The Green Sheet Online Edition

April 27, 2009  •  Issue 09:04:02


Level 4: The small-merchant PCI challenge

By Joan Herbig

While sensational data breaches experienced by big-box retailers and processors fill the headlines, 85 percent of reported data compromises involve small merchants - defined as Level 4 by the Payment Card Industry (PCI) Data Security Standard (DSS). More than 6 million small merchants are doing business in North America; fewer than 5 percent have attested to compliance with the PCI DSS.

These are potentially costly statistics for acquirers, who ultimately shoulder the monetary burden should their merchants experience breaches.

Beyond their abundance, Level 4 merchants carry unique challenges. Acquirers can reduce their overall risk and dramatically improve compliance rates among these merchants by overcoming four often-overlooked pitfalls when designing their PCI compliance programs.

Challenge 1: Little awareness of security

Small merchants are focused on making ends meet. They have little awareness of - or time to focus on - security best practices. The few who have heard of PCI compliance typically don't know the standard applies to them. They assume PCI compliance is only for the "big guys" or e-commerce merchants.

Those who realize PCI compliance does apply to them often approach it as a perfunctory process. The benefits of better security often aren't clear to them, and they don't realize breaches could be catastrophic for their businesses.

Acquirers are required to develop a plan to address and educate small merchants about the PCI DSS. The PCI Security Standards Council (SSC) provides basic air cover, but acquirers that take a proactive, targeted approach to engage Level 4 merchants with a variety of educational materials and tactics will become valuable partners to their merchants and gain a competitive advantage.

Education should be a significant component of any acquirer's comprehensive merchant outreach strategy to drive PCI compliance. Examples of helpful educational tools for small merchants include:

Additionally, acquirers should advise small merchants against storing credit card data without a compelling business reason for doing so, and direct them to use Payment Application DSS-compliant applications. That way, small merchants will experience a simpler path to PCI compliance and reduce their risk of data compromise.

Challenge 2: Lack of technical expertise

Most small merchants have few or no technical staffers to manage the PCI compliance process. All of them are required to complete Self Assessment Questionnaires (SAQs) annually and maintain compliance throughout the year. Many have problems answering basic questions in the SAQ because the language is often aimed at technical users.

Questions like the following frequently arise:

Level 4 merchants typically have no idea how credit card data flows through their businesses, and most don't have security awareness programs to educate employees on best practices for ensuring the security of cardholder information. Thus, they are highly reliant on outside parties, including their acquirers or POS equipment vendors, and often receive conflicting advice.

Acquirers can help reduce confusion by providing small merchants with guidelines to answer SAQ questions that are specific to each merchant's environment. This makes it easier to complete the SAQ and improves the quality of responses. Acquirers may also want to consider providing security awareness training, in everyday language, to provide fundamental information small merchants need to guard against data compromises.

Going forward, acquirers may want to establish processes for obtaining sufficient information about their merchants' environments that will enable them to answer certain questions, such as what payment application a given merchant uses. This data could be pre-entered in an online SAQ to make the process easier and less frustrating for the merchant.

Challenge 3: Diverse merchant environments

Small merchants often need multiple touch points to become knowledgeable and engaged in the PCI compliance process. Retailers lacking computer or e-mail access present acquirers with challenges regarding how to fully track and convey compliance rates for their small merchant portfolios.

Acquirers must be prepared to provide paper versions of the SAQ to merchants without online access. Moreover, acquirers should develop a content management and reporting strategy for these one-off measures. This will ensure they maintain a holistic view of compliance for their merchant portfolios.

Acquirer portfolios frequently consist of large concentrations of non-English-speaking merchants, which compounds the difficulty of the entire compliance process. While the PCI SSC provides the SAQ in English and six other languages, acquirers still face the issue of providing training and technical support to help merchants answer the questions effectively. Acquirers will need to formulate plans to provide the SAQ, and support for completing it, in multiple languages.

Challenge 4: Web site vulnerabilities

Small merchants with externally facing Internet Protocol (IP) addresses must complete quarterly vulnerability scans (SAQ Validation types 4 and 5) to comply with the PCI DSS. Small merchants face unique challenges in complying with this requirement.

Before scanning even begins, small merchants typically ask basic questions, including:

Most vulnerabilities found in small merchant scanning results require assistance from outside vendors to remediate. For example, dangerous Structured Query Language (SQL) injection and cross-site scripting vulnerabilities require a programmer to remediate; however, most merchants don't have a programmer in-house and are often not sure whom to commission.
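To make concrete what the programmer hired for that remediation actually changes, here is an added illustration that is not part of the original article. It uses a constructed in-memory SQLite table standing in for a small merchant's order-lookup page, and shows each of the two defect classes named above beside its fix: string-concatenated SQL versus a parameterized query, and raw HTML output versus escaped output. The table, rows and function names are assumptions made for the example.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: a tiny orders table for a hypothetical merchant site."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)"
    )
    conn.executemany(
        "INSERT INTO orders (customer, total) VALUES (?, ?)",
        [("alice", 19.99), ("bob", 42.50), ("carol", 7.25)],
    )
    return conn


def lookup_vulnerable(conn, customer):
    """The defect a scanner reports as SQL injection: request input is pasted
    into the SQL text, so the input can change the query's logic."""
    sql = "SELECT customer, total FROM orders WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, customer):
    """Remediation: a parameterized query. The driver sends the input as a bound
    value, so it is compared as data and can never be parsed as SQL."""
    return conn.execute(
        "SELECT customer, total FROM orders WHERE customer = ?", (customer,)
    ).fetchall()


def render_vulnerable(name):
    """The cross-site scripting defect: untrusted text is written straight into HTML."""
    return "<p>Welcome, " + name + "</p>"


def render_fixed(name):
    """Remediation: escape for the HTML context before output, so markup in the
    input is displayed as text instead of interpreted by the browser."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


def compare(customer_input, display_name):
    """Run both versions of each function on the same input and return the
    results side by side, which is what a remediation test would check."""
    conn = make_db()
    try:
        return {
            "sql_before": lookup_vulnerable(conn, customer_input),
            "sql_after": lookup_fixed(conn, customer_input),
            "html_before": render_vulnerable(display_name),
            "html_after": render_fixed(display_name),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign lookup behaves the same both ways.
    print(compare("alice", "Alice"))
    # A malformed lookup that a scanner's probe resembles: the concatenated
    # version returns every row, the parameterized version returns nothing.
    print(compare("' OR '1'='1", "<b>Alice</b>"))
```

The point for the acquirer's support team is that the fix is small and mechanical once someone who can read the code is engaged: the query text and the page template change, the application's behaviour for normal customers does not, and a rescan then passes for these two findings.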

The merchant's host also plays a role in remediating vulnerabilities, and while there are many cooperative hosts, some are not willing to make the changes required to bring the merchant into compliance.

Changes to consider

Developing and implementing a successful Level 4 compliance program is not easy. However, acquirers that take the time to develop a plan that anticipates upfront the unique challenges their small merchants face will increase the likelihood of realizing much higher compliance rates and less merchant frustration.

Acquirers that don't have the time and resources to dedicate to comprehensive PCI compliance should consider partnering with a company that specializes in PCI compliance for small merchants.

Different deployment options exist, ranging from full outsourcing to a hybrid model, where an acquirer's support team is trained to handle some aspects of support. This helps ensure the acquirer is equipped with knowledge to answer basic technical questions that often stall merchants early in the PCI compliance process.

Security is becoming increasingly multilayered and complex, so even those with expertise have difficulty configuring security tools correctly. Acquirers managing a PCI compliance program should be prepared to "get in the trenches" to effectively support their merchants.

Whether managed in-house or externally through a third party, a well-executed PCI program helps acquirers reduce risk and provides an opportunity for them to take a leadership position and establish stronger relationships with their merchants.

Joan Herbig is Chief Executive Officer of ControlScan. She has more than 20 years' experience in the high-tech world and serves on the Electronic Transactions Association's Risk and Fraud committee. Contact her at or 800-825-3301.
