New study finds ISVs can streamline PCI compliance

Researchers have found achieving and maintaining Payment Card Industry (PCI) security standards compliance continues to be a challenge for small and midsize merchants. The 2018 ControlScan/MAC Acquiring Trends Survey, published Feb. 28, 2018, surveyed 115 acquirers, processors, ISOs and payment facilitators. Atlanta-based ControlScan, a global security company, co-authored the report with Merchant Acquirers' Committee, an organization of bankcard professionals involved in the risk management side of card processing. The organizations said the comparative analysis, aimed at tracking compliance trends, is their seventh annual survey.

Among identified trends, 67 percent of survey respondents with decreased compliance rates said their merchants had initially achieved compliance but subsequently failed to be revalidated. They attributed failures to lack of awareness of requirements and avoidance of recertification procedures, which have become more rigorous in recent years, according to some participants.

Chris Bucolo, Director, Marketing Strategy at ControlScan, said security breaches of small to midsize merchants have been numerous but underpublicized, leading many small merchants to mistakenly believe PCI compliance requirements do not apply to them. Pointing to Verizon's 2017 Data Breach Investigations Report, he said many hackers see small Level 3 and Level 4 merchants as low-hanging fruit.

"Many small business owners don't have the same protections in place as enterprise-scale organizations," Bucolo stated. "This lack of protection makes it easy for hackers to gain unauthorized access to their network or databases through a service provider or POS system."

Bucolo also suggested the high frequency of data breaches may have bred skepticism in the small merchant community, making some constituents wary when approached by third-party service providers, including trusted partners. He urged payment processors and service providers to maintain ongoing communication about security and compliance with their merchants.

ISV opportunities, benefits

A new section in the report highlights relationships between acquirers and independent software vendors (ISVs), with 49 percent of survey respondents engaged in partnering or integrating their service offerings with ISVs, and an additional 13 percent planning to launch an ISV partnership in 2018. These partnerships create new opportunities to reduce attrition and streamline PCI compliance, Bucolo noted.

"It's interesting to note this is the first time we've asked survey participants about working with ISVs," he said. "We were surprised by how many respondents are already focused on it or planning near-term projects. When small and midsize merchants get end-to-end encryption and managed security services through ISVs, they can streamline PCI compliance and reduce scope and upstream risk."

Survey respondents cited the following technology projects as implemented or planned:

• Validated P2PE solutions, which can reduce PCI scope (59 percent) 

• End-to-end encryption, which can reduce scope when verified by a PCI Qualified Security Assessor (49 percent) 

• A semi-integrated model, which can put an electronic cash register out of scope (43 percent)

• A managed firewall or other managed security service, which can be bundled with a PCI program (35 percent)

"ISV partnerships present a unique opportunity in terms of merchant retention, or 'stickiness,'" the report authors wrote. "Not only can they make it easier for the merchant to conduct business, they can also eliminate unnecessary hassle in the PCI compliance process."

For further information or to download the report, visit www.controlscan.com/2018-acquiring-trends-research-report/?utm_source=globenewswire&utm_medium=opr&utm_campaign=acquirer18

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.