Saturday, September 21, 2024

A Bundled Approach to PCI Compliance for Small Merchants

As smaller merchants struggle with data-security requirements set by the bank card networks, some security firms are working on ways to simplify compliance. An example is Panoptic Security Inc., a Salt Lake City, Utah-based company that distributes its software through independent sales organizations and acquiring banks. It has started talking to point-of-sale terminal and software firms about integrating that software with their systems. The idea is to create an out-of-the-box product that would equip small merchants to comply with the networks' Payment Card Industry data-security standard (PCI).

“We said, 'Bring your development teams, and let's whiteboard this out,'” Leslie M. Norris, executive vice president at Panoptic, tells Digital Transactions News. Norris says Panoptic began approaching POS companies at the Electronic Transactions Association's annual conference in Las Vegas this week and hopes to have its first meetings two weeks from now with two firms. Norris declines to identify the companies. Within six months, she says, the product should be in development.

The goal, she says, is to help small merchants achieve compliance with a mandate that often mystifies them and leaves them frustrated. Norris estimates only about 10% of small businesses that Panoptic works with are PCI-compliant. With tight integration with POS hardware and software vendors, merchants would have a “PCI-compliance solution put at their fingertips,” Norris says.

She adds that the product will also help ISOs, which can find themselves overwhelmed with the task of bringing their merchant clients into compliance. “This could really take a tremendous burden off their field agents,” she notes. Indeed, some ISOs have started charging merchants a fee for non-compliance to cover the risk of a potential breach.
If Panoptic's new strategy succeeds, it would likely bring that revenue stream to an end, but Norris says most ISOs would gladly trade the revenue for security against the consequences of a breach, which can bring on network fines in addition to the costs of card reissuance and other expenses. “That's the position most people want to take,” she says.

Panoptic's expert-system software automates the completion of the so-called self-assessment questionnaire that small businesses complete to meet the requirements of PCI. The software also identifies where businesses fall short and recommends steps they can take to fix the problems. This can be a critical stage for small merchants because many might find this so-called remediation daunting. Yet Norris says the steps they need to take are often not complicated or costly. Indeed, the top three remediation problems are lack of physical security, lack of a firewall, and lack of periodic scanning, Norris says.

Not all industry experts are convinced that small merchants will jump at the chance to install the bundled product, however. Many such merchants process one transaction at a time on a dial-up connection, so they don't see much potential damage from a breach or much likelihood a hacker would bother with their systems, says John Shlonsky, chief executive of TransFirst LLC, a Hauppauge, N.Y.-based processor for mostly small businesses. “Level 4 merchants don't see the risk,” he says, referring to the smallest merchants as classified for PCI compliance purposes. Small merchants that do see some risk, he says, prefer to take out insurance policies that cover their losses in case of a breach.
