We are finding many Revenue Cycle Management (RCM) companies that have been given terrible information by their existing credit card vendor about how to collect and process patient payments. In the Payment Card Industry (PCI), which includes Visa, Mastercard, Discover and Amex, there is a credit card processing classification called Payment Facilitator, or PayFac. PayFacs are allowed to collect payments directly from a patient and then forward those payments to their clients. Companies such as Square are classified as PayFacs, but they are required to meet very strict rules set up by the PCI industry as well as money transmitter rules that are regulated by state banking commissioners. As you will see below, just being approved as a PayFac by a credit card processor is an arduous and expensive process. I would expect to spend around $50,000 on the PCI audit, if you can even get compliant. With regard to the money transmitter rules, each of the 49 states requires a money transmitter surety bond, with amounts ranging widely from as little as $25,000 to over $1 million, and maintenance of a minimum capital requirement. Square was fined $507,000 in Florida for not being registered as a PayFac.
If you are an RCM company that is currently collecting payments from patients, with those funds being deposited into your bank account, and then forwarding these funds to your medical groups or hospitals, you are a Payment Facilitator or PayFac. If this is the case, you will be shut down immediately by Visa/Mastercard/Amex once discovered, and you risk state fines such as the one levied on Square.
Below are the requirements to become a PayFac from one of the largest credit card processors in the country:
Business Financial Background
1. PFac/PF Submission Form with PFac Questionnaire and Site Visitation Form
2. Summary of Business history and operations - Describe the business history, model, products/services and operational infrastructure to support PFac model.
3 (a) Articles of Incorporation or Partnership Documents
3 (b) DBA - Fictitious Name Filing Required
4. Two (2) years Corporate Audited Financial Statements and Interim Financial Statements including P&L and Balance Sheet. If audited statements are not available, then statements prepared in accordance with GAAP.
5. Two (2) years Corporate Tax Returns
6. Principals' biographical profile and work history/resume for signers with 20% or more ownership
7. Two (2) years Personal Tax Returns OR Personal Financial Statements for Principals with 20% or more ownership
8. Names, addresses, telephone #, Social Security #, and % of Ownership for Principals with 20% or more ownership
9. Copy of Driver's License for Principals with 20% or more ownership
10. Current Merchant Processing Statements (previous 3 months)
11. Bank Reference(s) - Provide the Bank, Contact Person & telephone number, and ABA/DDA Numbers.
12. Organization chart of Risk Management staffing by function (Underwriting, Fraud, Risk, etc.). Provide details on the number of employees on the Risk Management staff, and background/experience profile or resumes for Senior Risk Managers.
13. Document the Process, Policies, and Procedures on the following:
13 (a) Know Your Customer (KYC) - Describe the methods/tools used to “validate” the Business Operations and the Principals (Owners) of Sub-Merchants.
13 (b) Fraud Monitoring - Describe the processes/reporting/systems to monitor Fraud among Sub-merchant transactions.
13 (c) On-going Risk Management - Describe the ongoing monitoring program to manage the Risk of Sub-merchants
14. Sub-merchant Portfolio Information for all Sub-merchants which will participate in PFac program - see “Sub-merchant Info Spreadsheet”
15. Copy of Annual PCI Level 1 Compliance Version 3.1 PCI SSC Validation Document
16. How will the First Data Operating Guide be distributed to Sub Merchants?
16 (a) If on website please list website where it can be found by Sub Merchant?
17. Business Continuity Plan
18. AML Questionnaire (response to questions in file)
PFac/PF Registration Sponsorship Documentation
19. Level 1 - AOC (Attestation of Compliance) Service Provider & Executive Summary from the ROC (Report on Compliance)
20. List of Third Party Service Providers who have access to Cardholder Data or offer any Third Party Services to your Sub-merchants - e.g. Payment Gateways, etc.
21. List of Third Party Service Providers who will perform PIN Pad Encryption, if applicable (note there are additional requirements for ESOs - Encryption and Support Organization)
22. Name of Third Party Vendor conducting on-going Sub-merchant URL screening
23. Marketing materials, sales brochures, solicitation forms, websites (URL) used to solicit Sub-merchants
24. Website/Payment Page, if the PFac is accepting card payment on their website versus on the Sub-merchant's website
25. Sample of Sub-Merchant Application
26. Merchant Decline Letter - if Credit Score is a factor the letter must follow the Fair Credit Reporting Guidelines for decline of account
27. Registration Templates for MasterCard and Visa.
28. Signed Contract with the PFac
29. Billing Instructions for initial Registration Fee and Annual Renewal Fee