By Ken Musante
Napa Payments and Consulting
Merchants hate PCI compliance portals more than they do the associated non-compliance fee. That's why so many pay the fee each month. For most, this is an unfair burden because the need is waning and the process to comply is circuitous. Indeed, Visa and Mastercard recognized EMV cards aren't subject to counterfeiting and have longstanding PCI validation exemption programs. Why aren't we making it easier for merchants?
A merchant must navigate two sets of questions to properly comply with a PCI certification and attestation. The first set defines the environment and the specific questionnaire they must complete. Ecommerce merchants, for example, have a different environment than POS merchants. There are nine different Self-Assessment Questionnaires (SAQs). Security Metrics does a great job detailing them here: https://bit.ly/3sQbx8C.
Once the environment is defined merchants must answer questions related to their specific environment. However, the questions used to define the environment and the SAQ questions are too technical for most merchants. Defining the environment, for a merchant not familiar with our industry jargon, is difficult. The SAQ, too, is jargon-packed. Even if a merchant successfully completes the SAQ, that doesn't ensure they will remain compliant.
As an industry, we compound the issue by charging PCI fees. Often a merchant will be charged a monthly or annual PCI fee, typically $8 per month—plus, if they don't complete the SAQ, a PCI non-compliance fee of $35 to $55 monthly.
While there is risk for an acquirer, if a merchant doesn't valid PCI compliance, these fees are an enormous profit center, especially the non-compliance fee, as there is not a marginal expense associated with adding a merchant, regardless of their compliance status.
Many payfacs have exploited this frustration and provided solutions where merchants must neither complete the SAQs nor pay PCI fees. Payfacs aren't exempt from ensuring their sub-merchants are compliant. Payfacs face the same risk and fine structure as traditional acquirers, but payfacs provide a solution that enables them to better manage access to card data and more uniformly ensure data is secure. Square's site, squareup/us/en, for example, states:
"Since Square itself is PCI compliant, we don't require account holders to validate PCI compliance. Merchants who use Square for all storage, processing, and transmission of payment card data do not need to validate PCI compliance for those transactions."
Square reserves the right to hold its sub-merchants responsible for fees in the event of a breach; however, because Square is the merchant of record, Square doesn't require attestations from each of its sub-merchants. Instead, it provides a solution that meets PCI requirements as long as the solution is used in accordance with specifications.
The need for the Payment Card Industry Data Security Standard (PCI DSS) came about because of voluminous hacks and subsequent counterfeit fraud. With EMV migration, the need for card-present merchants to validate PCI compliance has diminished. EMV cards are difficult to counterfeit; even if a card-present solution were compromised, the breach wouldn't result in a loss.
Consequently, as mag stripe use diminishes, the need for PCI validation wanes. The card networks have long known this. As early as 2017, Mastercard and Visa instituted programs to exempt card-present merchants from PCI validation so long as at least 75 percent of their transactions were processed through an EMV-compliant device. Now, all four major card brands (AmEx, Discover, Mastercard and Visa) have exemption programs for card-present merchants.
These programs are little used and not widely known. Perhaps the monthly and annual fees charged dissuade acquirers from adopting them. This is short sighted, as it provides merchants one more reason to migrate to a payfac.
Acquirers would be wise to consider a blanket policy of exempting all their card-present merchants utilizing EMV-compliant devices. This would provide substantial uplift in merchant satisfaction and tremendous marketing potential. It could differentiate an acquirer's program and reduce fees during an inflationary cycle. The ensuing revenue hit would be offset by a decrease in attrition and an increase in new accounts. 
As founder of Humboldt Merchant Services, co-founder of Eureka Payments, former executive at WePay, and founder of Napa Payments and Consulting, Ken Musante has experience in all aspects of successful ISO building. Contact him at kenm@napapaymentsandconsulting.com, 707-7656 or www.linkedin.com/in/ken-musante-us/.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
Prev Next
