The Green Sheet Online Edition
September 26, 2011 • Issue 11:09:02
PCI essentials for MLSs
The Payment Card Industry (PCI) Data Security Standard (DSS) can be confusing for processors, merchant level salespeople (MLSs) and for merchants alike. When I met Trustwave Vice President Greg Leos at the Midwest Acquirers Association meeting in July, I requested the opportunity to submit questions from GS Online's MLS Forum to him to further our understanding of PCI so we can help our merchants stay compliant.
Following is a Q&A between Leos and myself. It covers PCI basics. My next article will delve into specific rules pertaining to the Self-Assessment Questionnaire (SAQ) and will feature input from Trustwave's SAQ guru, Greg Rosenberg.
Bill Pirtle: I hear terms like "Level 1 merchants" and "Tier 4 merchants." What do these mean and what's the difference between them?
Greg Leos: Many payments industry terms are used interchangeably (ISO and processor; agent and MLS, etc.), and it is often confusing. This is also the case with terminology around the PCI DSS.
Taken straight from the Visa website, http://usa.visa.com/merchants/risk_management/cisp_merchants.html, the following chart is an easy to understand listing of the various merchant levels and corresponding validation requirements.
Small merchants (based on acceptance channel and processing volume) will fall into the Level 4 designation. Unless the merchant has an Internet Protocol address to scan, the business would simply need to successfully complete an annual SAQ to be considered compliant with the PCI DSS.
To help in this process, these merchants would be provided with an automated, online version of the SAQ ... to reduce the amount of time and effort required to complete it. It's important to note that the SAQ is designed to help discover vulnerabilities, so merchants should not be discouraged if they don't pass it the first time.
BP: What points regarding PCI compliance should ISOs and MLSs know?
GL: There is a lot of confusion among ISOs and MLSs about PCI compliance. This is unfortunate because data security creates an opportunity to strengthen the value that MLSs bring to their merchants. In my opinion, it's one of the more compelling and impactful topics I've seen in the payments industry in the last 10 years. While there are many things MLSs and ISOs should consider, here are my top three:
- MLS should recognize that the PCI DSS and Payment Application (PA) DSS are not marketing slogans promoted by the card brands, but a true set of standards created to reduce card fraud. Merchants - even small merchants on antiquated dial-up terminals - are exposed to some level of risk every time they accept a payment card.
It's vital that merchants understand their transaction processing environment and use the tools available to them to comply with the PCI standards to reduce their risk. The consequences of not doing so can range from having to pay card brand fines and remediation costs to forcing some merchants out of business.
Likewise, it's important that ISOs assist MLSs to understand the importance of PCI so that they can, in turn, properly communicate to their portfolio of merchants. [It is important that ISOs have] relevant PCI information that can easily be shared with merchant-facing salespeople to keep them up to date on important industry developments related to data security.
- Educating merchants on PCI can help position MLSs as business payments advisers. How often does a sales prospect immediately ask to see the lowest rate an MLS can provide them? By having a general understanding of PCI compliance and why it's important for merchants of all sizes, MLSs can begin to move conversations with merchants away from price and toward value.
Is saving two basis points on card acceptance really as important as having a program that can prevent you from paying thousands of dollars in fees and fines? Likewise, for those merchants already in an MLS's portfolio, a strong PCI program can create the "stickiness" that reduces merchant attrition and increases the value the MLS brings to merchants.
Helping merchants become aware of MLSs as an integral part of their businesses is key to keeping them engaged and successful, and I'm a big believer that a good understanding of PCI can help make this happen.
ISOs can help MLSs by providing them with a PCI merchant compliance program that is easy to understand, automated and efficient for both merchants and MLSs. This gives them the tools they need to be able to leverage PCI when selling to new customers and retaining the ones they already have.
- A merchant compromise impacts everyone on the payments food chain, particularly MLSs. I often hear the argument that small merchants with a dial-up POS that don't process many transactions don't really need to validate PCI compliance. I couldn't disagree more with this statement. It's these small merchants that cannot sustain the financial consequences of a breach.
Card replacement costs, card brand fines and breach remediation costs can add up fast, and the final tally can be in the tens of thousands of dollars. Local merchants like the dry cleaner, the deli or the small diner are often the lifeblood of an MLS's residual stream.
The ability to keep them in business and out of harm's way ties directly to continued success in the payments business. It's critical to protect residuals by helping merchants protect themselves against what can be a business-changing event.
Comment from BP: Leos makes a great point. Many MLSs focus on how scans are not needed by Level 4 merchants using dial-up terminals. If we did a better job of teaching merchants how to secure card data, they would likely become more viable constituents in our portfolios.
BP: How much benefit do you feel mandating EMV chips in cards will actually bring?
GL: Visa recently indicated that it has plans to push for migration to EMV technology in the United States. While I believe that adding additional layers of security within the payments cycle is generally beneficial to everyone involved, I do have some questions as to the impact EMV will have moving forward.
The term EMV refers to the Europay/MasterCard/Visa chip card that's used in many parts of the world but has never been embraced by merchants or deployed with much success in the United States. These cards use a more complex authentication process at the POS than the traditional magnetic card stripe swipe, thereby reducing a merchant's risk and exposure to fraud in a card-present environment.
Obviously, reducing exposure to a data breach is added value that merchants acknowledge as good for their businesses. The challenge is that while current POS systems will accept EMV cards, most don't have the capability to take advantage of the contactless, data security features that these types of cards offer.
The time and cost barriers at the merchant level may impede the speed of adoption, which will reduce the positive impact EMV could bring to our industry.
Any impact from the announcement is going to take time, as the rollout doesn't begin until October 2012. It will also be interesting to see if the other card brands follow Visa.
Comment from BP: One benefit for MLSs, along with terminal suppliers, is that mandating EMV will create a need for EMV-capable terminals. While I'm not a fan of leasing single terminals, this would be an ideal way to bring more income to MLSs and benefit merchants, provided the leases are reasonable. The effect new terminal needs would have on ISOs that provide free terminals to merchants is unknown.
Banks are limited by Durbin Amendment enactment to recover fraud costs, and merchants bear the brunt of fraudulent use. Perhaps mandating EMV in the United States will pay for itself quickly by limiting fraud for card-present transactions.
Banks could phase in the new cards, and MLSs could justify the requisite new terminals in terms of reduced fraud expenses for brick-and-mortar merchants.
BP: Beyond the small-merchant compliance portal, does Trustwave offer other services merchants might need? Is there someone there merchants can contact if they have a breach?
GL: Yes, Trustwave is a comprehensive data security and compliance company that serves merchants of all sizes. For our ISO and acquiring partners, we excel at Level 4 merchant compliance programs and automation.
We're both a QSA and an ASV for the PCI Security Standards Council, providing a wide range of products and solutions to merchants of all sizes.
Trustwave can work with merchant service providers directly to conduct their assessment. In addition, our ... forensics investigation team (Trustwave SpiderLabs) conducts research and forensics investigations in the event that a merchant does have a data breach.
For the small-merchant population (Level 4), we believe the most effective way for MLSs to get their merchants PCI-compliant is to work through their merchant acquirers to enroll these merchants into cost-effective, automated PCI programs.
Thanks to Greg Leos for answering these questions on the PCI DSS, as well as for making Greg Rosenberg available to dig down to details needed for better understanding of PCI and the SAQ. Look for Rosenberg's insights on the SAQ in issue 11:10:01. If you'd like to contact Leos directly, email him at email@example.com, or phone him at 312-873-7689.
What you do today determines your tomorrow.
Bill Pirtle is the President of MPCT Publishing Co. and author of Navigating Through the Risks of Credit Card Processing. He is also a merchant level salesperson for Clearent LLC, Electronic Payments Inc. and Electronic Merchant Systems Inc. Bill's website is www.creditcardprocessingbook.com, and his email address is firstname.lastname@example.org. He welcomes all connections on Facebook and LinkedIn.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.