Friday, September 20, 2024

Endpoint: Time to Toe the Line on PCI

Frankly, a Level 4 validation mandate by industry leaders in the payments space would only cement in place a practice that already exists, but is not enforced uniformly.

We’ve had the PCI DSS for years, yet breaches continue to put small merchants out of business. The cause is lagging compliance, says Doug Klotnia, who argues it doesn’t have to be that way.

Doug Klotnia is executive vice president for payment services and channel partners at Chicago-based Trustwave.

With the warmth of the holiday spirit upon us, it’s not exactly timely to think of those topics that scare us, and keep us awake at night. But for me, the topic of data breaches is one that is with me every day, every time of the year. The importance of industry self-regulation through the Payment Card Industry data-security standard (PCI DSS), and of adoption by even the smallest merchant, remains paramount.

The threats to the payments industry because of poor data-security practices do scare me. For something so critical to our livelihood, the lack of participation in PCI compliance is worrisome. Take small merchants in particular. Compliance among this small-merchant Level 4 group, comprising millions of merchants in the U.S. alone, is likely lower than 10%.

Something has to be done, and very soon. The payment card industry has been able to successfully self-regulate to head off theft and fraud. The PCI DSS has been the foundation for this self-regulation, and the industry, with cooperation from the card brands, acquirers, and processors, has worked hard upholding this standard and ensuring implementation and ongoing diligence.

As the standard matures, it’s time to toe the line. We have a very thoughtful, well-designed set of best practices for merchants to use to ensure they’re secure, and yet many industry participants still refuse to fully participate. It’s akin to having a fire extinguisher at the ready, but refusing to use it on an open flame.

Fear of Level 4

Certain new rules in the industry aren’t helping matters. Visa Inc.’s EMV chip card standard, for example, provides merchants a way to opt out of becoming PCI DSS compliant. Is this the right thing to do? As a creator of the standard, shouldn’t Visa be ensuring the same kind of compliance validation across all merchant types, especially given the value we know PCI DSS brings to merchants?

At the same time, there seems to be some fear in the industry of going too deeply into the mass of merchants that is the Level 4 population. Why? One could speculate that industry leaders in the payments space are concerned that, by imposing added regulation, they would enrage a population of merchants already frustrated with card-acceptance fees. After all, we’re operating in a climate that certainly isn’t receptive to additional industry mandates.

But should they be so concerned? Many small merchants are currently being mandated to achieve compliance and are being provided the tools for self-assessment and remediation through one of the many vendors in the payments space, often including a fee. Frankly, a Level 4 validation mandate by industry leaders in the payments space would only cement in place a practice that already exists, but is not enforced uniformly.

Surely, the outcome of a more consistently applied mandate would be better adoption of secure card-handling practices by Level 4 merchants, which could lead to fewer card compromises and an increased level of consumer confidence in the card-acceptance system. Wasn’t that the goal of creating the standard in the first place?

Does this mean a different questionnaire set for the smallest of the small merchants to self-assess more accurately? Possibly. Does it mean more ongoing compliance-monitoring tools that merchants can set and forget? Absolutely. While the standard is mature, when it comes to this unique group, we’re just getting started serving them properly with language they understand and steps they can take to secure their businesses.

Act—Or the Government Will

So what, as an industry, should we be charged with? Discussions at the Electronic Transactions Association’s recent Compliance Day conference centered on “locking arms” to work together. I couldn’t have said it better. The tenets for banding together, and what should drive all industry players—acquirers, processors, independent sales organizations, and the merchants we serve—are to educate, mandate, and measure.

When it was launched, PCI was a requirement for every merchant. But it seems many industry members still consider PCI DSS compliance optional. As we watch merchants go out of business every year from fraud through breaches of cardholder data, I can’t help but shake my head. PCI compliance should very simply be a way of doing business.

I’ll close with the concept of measurement because this is quite simply the elephant in the room. We can’t rate our success on what we don’t measure. This is where we must ask the card brands to step up and provide transparency on what the trends are with even the smallest merchants.

With a better understanding of what’s happening industrywide, we can work together to ensure these small merchants have the tools to accept cards securely for the long term. PCI is the backbone for this measurement, and the good news is, we’re already on our way to having good data to help change behaviors and provide risk-reduction tools to these merchants.

Let’s extinguish the threats to payments by simply using tools we have at our disposal: a strong prescriptive standard in the PCI DSS and available merchant tools that scale from the corner store to the multimillion-dollar enterprise.

What it takes is commitment to this process, and a recommitment from the industry players—the card brands, the PCI Security Standards Council, and the top 100 acquirers and processors—to continue upholding the letter of self-regulation, before the government gets involved and imposes rules we really cannot live by.

Digital Transactions