IMGCAP(1)]
With a critical Visa Inc. security deadline about seven months away, independent sales organizations are reassessing their efforts to gain merchant compliance with the Payment Application Data Security Standard. Visa has set a July 1 deadline for acquirers to ensure that all new and existing merchants use PA-DSS-compliant software, which often includes Web site shopping-cart and online-payment applications. Some ISOs have made compliance mandatory, while others have let merchants set the pace for compliance. Regardless of the approach, the goal is to secure compliance without losing the merchant. The hazard is that as once an ISO or acquirer mandates compliance, a competitor could tell its merchants not to worry and persuade them to switch service providers. Speaking at last week's Electronic Transactions Association Compliance Day conference in Chicago, Mike Cottrell, vice president of business development at TriSource Solutions LLC, a Bettendorf, Iowa-based ISO, said his company's approach, which is to mandate compliance, resulted from a series of four merchant breaches a few years ago. The card brands collectively assessed the merchants more than $500,000 in fines, he said. "We didn't collect all of that from the merchants," Cottrell said. Some of the merchants failed, leaving TriSource to pay. In its compliance effort, Merchant Warehouse Inc., a Boston-based ISO, has used messages in merchant statements and nuisance fees it will waive if the merchant completes the self-assessment questionnaire used to determine vulnerability. "We'd like our merchants to be compliant, but at the same time, how do you do that without driving them away?" asked Henry Helgeson, Merchant Warehouse co-CEO.
