card costs of an average £107 for every card that they have accepted. The service provider is likely to suspend their ability to accept card payments, and with the new General Data Protection legislation it seems possible that the Officers may also face legal actions for negligence.
OK, so your firm has just created the largest and most innovative Payment Services Framework in EU history – did you address this PCI DSS issue in the Framework?
It was a major and defining part of the exercise. Our research showed that 65% of responding Local Government Authorities were not compliant with the Standard, and that whilst most major private sector enterprises had gained compliance, their costs (both HR and financial) were far greater than necessary. Solutions are out there, and we packaged them up and made them available not only to government bodies, but to all UK businesses. It’s something we are very proud of!
And how do the costs compare?
In every case we have looked at there is a significant net saving even after full PCI DSS compliance measures have been included.
Let’s be precise, what do you mean by “significant”?
The average is well over 30%.
Has anyone else approached the problem in a similar way? What alternatives are out there?
The Crown Commercial Service (CCS) also produced a Framework to allow public sector operations to access card processing services. The CCS Framework didn’t include a PCI DSS compliance package at all though, and it isn’t available to private sector operations.
There are a lot of professional advisors out there (QSAs) who offer a first-class service to guide organisations down the path to compliance, and we are always happy to recommend the best ones to any operation that prefers the DIY route.
So what’s next for CPRAS?
We have already expanded our operation from a specialist card payments consultancy to one which advises government bodies and major businesses on all payment processing issues including Direct Debits, SEPA, Barcode payments and Swipe cards.
Whilst we’d love to shake things up in banking services, realistically it’s time to consolidate now. We are looking for a JV partner who can help us to take the Framework Services into the private sector to the fullest extent possible.