The Green Sheet Online Edition
November 12, 2012 • Issue 12:11:01
Coping with PCI noncompliance fees
The PCI Security Standards Council developed a set of security standards to protect cardholder data. We have all heard examples of security breaches at merchants both large and small. These breaches, which often involve stealing cardholder information, result in fraud on the card-issuing system.
The liability for that fraud is carried by all the participants in the network, including the merchant, POS provider, gateway, processor, ISO, acquiring bank, payment network, issuer and cardholder.
Yet to make cards as easy as possible to use, the network tries, wherever possible, to avoid making consumers liable for fraud, except when the consumers, themselves, are the perpetrators of the fraud.
Merchants are first in line for fines
For security or revenue purposes, or both, the payment brands have instituted fines on merchants for security breaches and Payment Card Industry (PCI) Data Security Standard (DSS) noncompliance that have been very costly for the merchants.
For example, my firm advised a pizza restaurant that unknowingly stored 15,000 credit card numbers on a server in its back room. After criminals from overseas hacked into the server and stole the numbers, the restaurant was fined over $300,000 by a payment brand for PCI noncompliance and the breach. The fine put the restaurant out of business.
It was never revealed to the merchant to what extent the stolen cards were used, if at all. In other words, the process of ascertaining and levying these fines does not take into account the actual fraud committed. Instead, the fine is often calculated as a function of the cost of replacing the stolen card numbers, which is about $36 per card account.
The disconnect between the total amounts of fines levied and the harm done implies that business factors drive the magnitude of the fines, rather than just an interest in maintaining security and repairing the wrong done by a breach.
A gulf between the objective and reality
A semblance of PCI compliance is achieved when a merchant completes a self-assessment questionnaire that helps the merchant identify PCI issues. All merchants are supposed to complete these questionnaires. Anecdotally, only about 20 percent have done so.
This means a majority of merchants have failed to take the first step toward being PCI compliant.
The big question for our industry is how to deal with this mass of merchants who, for any number of reasons, just don't bother to begin compliance efforts. Considerable factors may be that some of these merchants are new to America, not fluent in English or too busy to spend time on technical questionnaires.
The processor as sheriff
As trustees of the rails on which the financial system rests, processors are ultimately responsible for remitting the face value of fines to acquirers when their merchants fail to do so. Thus, they act as a kind of receiver for the payment networks in the administration of the PCI system.
Whether to motivate merchants to become more compliant or to earn fees from the whole PCI phenomenon, processors working for the benefit of acquirers, as well as themselves, levy fees on ISOs for not doing enough to bring merchants into compliance. These PCI noncompliance fees are the source of a lot of consternation in the industry right now, mostly because they do not appear to be grounded in objective agreements between the parties levying them (processors) and the parties being asked to pay them (ISOs and merchants).
Within the verbiage of merchant agreements, merchant pricing is usually subject to adjustments of various kinds, but ISO agreements usually do not allow the processor as much leeway to adjust pricing. Indeed, if processors had the unfettered right to change ISO pricing for any reason, the negotiation of ISO agreements in the first place would become pointless.
The ISO as enforcement deputy
ISOs have become the often-unwilling enforcers of PCI compliance programs and are required by processors to sell hefty PCI noncompliance fees to merchants. These fees, originating with the acquirer, are uneven and sometimes arbitrary; and they get marked up as they are passed down through the processor to the merchant.
Some ISOs have found a sweet spot in this chain of events, finding a way to entice their merchants to pay PCI compliance or noncompliance fees and earning enough from those fees to justify the effort of selling them.
Other ISOs are struggling to keep up with new and seemingly arbitrary compliance fees from processors, which result in irate merchant calls, spikes in attrition and loss of competitive advantage.
As deputies enforcing PCI compliance programs, ISOs hold double-edged swords; they can either pass the fees through to earn more in a market with ever-shrinking margins, or absorb the fees to preserve their portfolios while taking enormous reductions in residuals.
ISO agreement pricing amendments
Because of interchange and other infrastructure costs that adjust over time, ISOs are accustomed to pricing changes in their ISO agreements, without great interference in the essential commercial understanding of the agreements.
ISOs are not, however, accustomed to new charges, such as PCI noncompliance fees, that do not appear to be based on some objective calculation of costs to the processor. In recent months, a spate of new fees has been tacked on to ISO agreements, often for PCI noncompliance, which the ISOs are supposed to pass through to their merchants. A problem arises when no rational basis exists for these new fees. The amount of the fee can seem arbitrary.
For example, a fee of $10 could just as easily be $100. Therein lies the crux of the crisis that many ISOs find themselves in now. They are flustered not by the addition of a new fee, but rather by the fee's lack of grounding in third-party costs or other objective determinants.
If the PCI noncompliance fees are levied on ISOs, effectively implementing a mandatory amendment to ISO pricing without their consent, ISOs are left wondering why they bothered to negotiate ISO agreements in the first place. Hopefully, processors will back down and keep their promises to ISOs to charge fees that are based upon the agreed pricing schedules. Time will tell.
In publishing The Green Sheet, neither the author nor the publisher is engaged in rendering legal, accounting or other professional services. If you require legal advice or other expert assistance, seek the services of a competent professional. For further information on this article, email Adam Atlas, Attorney at Law, at email@example.com or call him at 514-842-0886.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.