GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?

Table of Contents

Lead Story

Partnerships fuel portfolio growth


Industry Update

Direct Air's bankruptcy threatens JetPay

Coalition responds to retailers' debit rule complaint

Consultancy faults PCI tokenization guidance

Heartland breach suit settled

Selling Prepaid

Prepaid in brief

Expo meets expectations in atmosphere of change

Prepaid goes to Washington


Choosing a partner for life

Justin Milmeister
Elite Merchant Solutions

Technology, a catalyst for ISO growth

Mustafa Shehabi
PayCube Inc.


Street SmartsSM:
Plotting a prosperous future

Jeff Fortney
Clearent LLC

Is it time for you to resell integrated payment systems?

Paul Hunter
Sterling Payment Technologies

As a PCI compliance role model, how do you measure up?

Heather Foster

Use new card fees to build merchant rapport

Jeffrey Shavitz and Adam Moss
Charge Card Systems Inc.

Working with outside marketing experts

Peggy Bekavac Olson
Strategic Marketing

No more contract-signing hurdle

Steve Norell
US Merchant Services Inc.

Company Profile

Electronic Payment Exchange

New Products

Wireless payments at the restaurant table

Company: Viableware

Driving donations online for nonprofits

eSelectPlus with DonorDrive
Company: Moneris Solutions


Don't let hot leads slip away


Fulfilling brand promise



Resource Guide


A Bigger Thing

The Green Sheet Online Edition

April 09, 2012  •  Issue 12:04:01

previous next

As a PCI compliance role model, how do you measure up?

By Heather Foster

As one of the most widely known proverbs so elegantly states, there's no time like the present. This familiar adage can be applied to a multitude of situations and experiences, none more pressing than the financial industry's current focus on Payment Card Industry (PCI) Data Security Standard (DSS) compliance education and implementation among Level 4 merchants.

Nearly six years after the regulations of the PCI DSS took effect, a high level of discourse continues between Level 4 merchants and the acquirers that serve them regarding the significance of PCI compliance.

With the current state of confusion surrounding PCI compliance among these merchants, ISOs and acquirers, as well as merchant level salespeople (MLSs), are being called upon to provide expert opinion and guidance on the necessary steps for fully understanding and appreciating the value PCI DSS can provide to a merchant's business.

As an ISO or acquirer taking on this new role, the need to review your abilities as an expert in PCI compliance is incredibly important. Before you begin evaluating how you measure up as a PCI compliance leader for your merchants, let's review the latest findings on Level 4 merchants and the MLSs, ISOs, acquirers and banks serving them.

A 'perfect storm' of complacency

Over the past three years, PCI compliance and security provider ControlScan has conducted a series of extensive surveys aimed at gauging the Level 4 merchant stance on PCI compliance. According to the results of the November 2011 ControlScan and Merchant Warehouse Level 4 Merchant Survey, two trends have emerged as the main source of many merchants' insufficient compliance efforts:

  1. Small merchants' low awareness of PCI
  2. Their apathy toward the potential risk of a data compromise.

Researchers refer to the pair of trends as "a perfect storm of complacency."

According to the results of the 2011 study, while larger Level 4 merchants have begun to take strides to further educate themselves on PCI compliance, the smaller micro-merchants (businesses with fewer than 10 employees) continue to show signs of minimal to no understanding of the PCI DSS and the potential risk involved in failing to protect their customer data.

While these latest findings do suggest an increase in understanding and implementation within a portion of the Level 4 merchant community, there is still much that can be done to ensure that micro-merchants and the entire sum of Level 4 merchants in question strengthen their PCI compliance aptitude so they can establish the necessary data security measures for their businesses.

Wanted: Level 4 PCI compliance benchmarks

In response to its Level 4 Merchant Survey findings, ControlScan partnered with the Merchant Acquirers' Committee to create the first-ever study of acquirers serving smaller merchants.

This study, entitled Benchmarking Level 4 Merchant PCI Compliance: The Acquirer's Perspective, served to benchmark acquirers' experiences and current practices as they assist their merchants in fulfilling the compliance requirements set forth by the PCI DSS.

The January 2012 acquirer study was completed by nearly 150 randomly selected companies with portfolios ranging in size from fewer than 1,000 merchants to more than 50,000. Questions in the survey aimed to identify current PCI program practices within the ISO and acquirer community as well as the tangible benefits from these programs. The study's results served as a useful companion to the small merchant study.

Based on the responses ControlScan and MAC received from the companies surveyed, 94 percent of respondents currently provide a PCI compliance program for the direct benefit of their Level 4 merchants; 61 percent of those programs have been in place for two years or less. This bird's-eye view signifies an overall positive connotation toward PCI compliance from the perspective of the acquirer.

Digging deeper into the results of the survey, we uncovered several additional key findings:

While the results of ControlScan's previous merchant study provide confirmation of smaller merchants' apathy and lack of understanding toward PCI compliance, the results of the acquirer study provide ISOs and acquirers with a standard by which to measure their own success in preparing and educating their small merchants on the importance and the "how to's" of PCI compliance. By reviewing this snapshot of the industry, ISOs and acquirers can benchmark themselves against each key finding to target the specific areas they need to improve upon.

Polishing the apple

Although abiding by the general guideline of attributes drawn from the acquirer study results can serve as a starting point for revitalizing an ISO or acquirer's relationship with its Level 4 merchants, the negative attitudes or lack of understanding most of these merchants hold regarding PCI compliance won't be changed without significant added effort.

Introducing a variety of new techniques into an ISO or acquirer's standing PCI compliance program is the best way to combat merchant negativity and apathy. To aid ISOs and acquirers in moving forward as valued advisers to their merchants, ControlScan and MAC list several suggestions to improve PCI compliance programs, including:

By implementing the suggestions detailed in this article, ISOs and acquirers can easily solidify their positions as industry experts and further strengthen the relationships they share with their merchants.

While the resources needed to achieve a better understanding and appreciation of PCI compliance are available, some ISOs and acquirers may require the help of outside experts to boost their progress. Regardless, if you are an ISO or acquirer, the time to revisit your PCI compliance program strategies and goals is now.

The annual ControlScan merchant study and the inaugural acquirer study by ControlScan and MAC point to an industry need for ongoing measurement of attitudes and actions toward PCI compliance. ControlScan remains committed to fostering this dialogue, as well as to creating simple means for Level 4 merchants to achieve and maintain PCI compliance.

Heather V. Foster is Vice President of Marketing for Atlanta-based ControlScan, a provider of PCI compliance and security solutions that fit the specific needs of small- to mid-sized merchants. She also serves as Vice Chairman on the Education Committee of the Electronic Transactions Association and can be reached at

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | Simpay | USAePay | Impact Paysystems | Board Studios