A number of Payment Card Industry Data Security Standard (PCI DSS) compliance programs are beginning to prove their value, a consultant said.
The compliance programs, offered by independent sales organizations and acquirers, emerged within the past few years as acquirers received pressure from the card brands to increase compliance among smaller merchants.
Acquirers typically assess merchants a monthly or annual fee for the programs and merchants receive a variety of services, including scans to identify potential security holes and assistance in completing self-assessment questionnaires required by the card brands.
Compliance program fees vary, and some ISOs and acquirers are not charging merchants for these services.
"About a year and a half ago, people were ignoring" compliance programs, "but they charged for them anyway," said Deana Rich, president of Rich Consulting in Van Nuys, Calif.
That has changed. Many payments companies have set up in-house procedures to ensure merchants receive the service they pay for, said Rich, who advises payment companies about risk and security. The payments security companies contracted to provide the compliance evaluation service are reaching out to merchants in a variety of ways, such as calling them.
Merchants "are paying a fee, but they are getting a service," she said.
Rich said ISOs have become aware of the necessity of ensuring their merchants comply with the PCI data security measures, especially if merchants question what the fees are for.
"ISOs really understand there are repercussions if they don't provide something [worthwhile] to their merchants," Rich said.