The Green Sheet Online Edition

November 26, 2007  •  Issue 07:11:02


Street SmartsSM

We're all in the PCI loop, like it or not

By Dee Karawadra

I must admit, like many ISOs in our industry, I figured the Payment Card Industry (PCI) Data Security Standard (DSS) didn't affect me. I thought as long as my processors and larger merchants do what they need to do to be PCI compliant, my smaller and mid-size merchants and I should be fine, right? Wrong.

The PCI DSS, often called PCI, is of great importance to our industry. And members of the GS Online MLS Forum were very responsive when I asked for their thoughts about it.

Michael Nardy stated, "The long-held way of dealing with things by sticking your head in the sand and saying, 'Oh, no ... not me ... doesn't apply here. I'm sure we'll just be notified when we need to do something,' is definitely the wrong way to handle PCI compliance. Merchants and ISOs alike should all be very proactive in this arena."

Practices, applications under scrutiny

The PCI DSS was created by Visa Inc., MasterCard Worldwide, American Express Co. and Discover Financial Services to standardize and improve data security practices throughout the industry.

The PCI Security Standards Council, which manages the PCI DSS, now also manages the Payment Application Best Practices (PABP) and has renamed it the Payment Application Data Security Standard (PA DSS).

Ken Musante, President of Humboldt Merchant Services, gave a highly informative presentation about PCI at the Western States Acquirers Association meeting in October.

In response to my MLS Forum thread, Musante stated, "PCI is for real, and it is impacting merchants of all sizes. Certainly with all the acronyms, it can be very confusing for merchants. That's where we can all play a role, however.

"Visa has recently introduced a new set of compliance dates. On Jan. 1, 2008, acquirers can no longer purchase non-PABP terminals for merchant placement or board merchants with payment applications with known vulnerabilities."

Musante also explained why the card Associations are paying closer attention to small merchants now.

"Small retail merchants are getting breached," he noted. "Larger merchants and Internet merchants are (ever so slowly) putting in place the resources to stave off breaches. Evildoers are gravitating to smaller and less sophisticated merchants."

Education to the fore

As ISO owners and merchant level salespeople (MLSs), we need to be asking our equipment vendors if the terminals we deploy are PA DSS compliant. We should be concerned; this mandate of compliance could be very costly.

Most small merchants with terminals are fairly safe. "For the average retail merchant that most ISOs service, there will be little or no changes [due to PA DSS]," Mike Maxxon stated on the MLS Forum. "In reality, a majority of machines that have been sold in the last 10 years are in full compliance, although some procedures need adjustments." The majority of breaches are more likely to happen to small merchants; you just rarely hear about them. Here are some areas to watch closely:

Educating yourself is very important. For the feet on the street, there are many places to learn about PCI. Industry shows make a point of including PCI as one of their many education panel topics.

Once you have basic knowledge, you can start passing that on to merchants. As Musante said, that is where we come in. "We can explain that 80% of all breaches (by number of breaches) are occurring at level 4 (smaller) merchants," he noted.

Livelihoods on the line

One of my biggest frustrations with this industry is the dishonesty. When an ISO, MLS, or processor rips off merchants, we all suffer. Most of us can remember the Y2K and smart card scares used to sell new terminals and additional services to merchants who didn't need them.

This is happening again with PCI. One ISO is charging all his merchants a $250 per merchant PCI compliance fee, and the ISO is not sharing this with MLSs. With 5,000 merchants, for instance, that comes to $1.25 million - a lot of money to make based on people's emotions.

MLS Forum member Clearent said it best. "I have seen a number of companies charging merchants either monthly fees, or flat annual fees for PCI compliance costs," he said. "To me, this is just another example of an attempt to collect a fee - any fee.

"Yes, there is a cost, but it certainly isn't as large a cost as what is being passed on to the merchant. In doing these fees, the ISO is just leveraging a fear for a monetary opportunity.

"PCI is real - no doubt. However, if your processor is PCI compliant, and ensures they remain so - the merchant is the next level of importance. Larger merchants already understand, ask TJ Maxx.

"As it trickles to the smaller merchants, I think they too will ensure compliance. However, it's up to us to ensure we don't leverage a fear like this."

I have heard too many stories about bogus PCI fees - from monthly to annual charges. It makes me uncomfortable. PCI compliance issues will be with us for the foreseeable future.

Prepare your customers so they can avoid data breaches, and don't let them be lured away by unscrupulous competitors.

Safari Njema. Safe journey.

Dee Karawadra is the founder, Chief Executive Officer and President of Impact PaySystem, based in Memphis, Tenn. He and his team have a wealth of knowledge on the merchant services industry, with a niche in the petroleum market. Dee's experience on the street as an agent has guided him in laying a foundation for an agent program that is both straightforward and lucrative for his agents. Contact him at 877-251-0778 or
