The Green Sheet Online Edition

Complacency an obstacle to PCI compliance

Since the inception of the Payment Card Industry (PCI) Data Security Standard (DSS) in 30%4, PCI compliance has been a gradual process for most merchants and acquirers, starting with Level 1 and 2 merchants and wending down to Level 4 merchants. To gain a snapshot view of current trends and attitudes toward PCI compliance, ControlScan and Merchant Warehouse conducted a survey of nearly 620 Level 4 merchants and released its findings in A 'Perfect Storm' of Complacency: The Third Annual Survey of Level 4 Merchant PCI Compliance Trends.

"When you look at general PCI compliance awareness, we found some increase versus last year, but only about 6 percent more of the respondents had some awareness of PCI compliance," said Heather Foster, Vice President of Marketing for ControlScan. "For the folks who have some awareness of PCI compliance, 57 percent claim that they have validated, which is 10 percentage points more than last year."

Foster said more Level 4 merchants who have become aware of the PCI DSS are now taking action. However, she saw striking differences between micro-merchants with one to 10 employees and Level 4 merchants with 51 or more employees. Survey percentages for micro-merchants were "much lower than the larger Level 4 merchants in their responses to all the questions," she said.

Foster believes that to help guide Level 4 merchants, ISOs and merchant level salespeople should be prepared to educate merchants early in the boarding process. "Level 4 merchants represent 98 to 99 percent of all merchants, but they are not a one-size-fits-all group," she said. Instead, she suggests general communications to build awareness, followed by tactical strategies that address specific merchant needs.

"Because most of these merchants, in fact 83 percent of them, think that they have little to no risk of data compromise, sharing real-life examples will help educate them that these instances do happen," Foster said. "It's a regular, sustained approach on education that's important, because PCI is not the main focus of their business."

Markiyan Malko, PCI Security Compliance Officer and Program Manager for Merchant Warehouse, said, "The other piece is that you actually need to provide them with a program where you can help them become PCI compliant. Most of the Level 4 merchants, especially if they're doing the harder SAQ D, probably 95 percent of them, can't do it alone. They actually need outside help from somebody."

Survey highlights

Following are summary findings from A 'Perfect Storm' of Complacency: The Third Annual Survey of Level 4 Merchant PCI Compliance Trends:

Percentage of respondents familiar with PCI DSS:
Yes, very	19 percent
Yes, somewhat	34 percent
Unsure	22 percent
Not at all	25 percent
Reasons given for not completing PCI compliance process:
Don't understand	63 respondents
Still working on it	54 respondents
Don't have the resources	48 respondents
Don't care; it's too hard	17 respondents
Top three contacts for data security, PCI compliance:
Merchant bank	39 percent
POS/payment application vendor	32 percent
Hosting provider	19 percent
Don't care; it's too hard	17 respondents
Percentage who view security as a high/medium priority:
Respondents with 51+ employees	97 percent
E-commerce respondents	94 percent
Hosting provider	19 percent
All Level 4 respondents	83 percent
Perceived level of risk for data compromise to respondent businesses:
Low risk	74 percent
Medium risk	16 percent
No risk	9 percent
High risk	1 percent
Percentage of respondents who've validated PCI compliance:
Yes	57 percent
Unsure	23 percent
No	20 percent

ETA/TSG report on U.S. economy

A joint report on the U.S. economy was released by The Strawhecker Group and the Electronic Transactions Association in November 2011. U.S. Economic Indicators Q3 2011Report provides a detailed analysis of economic data compiled from government reporting services and other reputable sources.

The current edition contains 26 pages of graphs and analyses of leading macroeconomic indicators, including gross domestic product, consumer spending and wages, and small business optimism; microeconomic indicators segmented by geographic region and retail sector; and an in-depth analysis of payment indicators based on data collected from leading credit and debit card brands and alternative payment providers.

Four leading industry trends

The report identified the following industry trends:

• The payments industry is shielded against economic volatility
• Electronic payments still have significant growth opportunity
• Merchant portfolios have seen dollar volume attrition decline during the recovery period
• Merchant portfolios have seen net revenue attrition increase during the recovery period

As an indicator of the payments industry's resiliency during periods of economic volatility, the report details how bankcard volumes as a share of total consumer spending have grown at a compound annual growth rate of 24 percent since 1991, and were up 7 percent for the third quarter of 2011. Bankcard volumes, at 30 percent of the $1.15 trillion in nondurable goods spending, are projected to capture a greater share of the $805 billion in non-card-based payments moving forward, the report stated.

TSG's proprietary Merchant Portfolio Performance Study, which represents data collected from 840,000 merchant accounts, showed that year-over-year merchant dollar volume increased 16 percent in the second quarter of 2011, with ending net revenue up 10 percent over the same period.

Digital wallet up for grabs

A 56-page Impact Report from Aite Group LLC, Digital Wallet: Who Will Win the Game?, provides an overview of key stakeholders in the digital-wallet race, assesses challenges in the marketplace and evaluates strategies being deployed by individual players to win a slice of the proximity payments pie. According to report author Rick Oglesby, "The playing field is set for a major battle, and traditional payments powers appear to be at a disadvantage."