The Green Sheet Online Edition
January 14, 2008 • Issue 08:01:01
PCI compliance: Don't forget the little guys
We have all heard and read about the national breaches such as the 40 million cards compromised from CardSystems Solutions Inc. or the nearly 100 million cards compromised at TJX Companies Inc.
Most industry veterans understand that to serve merchants as a third party and handle cardholder data, they must be compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).
Becoming PCI compliant can be complicated, difficult and expensive. For the past few years, the industry has been pushed - practically shoved - to get in compliance, or face potential fines.
So much focus has been on larger merchants that it has crowded out the applicability to the majority of merchants.
Level by number
By far, the greatest number of merchants reside in the card Associations' level 4 category.
By definition, level 4 merchants are those who process fewer than 20,000 Visa Inc. or MasterCard Worldwide e-commerce transactions per year and all other merchants, regardless of acceptance channel, processing up to 1 million Visa or MasterCard transactions per year. (For more information, see "Shape up those level 4 merchants - now," by Ken Musante, The Green Sheet, June 25, 2007, issue 07:06:02.)
These merchants receive the least attention from the card Associations because they touch a much smaller number of cards. Breaches occur every day at level 4. In fact, TrustWave reported 62% of breaches occur at small to mid-sized merchant businesses.
Additionally, like many seen on a national level, breaches from smaller merchants are occurring at storefronts that have more valuable magnetic stripe data available.
A 2006 Merchant Link survey found 60% of bars, restaurants and lodges were not aware of the PCI DSS.
Rules run wild
If that was the case in 2006, the flurry of additional rules has done little to clarify things for small retailers and service establishments.
The PCI Security Standards Council took the reins of Visa's Payment Application Best Practices in November, renaming it the Payment Application Data Security Standard (PA DSS). (For more information, see "Farewell PABP, hello PA DSS," The Green Sheet, Nov. 26, 2007, issue 07:11:02.)
The new rules are meant to ensure merchants only use hardware and software that satisfies the PA DSS. The new requirements consist of the following:
- Effective Jan. 1, 2008, newly boarded merchants must not use known vulnerable payment applications.
- VisaNet Processors (VNPs) and agents must only certify new payment applications to their platforms that are PA DSS compliant by July 1, 2008.
- Newly boarded level 3 and level 4 merchants must be PA DSS compliant prior to being approved.
- VNPs and agents must decertify all vulnerable payment applications. Acquirers must ensure their merchants, VNPs and agents use only PABP-compliant applications.
This information may be confusing to merchants, but you can use that uncertainty to better sell merchant services.
After all, you are not selling data security solutions; you are selling secure payment processing. Because of the complexity of both the PCI DSS and available information pertaining to it, selling secure payment processing is different than selling other services.
Specifically, when selling secure payment processing one must motivate, introduce, educate and close.
Merchant prospects may not even realize they have potential issues. Consequently, prospects must first be motivated to even listen to your pitch.
To do this, carry national stories to draw attention. To personalize the sales presentation, bring examples of
Almost every community has some articles on a local breach you can easily research for your presentation. These local examples will provide greater motivation, as they involve merchants your prospects can actually relate to. Help merchants estimate the cost for a breach.
Discuss hard dollars such as card Association fines for noncompliance, forensic analysis and lawsuits. Also, share potential soft dollars such as time expended to address and correct problems, notification law requirements, loss of customer confidence, and loss of business.
Reiterate that 80% of compromised merchants are within the level 4 category. Now your prospects will be in the right frame of mind to be educated. At this point, you can introduce PCI standards and explain the upcoming rules.
Do not confuse the merchant by trying to delineate the multitude of levels or categories. Just explain the rules for their particular category. Describe the data elements that must be secured.
Based upon a prospect's interest, you can further educate. Also, share the different media that must be secured such as hard copies, online files and temporary storage.
Educate your prospects on the difference between validation and compliance. Make sure you emphasize that you are selling secure payment processing, not a security solution.
Close the deal with your prospects by likening the costs for compliance to insurance - a fee they are familiar with and pay regularly. Integrate your solutions to merchants' payment processing. Try it, and let me know your results. Hopefully, you won't be disappointed.
Ken Musante is President of Humboldt Merchant Services. Contact him by e-mail at firstname.lastname@example.org or by phone at 707-269-3200.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.