Compliance among small merchants with the Payment Card Industry Data Security Standard remains relatively low, but ISOs may be able to increase compliance rates in their portfolios by launching multifaceted campaigns, some industry insiders suggest.
Some acquirers are requiring their merchants, regardless of size, to become compliant with the standard, and merchants may face fines and fees if they do not comply. As part of that effort, ISOs often must work closely with merchants to educate them about security standards.
“The reality is PCI compliance … is fairly technical,” says Steven Cartwright, chief financial officer at American Payment Systems, an Omaha, Neb.-based ISO. Many merchants do not understand what happens to payment data after they complete a transaction, he notes.
“We process their cards, and they rely on us” for information about payments, says Cartwright, who recently increased PCI compliance among the ISO’s merchants to roughly 50% from 10% with a targeted phone call campaign.
Overall PCI compliance rates among small merchants remain low, says Cliff Gray, an associate and merchant-processing and product-services expert with The Strawhecker Group, an Omaha, Neb.-based consulting firm. The compliance rate among Level 4 merchants “has not budged for a couple of years. Optimistically, it’s maybe 10%,” he says. Visa Inc. defines Level 4 merchants as those that process fewer than 1 million Visa transactions annually.
Visa estimated PCI compliance among Level 4 merchants as “moderate” as of June 30. Visa did not provide more current Level 4 compliance rates by deadline.
Passive Versus Aggressive
Passive outreach campaigns are not very effective at boosting compliance rates, says Gray. Instead, “ISOs need to change and be more pressing,” he says. “If you really are going to be successful [at increasing PCI compliance], you have to be aggressive in reaching out to merchants.”
“A multipoint attack seems to do the trick” for increasing small-merchant compliance with security standards, says David Abouchar, senior director of product management at ControlScan Inc., an Atlanta-based company that sells PCI compliance and security products for small and midsize merchants. A multipoint attack may include e-mail messages, mailers and phone calls to merchants about data-security regulations.
ISOs should communicate with merchants on a regular basis about data security and compliance, adds Heather Foster, ControlScan vice president of marketing. “You have to hit them over the head with it because taking action is the biggest hurdle in PCI compliance,” she says.
While a more aggressive campaign may help an ISO increase compliance among its clients, “I don’t think anyone in the industry believes 100% [compliance] is achievable in Level 4. No one is achieving that,” says Abouchar. “Certainly, we think it is feasible to achieve well over 50%.”
Though aggressive campaigns tend to yield better results than do more passive ones, the ISOs “that are being aggressive are exceptions to the rule by far,” says Gray, noting many companies believe they do not have the time or resources to launch multipoint campaigns.
Telephone Contact
American Payment Systems increased compliance with the PCI Data Security Standard among its roughly 1,200 merchant clients to 48% in January from roughly 10% on Oct. 1 with a phone-call campaign, according to the ISO.
The ISO began the calling campaign Oct. 1 after trying a direct-mail campaign for three months that yielded less-successful results.
“When you send [merchants] a letter, it’s a passive contact that they can set aside,” but a phone call is harder for them to ignore, says Cartwright.
The ISO offers its merchants PCI-compliance services from ControlScan. American Payment Systems handled the direct-mail initiative internally but used ControlScan to facilitate the phone-call campaign because the ISO could not manage it in-house.
“We have got 1,100 to 1,200 merchants and 10 employees to manage those merchants,” Cartwright says.
A phone-call campaign likely is more effective at increasing compliance rates among small merchants because “you have instant two-way communication,” says Gray. Many small merchants believe the PCI requirements are highly technical, and they “are so scared and see an e-mail and think it is too complex. But they get a phone call and an explanation and they think they can manage it,” he says.
Gray recently consulted with another ISO that includes a PCI discussion with every telephone contact the company has with its merchants, and the ISO also has experienced a rise in compliance rates.