By Patti Murphy
ProScribes Inc.
It's time for the industry to get fully behind a card security regimen that benefits everyone in the payment stream: merchants, customers, issuers, acquirers and the card brands, too. And the first step in that process should be an honest and open dialogue about the vulnerabilities that exist and how they can best be contained.
The urgency of the situation is being driven by news reports of breaches involving high-profile retailers, like Target Corp. and Neiman Marcus Group, as well as spiraling costs – both social and financial.
The Ponemon Institute, a Michigan think tank that conducts regular data security research, reported in 2013 that 60 percent of the small and midsize businesses it surveyed had experienced at least one data breach in the preceding 12 months; 51 percent said their businesses' reputations had been damaged as a result of those breaches. The average cost of each of those breaches was $900,000, Ponemon noted.
The online channel is especially vulnerable. A 2012 consumer survey by the Edelman Data Security and Privacy Group found the vast majority of consumers (84 percent) consider information privacy and security to be very important when purchasing items online. Yet only 33 percent said they trusted online retailers to properly protect their personal information.
Not long after the initial news reports about the Target and Neiman Marcus breaches, I was shopping at a small store and I found myself engaged in a conversation about card data breaches. "You know, it's a lot safer using your card at a small shop like ours, because [cyber-criminals] don't even know about us," the store manager said.
I couldn't let that pass without comment. "Who is your acquirer?" I asked.
"Heartland," she responded.
"Are you aware Heartland was breached a few years ago?"
She wasn't, and as it turned out, the store had a different acquirer at the time, so it wasn't affected by that breach. But the entire exchange got me to thinking about just how uneducated many merchants are about card data security, and how acquirers, ISOs and their partners can and should do more to turn the situation around.
A report released earlier this month by the payment security company ControlScan Inc. and the Merchant Acquirers' Committee illustrates my point. Just 44 percent of the merchant services providers surveyed said they offer clients risk-reducing tools or services beyond just providing access to the Payment Card Industry (PCI) Data Security Standard (DSS) Self-Assessment Questionnaires and external vulnerability scanning.
Among ISOs and acquirers that do offer additional services, tokenization and point-to-point encryption are the most common, the survey revealed. With tokenization, sensitive cardholder information is masked with unique identifiers for purposes of authorizing and completing transactions. Tokenization has emerged as a viable security option, especially when used in conjunction with encryption, because it eliminates the possibility of merchants retaining card account information. That, in turn, reduces merchants' PCI compliance costs.
Some may balk at the notion of lowering merchant compliance costs, as in many cases PCI compliance fees contribute to bottom-line profits of ISOs and acquirers. But that's a short-term view of a long-term problem. And it doesn't bode well for merchant retention.
"Today's threat environment challenges merchant service providers to take a fresh look at their PCI programs," said Heather Foster, Vice President of Marketing at ControlScan. "Small merchants in particular need guidance in terms of readily available technologies and services that reduce PCI scope and support a strong security posture."
Susan Matt, Chief Executive Officer of payment consulting firm ThoughtKey Inc., and a MAC member, said the survey results point to significant opportunities for merchant acquirers and their sales partners. Among these are the "ability to offer merchants risk-reducing tools as well as justification for being more aggressive in charging non-compliance fees," Matt noted. And companies that "seize these opportunities will achieve greater risk reduction overall, gain revenue and ensure merchant retention," she added.
Further findings from the ControlScan/MAC survey suggest acquirers and their partners are making progress toward greater PCI-compliance validation among small merchants. For example, more companies are seeing portfolio compliance rates that exceed 40 percent. On the flip side, the survey revealed there has been a 23 percent increase in the number of merchant breaches since 2012.
The report contains results of ControlScan's latest poll of acquirers' perspectives on PCI compliance. Titled Building Momentum: The Third Annual Survey of Acquirers' Perspectives on Level 4 Merchant PCI Compliance, it also includes recommendations for successfully engaging merchants in the PCI compliance process. I've summarized those here, along with additional common-sense ideas gleaned from my conversations with industry leaders.
Patti Murphy is Senior Editor of The Green Sheet and President of ProScribes Inc. She is also the founder of InsideMicrofinance.com. Email her at patti@greensheet.com.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
Prev Next