
The Green Sheet Online Edition

January 14, 2008  •  Issue 08:01:01


PCI compliance: Don't forget the little guys

By Ken Musante

We have all heard and read about the national breaches such as the 40 million cards compromised from CardSystems Solutions Inc. or the nearly 100 million cards compromised at TJX Companies Inc.

Most industry veterans understand that to serve merchants as a third party and handle cardholder data, they must be compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).

Becoming PCI compliant can be complicated, difficult and expensive. For the past few years, the industry has been pushed - practically shoved - to get in compliance, or face potential fines.

So much focus has been on larger merchants that it has crowded out the standard's applicability to the majority of merchants.

Level by number

By far, the greatest number of merchants reside in the card Associations' level 4 category.

By definition, level 4 merchants are those who process fewer than 20,000 Visa Inc. or MasterCard Worldwide e-commerce transactions per year and all other merchants, regardless of acceptance channel, processing up to 1 million Visa or MasterCard transactions per year. (For more information, see "Shape up those level 4 merchants - now," by Ken Musante, The Green Sheet, June 25, 2007, issue 07:06:02.)

These merchants receive the least attention from the card Associations because they touch a much smaller number of cards. Breaches occur every day at level 4. In fact, TrustWave reported 62% of breaches occur at small to mid-sized merchant businesses.

Additionally, like many seen on a national level, breaches from smaller merchants are occurring at storefronts that have more valuable magnetic stripe data available.

A 2006 Merchant Link survey found 60% of bars, restaurants and lodges were not aware of the PCI DSS.

Rules run wild

If that was the case in 2006, the flurry of additional rules has done little to clarify things for small retailers and service establishments.

The PCI Security Standards Council took the reins of Visa's Payment Application Best Practices in November, renaming it the Payment Application Data Security Standard (PA DSS). (For more information, see "Farewell PABP, hello PA DSS," The Green Sheet, Nov. 26, 2007, issue 07:11:02.)

The new rules are meant to ensure merchants only use hardware and software that satisfies the PA DSS. The new requirements consist of the following:

This information may be confusing to merchants, but you can use that uncertainty to better sell merchant services.

After all, you are not selling data security solutions; you are selling secure payment processing. Because of the complexity of both the PCI DSS and available information pertaining to it, selling secure payment processing is different than selling other services.

Thorough method

Specifically, when selling secure payment processing one must motivate, introduce, educate and close.

Merchant prospects may not even realize they have potential issues. Consequently, prospects must first be motivated to even listen to your pitch.

To do this, carry national stories to draw attention. To personalize the sales presentation, bring examples of local breaches.

Almost every community has some articles on a local breach you can easily research for your presentation. These local examples will provide greater motivation, as they involve merchants your prospects can actually relate to. Help merchants estimate the cost for a breach.

Discuss hard dollars such as card Association fines for noncompliance, forensic analysis and lawsuits. Also, share potential soft dollars such as time expended to address and correct problems, notification law requirements, loss of customer confidence, and loss of business.

Reiterate that 80% of compromised merchants are within the level 4 category. Now your prospects will be in the right frame of mind to be educated. At this point, you can introduce PCI standards and explain the upcoming rules.

Do not confuse the merchant by trying to delineate the multitude of levels or categories. Just explain the rules for their particular category. Describe the data elements that must be secured.

Based upon a prospect's interest, you can further educate. Also, share the different media that must be secured such as hard copies, online files and temporary storage.

Educate your prospects on the difference between validation and compliance. Make sure you emphasize that you are selling secure payment processing, not a security solution.

Close the deal with your prospects by likening the costs for compliance to insurance - a fee they are familiar with and pay regularly. Integrate your solutions to merchants' payment processing. Try it, and let me know your results. Hopefully, you won't be disappointed.

Ken Musante is President of Humboldt Merchant Services. Contact him by e-mail at or by phone at 707-269-3200.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
