The Green Sheet Online Edition
April 09, 2012 • Issue 12:04:01
As a PCI compliance role model, how do you measure up?
As one of the most widely known proverbs so elegantly states, there's no time like the present. This familiar adage can be applied to a multitude of situations and experiences, none more pressing than the financial industry's current focus on Payment Card Industry (PCI) Data Security Standard (DSS) compliance education and implementation among Level 4 merchants.
Nearly six years after the regulations of the PCI DSS took effect, a high level of discourse continues between Level 4 merchants and the acquirers that serve them regarding the significance of PCI compliance.
With the current state of confusion surrounding PCI compliance among these merchants, ISOs and acquirers, as well as merchant level salespeople (MLSs), are being called upon to provide expert opinion and guidance on the necessary steps for fully understanding and appreciating the value PCI DSS can provide to a merchant's business.
As an ISO or acquirer taking on this new role, the need to review your abilities as an expert in PCI compliance is incredibly important. Before you begin evaluating how you measure up as a PCI compliance leader for your merchants, let's review the latest findings on Level 4 merchants and the MLSs, ISOs, acquirers and banks serving them.
A 'perfect storm' of complacency
Over the past three years, PCI compliance and security provider ControlScan has conducted a series of extensive surveys aimed at gauging the Level 4 merchant stance on PCI compliance. According to the results of the November 2011 ControlScan and Merchant Warehouse Level 4 Merchant Survey, two trends have emerged as the main source of many merchants' insufficient compliance efforts:
- Small merchants' low awareness of PCI
- Their apathy toward the potential risk of a data compromise.
Researchers refer to the pair of trends as "a perfect storm of complacency."
According to the results of the 2011 study, while larger Level 4 merchants have begun to take strides to further educate themselves on PCI compliance, the smaller micro-merchants (businesses with fewer than 10 employees) continue to show signs of minimal to no understanding of the PCI DSS and the potential risk involved in failing to protect their customer data.
While these latest findings do suggest an increase in understanding and implementation within a portion of the Level 4 merchant community, there is still much that can be done to ensure that micro-merchants and the entire sum of Level 4 merchants in question strengthen their PCI compliance aptitude so they can establish the necessary data security measures for their businesses.
Wanted: Level 4 PCI compliance benchmarks
In response to its Level 4 Merchant Survey findings, ControlScan partnered with the Merchant Acquirers' Committee to create the first-ever study of acquirers serving smaller merchants.
This study, entitled Benchmarking Level 4 Merchant PCI Compliance: The Acquirer's Perspective, served to benchmark acquirers' experiences and current practices as they assist their merchants in fulfilling the compliance requirements set forth by the PCI DSS.
The January 2012 acquirer study was completed by nearly 150 randomly selected companies with portfolios ranging in size from fewer than 1,000 merchants to more than 50,000. Questions in the survey aimed to identify current PCI program practices within the ISO and acquirer community as well as the tangible benefits from these programs. The study's results served as a useful companion to the small merchant study.
Based on the responses ControlScan and MAC received from the companies surveyed, 94 percent of respondents currently provide a PCI compliance program for the direct benefit of their Level 4 merchants; 61 percent of those programs have been in place for two years or less. This bird's-eye view signifies an overall positive connotation toward PCI compliance from the perspective of the acquirer.
Digging deeper into the results of the survey, we uncovered several additional key findings:
- Acquirers with higher compliance rates are those who do more to assist their merchants.
- Processors lead the pack in achieving merchant compliance.
- Fewer acquirers with higher compliance rates experienced data breaches.
- Positive perception of PCI's value has a strong correlation to compliance rates.
- Acquirers need more "touch points" with merchants to improve PCI compliance.
- Noncompliance fees are acquirers' preferred method for driving compliance.
- Acquirers with higher compliance levels use more tools and technologies.
- Outsourcing the PCI program is "in" with acquirers.
While the results of ControlScan's previous merchant study provide confirmation of smaller merchants' apathy and lack of understanding toward PCI compliance, the results of the acquirer study provide ISOs and acquirers with a standard by which to measure their own success in preparing and educating their small merchants on the importance and the "how to's" of PCI compliance. By reviewing this snapshot of the industry, ISOs and acquirers can benchmark themselves against each key finding to target the specific areas they need to improve upon.
Polishing the apple
Although abiding by the general guideline of attributes drawn from the acquirer study results can serve as a starting point for revitalizing an ISO or acquirer's relationship with its Level 4 merchants, the negative attitudes or lack of understanding most of these merchants hold regarding PCI compliance won't be changed without significant added effort.
Introducing a variety of new techniques into an ISO or acquirer's standing PCI compliance program is the best way to combat merchant negativity and apathy. To aid ISOs and acquirers in moving forward as valued advisers to their merchants, ControlScan and MAC list several suggestions to improve PCI compliance programs, including:
- Positioning PCI as a value
- Educating merchants frequently
- Monitoring PCI program results closely
- Using additional tools and support to help merchants achieve PCI compliance
- Considering emerging technologies such as end-to-end encryption and tokenization
- Taking a balanced approach to driving compliance rather than relying on noncompliance fees alone for a long-term strategy
By implementing the suggestions detailed in this article, ISOs and acquirers can easily solidify their positions as industry experts and further strengthen the relationships they share with their merchants.
While the resources needed to achieve a better understanding and appreciation of PCI compliance are available, some ISOs and acquirers may require the help of outside experts to boost their progress. Regardless, if you are an ISO or acquirer, the time to revisit your PCI compliance program strategies and goals is now.
The annual ControlScan merchant study and the inaugural acquirer study by ControlScan and MAC point to an industry need for ongoing measurement of attitudes and actions toward PCI compliance. ControlScan remains committed to fostering this dialogue, as well as to creating simple means for Level 4 merchants to achieve and maintain PCI compliance.
Heather V. Foster is Vice President of Marketing for Atlanta-based ControlScan, a provider of PCI compliance and security solutions that fit the specific needs of small- to mid-sized merchants. She also serves as Vice Chairman on the Education Committee of the Electronic Transactions Association and can be reached at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.