Nova Offers Compliance Help

The merchant processor Nova Information Systems is offering its smallest merchant clients help in complying with the Payment Card Industry data security standard.

The U.S. Bancorp unit said Wednesday that it is offering clients risk assessment software from TrustWave Holdings Inc. that can evaluate their security practices.

Merchants of all sizes must conform to the PCI standard, or face fines. The standard describes which card information can be stored and how to keep it safe.

"We contractually require all our merchants to abide by the PCI data security rules," said Gerry Tilson, Nova's senior vice president for card association compliance. Any fines the Minneapolis company receives for processing transactions for noncompliant merchants are passed along to that merchant.

Mr. Tilson said Visa U.S.A. recently stepped up its efforts to promote compliance by small merchants, which it calls Level 4 merchants. According to TrustWave's research, those merchants are targeted for 80% of card data thefts.

Robert McCullen, the chairman and chief executive of TrustWave, a Chicago company doing business as AmbironTrustWave, said it is harder for Level 4 merchants to attain compliance.

Unlike large businesses, he said, small ones "don't have a security person, so they're relying on third parties."

Still, the consequences of non-compliance can be more severe for them, since the fines for security lapses are not scaled down for small merchants. "The fines and fees associated with a hack can put them out of business," Mr. McCullen said.

The Ambiron software, Risk Profiler, asks the merchants a series of questions about how they handle data security to determine whether they are high-risk for a data breach.

Visa and MasterCard Inc. categorize merchants by the number of transactions they handle. The top category, Level 1, is for merchants with 6 million or more transactions a year. The smallest category, Level 4, is for those with fewer than 1 million transactions and fewer than 20,000 e-commerce transactions.

Other financial companies offer merchants the Ambiron software. The Dallas acquirer Chase Paymentech Solutions LLC, a joint venture of First Data Corp. and JPMorgan Chase & Co., has been offering it to Level 4 merchants since August.

Mr. Tilson noted that criminals can target any merchant, and that some of the high-profile breaches that affected big retailers in recent months could have happened just as easily at the shop next door. "All merchants are becoming more aware of data security issues," he said.
