The 7-year-old Payment Card Industry data-security standard (PCI) is proving its effectiveness in preventing data breaches among small merchants, according to a survey of payments-industry acquirers set to be released next week.
The survey, cosponsored by ControlScan Inc., an Alpharetta, Ga.-based vendor of PCI-compliance solutions, and the Merchant Acquirers’ Committee, a trade group, found that, among acquirers who said 10% or fewer of their small merchants comply with PCI, 100% said at least one of their merchants had sustained a breach in the preceding year. At the other end of the spectrum, however, only 17% of those acquirers with a 61% or better compliance rate reported at least one merchant with a breach.
“Overall, [acquirers] feel their merchants see the value [of PCI] and acquirers see it reducing risk,” says Heather Foster, vice president of ControlScan.
But if merchants and acquirers are increasingly recognizing value in PCI, overall compliance among small merchants remains low. A separate survey of so-called Level 4 merchants sponsored last fall by ControlScan and Merchant Warehouse, a Boston-based independent sales organization, found just 53% were even aware of PCI. Of those, 57% had validated compliance, up from 47% in 2010.
For the acquirer survey, which was conducted in October and drew responses from 146 banks, processors, and ISOs, ControlScan and MAC asked questions related specifically to Level 4 merchants those acquirers serve. According to Visa Inc.’s definition, a Level 4 merchant is one that processes fewer than 20,000 e-commerce Visa transactions annually or up to 1 million brick-and-mortar Visa transactions a year.
“Respondents have favorable views of PCI compliance programs,” says the survey report, which the two sponsors will make available on Monday. Some 57% said their merchants see value in their PCI programs, while 70% said the programs cut risk. Not surprisingly, acquirers with high compliance rates reported the highest perceived value among their merchants. Nearly all (94%) of responding acquirers said they have a PCI program for Level 4 merchants.
Still, the survey found acquirers overall were doing little to educate small merchants about PCI beyond statement inserts. Both Foster and Susan Matt, chief executive of ThoughtKey Inc., an Atlanta-based payments consulting firm and MAC member, argue this isn’t enough. “It requires more than a couple touch points,” says Foster. Acquirers should include PCI education in all presentations to merchants, both in person and online, Foster and Matt say.
Matt is also critical of acquirers that focus almost exclusively on newly boarded merchants, rather than rolling out PCI programs comprehensively to their portfolios. Some 18% of respondents start program rollouts with new merchants, according to the survey. This number has come down in recent years, Matt says, but remains significant. “I’m very surprised people are focusing only on their new merchants,” she says.
The survey also found that acquirers have established PCI as a source of revenue, with fees to participate in programs and for non-compliance. Some 88% charge so-called compliance fees, with the levies ranging between $50 and $100 a year. Among those charging fees for non-compliance, three-quarters report charges in the $11 to $25 range per month.
Matt says more acquirers are likely to start charging for non-compliance, but says they will shorten the period they assess the fees and then levy another penalty at the end of that period if the merchant still doesn’t comply. She says this change will result from fear of legal liability, as courts could interpret “non-compliance fee” to mean acquirers are also culpable in cases where non-compliant merchants are breached.