Digital Transactions Authoritative, insightful and timely information for payments professionals
In sharp contrast to only a year ago, independent sales organizations and other merchant acquirers now rank revenue generation as their number-one goal for programs they offer to help merchants comply with the Payment Card Industry data-security standard (PCI), according to a survey set to be released on Thursday.
The new emphasis on revenue represents a total reversal from the results of a similar survey released last January. In that study, acquirers rated “reducing risk from breaches” as their top priority with PCI programs, with potential revenue from PCI fees coming in fourth. This year, respondents ranked revenue first, with risk reduction relegated to fourth place.
Satisfying card-brand mandates and reaching higher compliance rates came in second and third, respectively, unchanged from a year ago. Both surveys were sponsored by ControlScan Inc., an Atlanta-based security-solutions firm, and the Merchant Acquirers’ Committee, a trade group focused on risk management.
The sudden, 180-degree change in priority for revenue “definitely surprised all of us,” says Heather Foster, vice president of marketing at ControlScan, which with the MAC surveyed 123 banks, processors, and ISOs. Completed in October, the study focused on compliance programs for so-called Level 4 merchants. These are small merchants processing fewer than 20,000 card transactions online or fewer than 1 million card-present transactions each year.
Susan Matt, chief financial officer for MAC and chief executive of ThoughtKey Inc., a payments consultancy, says she, too, was surprised by the result but attributes it to acquirers’ intensifying search for new revenue to offset higher costs and price compression. “You’re seeing a lot more competition down at the small ISO level, where before it hadn’t hit them yet,” she says.”They’re saying, ‘We’re seeing deterioration in revenue.’”
She concedes that ongoing industry consolidation should ultimately lead to firmer pricing. “With fewer market players, you’d expect to see less competition and pricing compression more lax, but we’re not seeing that yet,” she notes. “That’s a trickle-down effect.”
The dramatically higher priority for revenue is showing up in the fees acquirers charge merchants for PCI-compliance programs. Some 59% of respondents say they charge $71 or more per year for this service, up from 50% last year. The sweet spot appears to be in the $71-$100 range, where 43% of respondents fell. Only 11% say their programs are free. Nor are program fees causing acquirers to lose business. Some 49% say they have lost less than 1% of their merchants each month because of such fees, up from 37% last year. Only 20% say they have lost 1% or more. A cautionary note, however, lies in the fact that fully 30% of acquirers don’t track this statistic.
At the same time, acquirers are cracking the whip on non-compliance—and charging more for it. Eighteen percent now charge at least $26 per month for non-compliance, three times the level from last year. A solid two-thirds charge between $11 and $25.
Non-compliance fees also serve more and more as a tool to drive merchants into compliance programs. The use of discounts to encourage participation in such programs stands at 15%, a 7-point drop from last year. And these fees are coming sooner. Only 9% now say they wait at least six months before imposing the fee, down from 22% last year. The majority—60%–hit recalcitrant merchants within two to three months.
Among acquirers who responded to the survey, 23% were banks, 49% ISOs, and 24% processors, while the remainder were agents or other entities. Some two-thirds held Level 4 portfolios of at least 1,000 accounts.
