Thursday, May 5, 2011

Merchant Awareness of PCI: Success or Failure?

It's been nearly a decade now, so are small merchants aware of PCI? Yes, it's already been 10 years. Visa brought the Cardholder Information Security Program (CISP) to fruition in 2001, and in 2004 it evolved into the Payment Card Industry (PCI) Data Security Standard (DSS).

After several years of comprehensive efforts by the payment processing industry to inform and educate merchants, and despite the fact that payment card industry compliance is required, results and opinions are mixed. A recent study by the National Retail Federation provides information to make a case for both success and failure of the program; here it is:

Success

• 66% of small merchants are aware of the PCI DSS.

• The majority of merchants who are aware of PCI take it seriously. 74% of them have had a PCI compliance assessment.

• 94% of merchants care about keeping card information secure.

• 50% of merchants are aware of some consequences of a breach, such as getting sued by cardholders and losing the ability to accept Visa and MasterCard.

Failure

• 34% are still unaware of PCI despite the immense industry efforts.

• 51% of all merchants still have not had a PCI compliance assessment.

• 64% are unaware of the dangers and don't believe their business is vulnerable to card data theft.

• 60% of merchants don't have a strong understanding of the costs, including fines by Visa/MasterCard, liability for use of stolen cards, and per-card fees for every canceled card.

So, has this all been a success or a failure? While my answer might be an open invitation to accusations of being a politician or fence-sitter, my answer is "Yes." As an industry, we've made great progress and had a significant positive impact, but we have a long way to go to get payment card industry compliance where it needs to be.

Let's not stop there; let's offer a few explanations for why awareness and compliance are potentially lower than one might expect.

1. Quantities of new businesses

Many small business owners have a lengthy list of responsibilities and to-dos; it's not a huge surprise that these businesses are not familiar with PCI out of the gate. Compounding this is the fact that many new businesses open every year. According to Census data, 700,000 new businesses are "born" each year. This is reflected in the NRF study, where 27% of merchants were less than three years old.

2. "Bad things only happen to other people" mentality

It can be human nature to assume the best and that "it won't happen to me." When dealing with the risk of a security breach involving cardholder data, many merchants appear to take that approach, rather than planning with Murphy's Law in mind.

3. Focus on fees rather than compliance

There is no reason to hide the fact that most processors and acquirers have fees for PCI programs. The fees have created controversy because they can seem high and are often not tied to compliance. As a result, perhaps PCI fees have become the main focus for many ISOs and merchants instead of PCI compliance itself.

ISOs, are you fed up with the high fees associated with your current payment partner's Payment Card Industry (PCI) compliance assessment program? Are they causing attrition in your portfolio? Do their fees make it difficult for you to sign new merchants? Clearent has a unique approach to PCI compliance:

• No PCI Fees - That's right, there are no PCI fees for merchants who complete our questionnaire.
• Keep It Simple - Merchants save time thanks to our simplified PCI questionnaires.
• Know Your Status - Monitor your portfolio's status at a glance with our online reports.

Contact Clearent for more information on payment processing solutions for ISOs and FIs.

PCI DSS Compliance and Addressing the Blame Game

We all know the "Blame Game." We were introduced to it as children. It typically involves breaking, spilling, or losing something that your mother didn't want you tinkering with in the first place. The game changes as we get older - our arguments get stronger, but we still pass the blame.

Here are some classic responses we've either said - or heard - at one time or another:
• "(Name) did it."
• "It wouldn't have happened if (Name) did (Desired Action)."
• "It's not my fault."

As a result, today our society could be defined as a litigious one. People are quick to sue and claim that they shouldn't be held accountable and that it's someone else's fault that something bad happened.

Merchants are no different, given the pressures they face, especially with the many changes in regulation and the economy over the past few years. There are all sorts of opportunities for errors and finger pointing.

One area that is very important is maintaining data security and PCI DSS compliance. Vulnerabilities can be created by careless actions, and vulnerabilities can result in a breach, as well as hefty fines, penalties and more.

When this happens, it's likely that the merchant is going to look outside of his business for someone to blame. And when he thinks he's found that someone, a lawsuit could be the next thing to follow.

To protect themselves and their merchant customers, most payment processors will insist on the completion of a PCI compliance assessment. The processor then reviews the assessment to identify merchants whose actions may put them at risk of a compromise. This helps keep the blame at bay, but it's not the best approach.

It's common for ISOs to want to provide the best possible service to their merchants, and they may want to complete the self-assessment questionnaires (SAQs) on behalf of their merchants.

What happens if, for some reason, a merchant is then breached? If it is determined that the merchant was not PCI compliant and the questionnaire was not completed accurately, who will the merchant blame? It was the ISO who helped them complete their PCI compliance assessment, of course.

PCI DSS compliance and data security are very important, but processors shouldn't put ISOs in the middle of their approach. That isn't their job, and frankly, they shouldn't be expected to be PCI compliance experts. Also, remember why one of the best ways to avoid this Blame Game is a self-assessment questionnaire: it is designed to be taken by merchants because they know the details of their operation best.

So what's the solution?

At Clearent, we use an online questionnaire, designed to be completed by the merchant to assist with PCI DSS compliance. We believe it shouldn't be part of the application process, but rather part of the support your payment processor provides to your merchants. And it shouldn't come with a cost to complete.

It's a simple approach, but one that any ISO today with the desire to grow should appreciate. That way, if a breach should ever happen, you can easily say, "It wasn't me. I wasn't even involved." - and truly mean it. Otherwise, it may be prudent to have an attorney on retainer.