If there’s a weak link in the chain of card-data security, it’s small merchants. Many of them represent easy targets for hackers and other data thieves. Worse, these businesses don’t see themselves as vulnerable, and far too many remain unaware of security protocols like the Payment Card Industry data-security standard (PCI).
Indeed, according to a survey released last month, there has been some backsliding on security among the nation’s smallest retailers.
A little more than half (54%) of surveyed merchants say they are aware of PCI, the 7-year-old set of data-security rules required of all merchants. That percentage has not budged in the year since the previous survey was done, according to ControlScan Inc., an Alpharetta, Ga.-based vendor of PCI-compliance solutions, and Merchant Warehouse, a Boston-based independent sales organization, which jointly sponsor the research.
Their latest release is the fourth annual report they have done on PCI compliance among so-called Level 4 merchants, or those doing fewer than 20,000 Visa e-commerce transactions annually or up to 1 million brick-and-mortar Visa transactions per year.
Nor is the picture any brighter among those merchants that say they are aware of PCI. Here, a smaller proportion of small merchants has validated PCI compliance (50%, down 7 points from last year), fewer rank data security as a high priority (77%, down 6 points), fewer can produce the documentation they need to support the compliance reports, or self-assessment questionnaires (SAQs), they file (39%, down from 47%), and just 48% are investing in PCI compliance, down 3 points.
The disappointing results carry added significance because the country’s 5 million Level 4 merchants, while small in size, account for a significant share of card-based transactions. They are also far more vulnerable to a data compromise than larger merchants, though they don’t see it that way.
Some 79% reported “little to no chance” a breach could happen at their stores, according to the survey. Yet, 97% of all reported U.S. compromises in 2011 occurred at small merchants, according to Visa Inc. Restaurants and franchise operations are particularly vulnerable to hackers.
While compliance among small merchants has long been a concern, the apparent backsliding uncovered by this year’s survey is particularly alarming. “I was disappointed we didn’t see progress,” says Heather Foster, vice president of marketing at ControlScan. “I’m definitely disappointed about awareness.” Adds Steven Tatem, IT director at Merchant Warehouse: “A lot of work still needs to be done on the education and awareness side.”
Both point out that compliance is relatively inexpensive for small merchants, and especially so when compared to the costs of a breach. But the abstruse language of the standard, together with merchants’ lowball calculation of their risk, conspire to make many owners put PCI on the shelf. “The security vs. convenience factor is always going to be part of the equation,” notes Tatem. “It’s too much of a hassle, I’ll just put my head in the sand.”
Tatem advises ISOs and other acquirers to make PCI compliance part of the sales presentation to any merchant at the earliest opportunity. “That initial sales pitch should touch on this,” he says. “If I want to sell someone a bike, I want to make sure they have a helmet, too.”
One bright spot in this year’s survey is the performance of Web merchants, which turn out to be far more aware of, and active in compliance with, PCI than are their brick-and-mortar cousins. For example, some 70% of e-commerce sellers understand the standard is compulsory, vs. just 52% of physical merchants. The same proportion of e-commerce merchants are completing compliance validation, compared to only 45% of brick-and-mortar retailers.
The two companies conducted the survey in August, gathering responses from 603 merchants. Nearly half of the respondents reported annual transaction volume under $100,000, and 44% were brick-and-mortar establishments, with 16% falling into the e-commerce category and 40% being hybrids or mail-order/phone-order merchants.
Retailers Aren’t the Only Settlement Foes
Before Judge John Gleeson gave preliminary approval on Nov. 9 to the proposed credit card interchange settlement, objections to the deal flowed in fast and furious to U.S. District Court in Brooklyn, N.Y. Included among these were dissents from some seemingly unlikely parties that weren’t directly involved in the massive antitrust case that pitted merchants and merchant trade groups against Visa Inc., MasterCard Inc., and a handful of big banks.
One of those outsiders was First Data Corp., the nation’s largest merchant processor. Atlanta-based First Data said “it was thrust into this case by virtue of an overly broad class definition, a … settlement that does not afford it opt-out rights, and a release that could forever bar it from questioning hundreds upon hundreds of [network] rules and regulations that affect more than half of its multibillion dollar a year business.”
While First Data and its affiliates service 6.2 million merchant locations worldwide, the company itself functions as a minor card-accepting merchant by virtue of taking credit cards in its cafeterias, in mailrooms for employee shipments, and at its charitable foundation. Those functions are enough under the definition of a merchant in the settlement for the company to be bound by its terms affecting class plaintiffs, according to First Data.
“Because the class definition is so broad, companies like FDC are roped into a settlement that provides them nothing and forces them to release claims [against the networks] that they may have without affording them due process,” the company’s filing says.
First Data, which described itself as a competitor of the card networks, also recounted seven lawsuits going back to the 1980s that challenged them over interchange and rules. The processor argued that Visa and MasterCard shouldn’t be given the blanket protection against future antitrust challenges called for by the settlement.
“The sheer number of these disputes helps to highlight the complex nature of the industry which has been involved in numerous antitrust actions in the past,” the filing says. “Visa and MasterCard should not be able to ‘buy a license to monopolize’ at a ‘fire sale’ price by paying a one-time settlement to prevent all future lawsuits and why the court must take care not to approve a settlement that would serve to decrease competition in the industry.”
Senior Visa and MasterCard executives expressed support for the settlement in recent conference calls with analysts.
Two retail ATM trade groups also asked Gleeson to withhold preliminary approval until the settlement’s language is revised to assure that ATM deployers are not bound by its terms.
What these parties, as well as disappointed merchants, will do now remains to be seen. But Gleeson noted earlier that the threshold for preliminary approval is lower than that for final approval, which observers don’t expect until well into 2013 after more courtroom maneuvering by both sides.
Under the settlement, the defendants would pay class merchants $6.05 billion and give them some relief from certain network rules, including surcharge restrictions. Visa and MasterCard also are to provide $1.2 billion in temporarily lowered credit card interchange rates. In return, the merchants agree not to sue Visa and MasterCard in the future over interchange and network rules.
Individual merchant plaintiffs, including Kroger, Supervalu, Rite-Aid, and Meijer, filed a motion in early November to dismiss their claims against Visa and MasterCard because they had settled with the networks. The settlement announced July 13 included about $550 million for individual plaintiffs.
Look Who’s Joining the Wallet Revolution
As it turns out, digital wallets aren’t just a creature of the big banks.
At the time of Visa Inc.’s commercial launch last month of its V.me digital wallet, the world’s largest payments network said some 53 financial institutions had signed on to offer the product to customers. Among these institutions are several dozen credit unions and community banks looking to have new wallet tech available as the holiday shopping season loomed.
Up to now, such technology has been the preserve of some of the nation’s largest financial institutions, including money-center banks with the resources to develop and support the product for potentially millions of customers.
For example, the Isis mobile wallet, which comes from a consortium put together by wireless carriers AT&T Mobility, T-Mobile USA, and Verizon Wireless, claims heavyweights American Express Co., Capital One Financial Corp., and JPMorgan Chase & Co. as participating institutions.
Now the small guys want in the game. “We’re looking at all the things out there in terms of mobile wallet,” says John Schulte, senior vice president and chief information officer with Mercantile Bank of Michigan, one of the small banks supporting V.me. “That may be Google Wallet, V.me, or [Apple Inc.’s] Passbook. We’re going to place multiple bets.” With $1.4 billion in assets, Mercantile serves the Grand Rapids, Holland, and Lansing markets.
Service organizations for credit unions and small banks also have signed on to offer V.me, including Independent Community Bankers of America and The Members Group, which provides processing for both credit unions and community banks.
For now, V.me is restricted to e-commerce transactions, unlike Isis and Google Wallet, for example, which work at the point of sale. V.me allows users to store any payment card from any brand and use the credentials to make payments at participating merchants.
Early merchants for the service, which had been in beta testing for about a year, include Bidz.com, Buy.com, Cooking.com, Modnique, and PacSun. At the launch, Visa said 23 online merchants were accepting V.me, including Blue Nile and Shoebuy.com. Sign-ups at the merchant sites take place during checkout and allow users to load their cards without leaving the site. Once enrolled, consumers can use the wallet to make payments at any of the accepting sites.
Schulte says the convenience of storing all payment media in one digital place, along with loyalty points and other rewards, appeals to consumers his bank has talked to. “Customer awareness [of digital wallets] is actually pretty low, but when presented with a vision of the possibilities, that really excites them,” he says.
Marketing hasn’t started yet, Schulte says, but will include pages on the bank’s Web and mobile sites and social-media campaigns. “It’s really about selling the future right now,” he notes. “We’re excited.”
Still, Mercantile isn’t placing all of its digital eggs in the Visa basket. Schulte says the bank is open to cooperating with a wide range of wallet providers, including non-banks like Google. Mercantile began working with another non-bank player, PayPal Inc., three years ago to offer person-to-person payments. “A lot of banks will see Google and PayPal as the enemy,” he says. “I scratch my head [at that]. It’s a mentality of curling up in a ball and ignoring what’s going on, or worse, blocking your customers. It’s not an effective strategy.”
For now, the price is right for Mercantile. “As a launch partner, there was really no cost” to offer V.me, Schulte says.