Security Issues Weigh Most Heavily with Acquirers, Research Says

Security issues weigh more heavily on the minds of executives with merchant acquirers and independent sales organizations than they do among any other payment card industry sector, according to new research from Aite Group LLC. Some 43% of acquiring executives rated data security, including compliance with the Payment Card Industry data-security standard, or PCI, as the “top challenge” of their sector, tied with the 43% who cited “business issues,” a catch-all phrase for pricing and other sector-specific matters. Fourteen percent cited technology as their most pressing matter. The report's findings are insightful, even though they come from only a very small base of respondents: 23 industry executives who attended the Electronic Transactions Association's Annual Meeting and Expo or SourceMedia Inc.'s Card Forum, both in April. Besides acquiring/ISO executives, researchers from Boston-based Aite interviewed executives from credit card issuers, debit card issuers, card issuers' processors, the payment card networks, and point-of-sale terminal vendors. Among the whole group, 30% cited security and PCI as their top challenge. An equal number cited regulation, while 34% said business issues and 4% said technology. It's little wonder that acquiring-side executives fret the most about security: as the breaches at processors Heartland Payment Systems Inc. and RBS WorldPay Inc. along with several earlier breaches at mid-sized or large retailers show, acquirers and their merchants can be on the hook for monetary and reputation damage in security lapses. The report says the card networks, which enforce PCI primarily through their acquirers, “need to make fixing data-security issues their top priority.” There's another reason security is on the minds of acquiring/ISO executives, but it's not fear, according to Aite analyst Adil Moussa. An increasing number of acquirers see security as a source of fee income, he says. Acquirers are now charging fees for PCI assessments and for being out of PCI compliance. “[Security] is a moneymaker for them, whether they want to admit it or not,” he tells Digital Transactions News. Without naming the company, Moussa cited charges an acquirer sent to a small merchant that listed a $27 fee for each month of non-PCI compliance. Interchange, the subject of heated debate within the payments industry and now of pending legislation in Congress, also is on the minds of acquirers as well as issuers. Because of revenue pressures on the issuing side, 35% of respondents expect interchange to increase in 2010 and 43% predict it will increase in 2011. Twenty-six percent and 17% believe interchange will decrease in 2010 and 2011, respectively. Asked about which technology is likely to have the biggest impact on the card industry as a whole in the foreseeable future, a heavy majority, 68%, cited mobile and radio-frequency identification (RFID) technology, the latter of which enables contactless payments. Data encryption and fraud-detection technology was the second highest, at 14%.