Charging fees for security-related services or noncompliance with the Payment Card Industry Security Standards Council's data security standards can motivate reluctant merchants to become compliant, according to some payments executives.
Independent sales organizations that charge both types of fees have more compliant merchants in their portfolios than those that do not, said Wenlock Free, the vice president of business development at SecurityMetrics Inc., a Salt Lake City provider of PCI security products and services.
The noncompliance fee is "the motivator," he said. Some ISOs resell security services from third-party vendors to help their merchant clients comply with the PCI security standards. ISOs typically charge merchants for such services, but the fees vary by company.
Fees charged to merchants "make a tremendous difference" in boosting compliance levels, agreed Doug Klotnia, the general manager of the compliance division at Trustwave, a Chicago payment-security company. Encouraging merchants to adopt more secure technology and operations and offering them optional third-party security services was not effective at boosting compliance rates for many service providers, he said. Once ISOs levied fees and made security programs mandatory, "the merchants behaved differently," Klotnia said.