This article appears in the Nov. 19, 2009, edition of ISO&Agent Weekly.
With a critical Visa Inc. security deadline roughly seven months away, ISOs are reassessing their efforts to gain merchant compliance with the Payment Application Data Security Standard that governs payment software.
Visa has set a July 1 deadline for acquirers to ensure that all new and existing merchants use PA-DSS compliant software, which often supports online shopping carts and payment acceptance.
Some ISOs have made compliance mandatory for their clients, while others have attempted to gain compliance at the merchant's pace. Regardless of the approach, the ISOs' goal is the same: Gain compliance without losing the merchant.
A hazard is that as one ISO or acquirer mandates compliance, a competitor could tell a merchant not to worry about becoming compliant and persuade it to switch service providers.
Speaking during a panel presentation at last week's Electronic Transactions Association Compliance Day in Chicago, Mike Cottrell, vice president of business development at TriSource Solutions LLC, a Bettendorf, Iowa-based ISO, said his company's approach was born out of a series of four merchant breaches a few years ago. The card brands collectively assessed these merchants more than $500,000 in fines, he said.
"We didn't collect all of that from the merchants," Cottrell said. Some of the merchants failed, leaving TriSource to pay.
Beginning in May 2008, TriSource started a mandatory compliance program to avoid paying failed merchants' fines.
The ISO automatically enrolls merchants in its compliance program unless they provide evidence they use another qualified vendor, Cottrell said.
In the 18 months since its start, the program has garnered a 27% compliance rate.
"We have a good start," Cottrell said, noting the ISO could tie only 1% of merchant attrition to compliance issues.
Merchant Warehouse Inc., a Boston-based ISO, has relied in its compliance effort on messages in merchant statements and on nuisance fees, which it will waive if the merchant completes the self-assessment questionnaire that helps determine vulnerability.
"We'd like our merchants to be compliant, but at the same time, how do you do that without driving them away?" asked Henry Helgeson, Merchant Warehouse co-CEO, at the ETA event.
Merchant attrition increased slightly when Merchant Warehouse started its compliance program, but it has not reached more than 1.5%. "It's not major," Helgeson said.
Even with incentives and explaining to merchants why they should comply, adoption of sound compliance and security protocols still hinges on the merchant.
Sixty percent of Merchant Warehouse's 80,000 merchants failed to log on to the ISO's compliance site despite knowing they could be penalized for not doing so, Helgeson said. Of the 40% that did log on, 82% were compliant within 60 days, he said.
Still, Merchant Warehouse has not adopted a harsher approach. "Our approach has been to be a little softer than we'd like it to be," Helgeson said.
Advant-Garde Marketing Solutions Inc., a Dallas-based ISO, is emphasizing merchant education over profits and revenue, said panelist Michael Varian, Advant-Garde chief information officer. "We want to drive compliance rates rather than just generate profit and revenue," he said.
Part of the method means the ISO teaches sales agents the fundamentals of compliance so they can "speak intelligently and confidently about PCI," Varian said. "We want them to have a lot of knowledge and be able to refute misconceptions about PCI," he said.
All three ISO executives agreed that sales agents need a financial reward tied to compliance programs to get them to talk to merchants about them.
TriSource sales agents receive a portion of the $13.99 monthly compliance fee, said Cottrell.
"If you don't share the PCI-related revenue with agents, you're going to lose them," Helgeson said.










