The Green Sheet Online Edition
November 26, 2007 • Issue 07:11:02
We're all in the PCI loop, like it or not
I must admit, like many ISOs in our industry, I figured the Payment Card Industry (PCI) Data Security Standard (DSS) didn't affect me. I thought as long as my processors and larger merchants do what they need to do to be PCI compliant, my smaller and mid-size merchants and I should be fine, right? Wrong.
The PCI DSS, often called PCI, is of great importance to our industry. And members of the GS Online MLS Forum were very responsive when I asked for their thoughts about it.
Michael Nardy stated, "The long-held way of dealing with things by sticking your head in the sand and saying, 'Oh, no ... not me ... doesn't apply here. I'm sure we'll just be notified when we need to do something,' is definitely the wrong way to handle PCI compliance. Merchants and ISOs alike should all be very proactive in this arena."
Practices, applications under scrutiny
The PCI DSS was created by the major card brands (Visa Inc., MasterCard Worldwide, American Express Co., Discover Financial Services and JCB International) to standardize and improve data security practices throughout the industry.
The PCI Security Standards Council, which manages the PCI DSS, now also manages the Payment Application Best Practices (PABP), the program Visa ran for payment software, and has renamed it the Payment Application Data Security Standard (PA DSS).
Ken Musante, President of Humboldt Merchant Services, did a highly informative presentation about PCI at the Western States Acquirers Association meeting in October.
In response to my MLS Forum thread, Musante stated, "PCI is for real, and it is impacting merchants of all sizes. Certainly with all the acronyms, it can be very confusing for merchants. That's where we can all play a role, however.
"Visa has recently introduced a new set of compliance dates. On Jan. 1, 2008, acquirers can no longer purchase non-PABP terminals for merchant placement or board merchants with payment applications with known
Musante also explained why the card associations are paying closer attention to small merchants now.
"Small retail merchants are getting breached," he noted. "Larger merchants and Internet merchants are (ever so slowly) putting in place the resources to stave off breaches. Evildoers are gravitating to smaller and less sophisticated merchants."
Education to the fore
As ISO owners and merchant level salespeople (MLSs), we need to be asking our equipment vendors whether the payment applications running on the terminals we deploy are PA DSS compliant. We should be concerned; meeting this mandate could be very costly.
For most small merchants using standalone terminals, PA DSS will require few changes. "For the average retail merchant that most ISOs service, there will be little or no changes [due to PA DSS]," Mike Maxxon stated on the MLS Forum. "In reality, a majority of machines that have been sold in the last 10 years are in full compliance, although some procedures need adjustments." Even so, the majority of breaches happen at small merchants; you just rarely hear about them. Here are some areas to watch closely:
- Hard copies of data
- Online data files
- Temporary data files
- Data intrusion
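Three of the four areas above come down to one question: is cardholder data sitting somewhere it should not be? A practical check for the file-based cases (online data files, temporary data files, batch logs and spool output left behind by a payment application) is to scan the files for digit runs that pass the Luhn check and carry a card-brand prefix, and report only the last four digits so the report itself stores no account number. The script below is an added example written for this column, not code from the article or from any vendor; the sample log it scans is constructed, and the card numbers in it are the brands' published test numbers, not real accounts. Brand prefix ranges and the `find_pans` helper are this example's own choices.

```python
"""
Scan text left behind by a payment application (batch logs, temp files,
spool output) for primary account numbers (PANs) stored in the clear.
Candidate digit runs are Luhn-checked and matched against card-brand
prefix ranges so that order numbers, phone numbers and timestamps are
not reported. Example code added to this column; not from the article.
"""
import re
from typing import List, NamedTuple, Optional

# A PAN is 13 to 19 digits, possibly written with spaces or dashes between
# groups. The look-arounds stop us from matching a slice of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    line_no: int
    brand: str
    masked: str  # last four digits only, so the report stores no PAN


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> Optional[str]:
    """Map a PAN to one of the brands named in the column by published IIN
    prefix and length. Returns None when no brand fits."""
    n = len(digits)
    two = int(digits[:2])
    three = int(digits[:3])
    four = int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if (51 <= two <= 55 or 2221 <= four <= 2720) and n == 16:
        return "MasterCard"
    if two in (34, 37) and n == 15:
        return "American Express"
    if (four == 6011 or two == 65 or 644 <= three <= 649) and n in (16, 19):
        return "Discover"
    return None


def find_pans(text: str) -> List[Finding]:
    """Return one Finding per Luhn-valid, brand-matched PAN, by line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            brand = card_brand(digits)
            if brand and luhn_valid(digits):
                masked = "*" * (len(digits) - 4) + digits[-4:]
                findings.append(Finding(line_no, brand, masked))
    return findings


# Constructed sample: what a leftover terminal batch log might look like.
# Card numbers are the brands' published test numbers, not real accounts.
# Line 6 holds an order number and a phone number that must not be flagged.
SAMPLE_TEMP_FILE = """\
2007-11-26 09:14:02 BATCH 000412 OPEN
TXN 0001 AMT 45.10 ACCT 4111 1111 1111 1111 AUTH OK
TXN 0002 AMT 12.99 ACCT 5555-5555-5555-4444 AUTH OK
TXN 0003 AMT 310.00 ACCT 378282246310005 AUTH OK
TXN 0004 AMT 8.50 ACCT 6011111111111117 AUTH DECLINED
ORDER 1234567890123 SHIPPED; CALL 4155551234567 FOR STATUS
2007-11-26 09:15:44 BATCH 000412 CLOSE
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_TEMP_FILE):
        print(f"line {f.line_no}: {f.brand} PAN stored in clear, ends {f.masked[-4:]}")
```

Run it over a directory of a merchant's terminal or POS working files and any hit is a storage problem to fix, regardless of whether the application is on the PA DSS list. The Luhn and prefix filters keep the noise down: the phone number on line 6 starts with a 4 like a Visa PAN but fails the mod 10 check, and the order number has no brand prefix at all.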
Educating yourself is very important. For the feet on the street, there are many places to learn about PCI. Industry shows make a point of including PCI as one of their many education panel topics.
Once you have basic knowledge, you can start passing that on to merchants. As Musante said, that is where we come in. "We can explain that 80% of all breaches (by number of breaches) are occurring at level 4 (smaller) merchants," he noted.
Livelihoods on the line
One of my biggest frustrations with this industry is the dishonesty. When an ISO, MLS, or processor rips off merchants, we all suffer. Most of us can remember the Y2K and smart card scares used to sell new terminals and additional services to merchants who didn't need them.
This is happening again with PCI. One ISO is charging all his merchants a $250 per merchant PCI compliance fee, and the ISO is not sharing this with MLSs. With 5,000 merchants, for instance, that comes to $1.25 million, a lot of money to make by trading on people's fears.
MLS Forum member Clearent said it best. "I have seen a number of companies charging merchants either monthly fees, or flat annual fees for PCI compliance costs," he said. "To me, this is just another example of an attempt to collect a fee - any fee.
"Yes, there is a cost, but it certainly isn't as large a cost as what is being passed on to the merchant. In doing these fees, the ISO is just leveraging a fear for a monetary opportunity.
"PCI is real - no doubt. However, if your processor is PCI compliant, and ensures they remain so - the merchant is the next level of importance. Larger merchants already understand, ask TJ Maxx.
"As it trickles to the smaller merchants, I think they too will ensure compliance. However, it's up to us to ensure we don't leverage a fear like this."
I have heard too many stories about bogus PCI fees, from monthly to annual charges. It makes me uncomfortable. PCI compliance issues will be with us for the foreseeable future.
Prepare your customers so they can avoid data breaches, and don't let them be lured away by unscrupulous competitors.
Safari Njema. Safe journey.
Dee Karawadra is the founder, Chief Executive Officer and President of Impact PaySystem, based in Memphis, Tenn. He and his team have a wealth of knowledge on the merchant services industry, with a niche in the petroleum market. Dee's experience on the street as an agent has guided him in laying a foundation for an agent program that is both straightforward and lucrative for his agents. Contact him at 877-251-0778 or email@example.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.