The Green Sheet, Inc

Will we soon see the first human payment device?

By Ken Musante

In a recent American Banker article, Visa U.S.A. Chief Executive Officer John Philip Coghlan predicted that by the end of this year, more than 60% of the merchants accepting Visa bankcards will have adopted the Payment Card Industry (PCI) Data Security Standard.

I risk spoiling my brand neutrality, but if 60% of Visa's merchants are PCI compliant by year's end, I'll get a Visa tattoo, embed a radio frequency identification device in the back of my right hand and become the first human payment product. "Talk to the hand" will become my preferred payment parlance. Fun as this seems, I feel secure that by year's end I will remain ink and chip free: I doubt that 60% of merchants will even know what PCI stands for by that time.

The challenge of PCI compliance

Coghlan asserted that data security is the greatest challenge facing our industry. I agree. Achieving compliance is a daunting and complex task. The rules regarding third parties are still being modified while merchants continue to provide data to third parties, i.e., reward, hosting and gateway companies; integrated point of sale (IPOS) vendors; and ISOs.

Merchants furnish data because they need the services third parties provide. For example, not every merchant is ready or sophisticated enough to develop an Internet payment gateway. Thus, well-run PCI-compliant gateways have found a niche. It's clear that requiring Internet payment gateways to certify their security methods is a good thing. Unfortunately, our industry's various sectors may not be acting in lock step. Hosting companies, for instance, can expose, transmit or store the same type of data as payment gateways. Yet, few hosting businesses are on the list of PCI-compliant companies.

Not all constituents have recognized the criticality of third parties within the payments industry, nor have merchants fully understood the potential risks involved. Often, when implementing new terminals or IPOS systems, merchants either don't properly set up security protocols or don't recognize their responsibility for the sensitive data they process. Also, merchants are migrating to Voice over IP (VoIP) because of our industry's persuasive sales culture and the additional speed and functionality VoIP offers. The danger is that some VoIP lines are transmitting card data in clear text, and some merchants haven't established a secure protocol for transmitting this data.

Levelheaded rules

Visa's and MasterCard International's rules clearly delineate what merchants in Levels 1, 2 and 3 must do to be PCI compliant. And for the most part, acquirers recognize the pressing need to require compliance from these merchants. Levels 1, 2 and 3 include the following merchant types:

Level 1

  • Any merchant (regardless of acceptance channel) processing more than 6 million Visa or MasterCard transactions per year
  • Any merchant who has suffered a hack or an attack that resulted in an account data compromise
  • Any merchant Visa or MasterCard, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system
  • Any merchant identified by any other payment card brand as Level 1

Level 2

  • Any merchant processing 150,000 to 6 million Visa or MasterCard e-commerce transactions per year

Level 3

  • Any merchant processing 20,000 to 150,000 Visa or MasterCard e-commerce transactions per year

The overlooked Level 4

Unfortunately, attaining PCI compliance requires more than the first three merchant levels. There is also Level 4, which includes Internet merchants processing fewer than 20,000 Visa or MasterCard transactions per year and any other merchant type processing up to 6 million transactions per year.

I emphasize Level 4 because, by number of merchants, this is by far the largest category. Indeed, nearly all restaurants and retail establishments using terminals or IPOS systems fall into this category. And Level 4 merchants are not being addressed with the same urgency as the other levels.

Neither Visa nor MasterCard has a date by which compliance for Level 4 merchants must be validated, but compliance is required nonetheless.

IPOS vulnerability

Additionally, several IPOS systems can inappropriately store magnetic-stripe data, often due to merchant misuse or ignorance. Many IPOS systems connect to a processor via high-speed Internet connections, leaving them vulnerable to hackers.

And many hackers specifically seek IPOS systems because of the large quantity of card numbers available and because of the potential to obtain magnetic stripe data. Our industry is most exposed within the Level 4 merchant category. In this group, many unidentified third parties are storing, processing or touching transactions; merchants are inappropriately handling or storing data; and merchants are not being aggressively educated.

I urge Visa and MasterCard to focus their efforts on this cross section of merchants, and I encourage all acquirers to register all known third parties that represent this merchant group. And I hope everyone in the industry seriously addresses this demographic. The PCI requirements for Level 4 merchants are to pass a self-assessment questionnaire and to pass a quarterly network scan from a qualified independent vendor.

Enterprise-wide PCI compliance

Finally and most importantly, I suggest that Visa and MasterCard move away from specific merchant compliance and toward an acquirer-based, enterprise-wide PCI program. This program should reward acquirers that have implemented PCI security across their businesses and alleviate punishment for isolated incidents.

Unfortunately, given the number of Level 4 merchants and the existing requirements, I cannot imagine how these merchants will become PCI compliant.

I instead encourage the rules to be amended. Following are some proposals for further consideration:

  • Require merchants with dial-up, stand-alone terminals and no other connectivity or card number storage capacity to verify accordingly with an attestation statement. Then exempt them from further compliance-related activity.
  • Impose a due date for compliance on merchants processing more than 20,000 transactions yearly, regardless of processing method.
  • Provide an Association certification for all acquirers engaged in enterprise-wide cardholder security programs. Advertise these acquirers' compliance and significance.

Although foretelling events in our industry is dicey, I can see the headlines should Mr. Coghlan's prediction hold true, and I am bound by my word to proceed with my implant.

Ken Musante is President of Humboldt Merchant Services. E-mail him at kmusante@hbms.com

Article published in issue number 060602

© 2006, The Green Sheet, Inc.