The Green Sheet Online Edition

December 12, 2011  •  Issue 11:12:01


Getting Level 4 merchants to the PCI doctor

By Tim Cranny

By now, most of us know the basic history of the Payment Card Industry (PCI) Data Security Standard (DSS). In the early days, the industry focused on bringing large, Level 1 merchants into compliance with the standard.

This produced high levels of success, primarily because Level 1 businesses have security and information technology experts on staff.

The program slowly expanded to smaller merchants - Level 2 and Level 3 organizations - but showed diminishing success the closer it came to the smallest, Level 4 businesses. Now, progress with PCI compliance has slowed significantly; some would say it's even ground to a halt, especially when dealing head-on with Level 4 merchants.

Why? To explain, I propose this analogy: for a small merchant, the PCI process is like having a colonoscopy.

Surveys show that merchants consider PCI a "check-off" item and a nuisance replete with mysterious processes and requirements. A colonoscopy is a medical procedure that provides a health check at only one moment and needs to be repeated over time to ensure continued health.

Like patients in need of colonoscopies, most merchants don't understand that PCI needs to be a regularly repeated process, that the risks it deals with are real and substantial, and that the worst-case scenario is potentially life-ending for businesses.

Sobering data

Recent surveys report that close to 50 percent of small merchants can't explain the basics of the PCI DSS. Not only are these merchants not compliant, they don't even know what compliance consists of.

My colleagues and I speak regularly with multiple industry sources, and the consistent picture we see is that most Level 4 PCI programs have a compliance rate of around 10 percent.

Even Visa Inc.'s recent statistics gave specific validation percentages only for merchants in Levels 1 through 3. But for Level 4 merchants, Visa said only that compliance is moderate, with the following footnote: "Level 4 compliance is moderate among stand-alone terminal merchants, but lower among merchants using integrated payment applications [emphasis added]."

I suspect many ISOs, processors, acquirers and payment brands use sanitized words like "moderate" or "lower" because they sound better than saying "really, truly bad."

Opinions vary as to why this stall is occurring among small merchants. But one reason is that Level 4 companies have little or no access to security experts, technical help and network administrators. For most small merchants, the PCI DSS and Self-Assessment Questionnaires (SAQs) may as well be written in Swahili.

So I propose that we payment professionals and data security experts ask ourselves: How do we convince more merchants to get their regular security colonoscopies?

Dangling carrots, carrying sticks

Obvious tactics include carrot and stick approaches. A carrot could be offered in the form of cheaper PCI processes and lower fee structures for those who comply.

The stick approach would be reserved for merchants who don't respond to the carrot: they could face large noncompliance fees for failure to comply.

Neither of these solutions will ever work without substantially increasing the dollar penalties, which could interfere with the entire payments industry in unforeseen ways.

Make the penalties too big and merchants may seek uncaring, reckless service providers that don't require PCI compliance or just run fake, "everyone passes" programs.

Yet keeping fees reasonable does not provide the requisite motivation needed to get merchants to execute the thorny PCI process. Even if the process were free, what would happen? Do we really think we'd get Black Friday-sized crowds at Free PCI Colonoscopy Day?

Instead, we need to start by acknowledging the core structural problem. PCI compliance is frustrating, confusing and scary for merchants because they are usually lost when it comes to understanding what the PCI DSS is asking them to do. As a simple experiment, I opened SAQ D Version 2.0 at a random spot. The first question I found was 4.2, which discusses wireless encryption and 802.11i.

The issues it raises are perfectly real. But 99 percent of merchants don't know a thing about encryption or the IEEE Standards Association and naming conventions. Do we really expect them to become diligent amateur encryption experts?

Lifting the burden

Merchants don't understand the terms and implications of the standard. They also vastly underestimate the risks, and most couldn't answer the questions accurately if they tried. You'd be a lot more likely to agree to a colonoscopy if the doctor:

It doesn't work to simply ignore the details; data security problems are real, and addressing them is often a technically messy process. But the merchant doesn't have to be the expert. Software that takes the burden of expertise off the merchant might be the answer.

Just as Intuit Inc.'s TurboTax software protects tax filers from the complexities of the raw tax code, I believe the solution to the Level 4 compliance problem is to provide clever PCI software that protects merchants from the pain and stress of the PCI DSS.

So how do you design software that handles the problem of busy merchants who lack technological savvy? The SAQ process needs to be re-envisioned and presented to merchants from their perspective.

We need to give them language that they understand, ways to avoid questions that don't really apply to them and expert tools that invisibly guide them to the right answers. I have found that by supplying these, payment professionals can:

For some, a failure to launch

Using such an expert system technology can boost compliance rates. It can pinpoint in detail places where merchants are falling out of the program so corrective steps can be taken immediately.

And when seeking to pinpoint compliance pitfalls, here's an illuminating question to ask: What is the overwhelming reason why merchants do not complete their PCI compliance? My experience shows the answer is that they never log into the compliance software in the first place.

This presents us with a new problem, but one that is easier to manage. In order to drive compliance percentages above 49 percent, we must find a way to get merchants to log in. This is where those carrots and sticks come in.

The need for progress also begs the question: Is it counterproductive for the whole industry when PCI vendors hide their compliance results? With secrecy, how will we ever know what works and what doesn't?

Maybe ignoring the fee issue and focusing on the real barriers to success will help get more patients into the doctor's office.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at or 801-599-3454.
