PCI’s POS Costs Slow Retailer Adoption, Terminal Exec Says

Reluctance by merchants and independent sales organizations to assume the added costs of compliant terminals is contributing to the apparently slow rate at which retailers are adopting the Payment Card Industry data-security standard, an executive with a major terminal maker says. According to recent data from Visa USA, one of the sponsors of PCI, only 17% of 231 large merchants have complied with the standard, while three-quarters are working on compliance and 8% have submitted no report on the matter (Digital Transactions News, March 8). Data on smaller merchants haven't been available. The standard requires, among other things, that merchants and processors encrypt card data and protect data bases with firewalls and other anti-intrusion measures. Many merchants and ISOs have raised concerns about the complexity of the standard, and others have simply remained unaware of it. But Neil Hudd, senior vice president for global product development and marketing at Hypercom Corp., Phoenix, Ariz., says reluctance to ditch installed devices that appear to be in working order, not to mention pay more for PCI-compliant point-of-sale technology to replace those terminals, lies behind some of the slowness by merchants to adopt the standard. “What you're getting from them is, we don't want this new [PCI-certified] equipment,” Hudd says. Engineering terminals to PCI spec, Hudd says, is a problem for manufacturers like Hypercom, not for retailers and the ISOs that sell, lease, and?increasingly?give terminals to them. But it adds anywhere from $5 to $10 to the terminal's final price tag, he estimates. At the same time, he says, many ISOs prefer to sell older equipment that is already in inventory and on which they can get higher margins. “It's not complex for [ISOs and merchants],” he says. “It's complex for us. The costs of certifying are horrendous. It's a cost to us, and we have to pass that cost on.” As an example, he says Hypercom has designed chip sets that are tamper-proof and resistant to hackers trying to “sniff” out data such as PINs as they flow through the device. As a result, he says, with new devices “what comes out of the terminal is generally secure.” Indeed, the lengths to which the terminal makers go to make PCI-compliant devices has raised the cost of entry for new competitors, Hudd says. “The barrier to entry for any new manufacturer is certification,” he says. “From a purely selfish point of view it protects us from new entrants coming in.” PCI was established more than a year ago by Visa, MasterCard International, Discover Financial Services LLC, American Express Co., and other card networks to harmonize the networks' various data-security rules into a single set of specifications aimed at protecting card data from unauthorized access and use.