Ensuring Merchants Are PCI-Compliant Costs ISOs Time, Revenue, Say Observers

Despite help from trade groups, ISOs find that ensuring merchants meet payment card industry security standards remains time-consuming and costly, observers say. Panelists discussed how ISOs deal with the challenge at the Western States Acquirers Association Conference last week in Scottsdale, Ariz.
Everyone in the payments industry—including ISOs and agents—should work to prevent theft and unauthorized use of sensitive consumer payment information, according to the Wakefield, Mass.-based Payment Card Industry Security Standards Council, which administers the Payment Card Industry Data Security Standard (ISO&Agent Weekly, 5/15). ISOs are on the front lines to teach merchants about PCI compliance, and agents often try to persuade merchants to spend time and money to comply with the standards.
The council this year launched three initiatives to help merchants comply with the standard (ISO&Agent Weekly, 5/15). It released updated self-assessment questionnaires, compiled a list of compliant PIN-entry devices and adopted the Payment Application Data Security Standard, which is intended to help software developers secure payment applications.

Compliance Challenge

"Compliance has caused slower growth" for ISOs, says Steve Christianson, president and CEO of AAmonte Bankcard, a Palm Desert, Calif.-based ISO. ISOs cannot focus on growing sales when they are focusing on PCI compliance, he says.

PCI compliance has had a "significant impact" on ISOs, says Jim Fink, chief marketing officer at EVO Merchant Services, a Long Island, N.Y.-based merchant-services provider. Gaining merchant compliance involves a sizable time commitment from ISOs, he says.
"We have to go out and have a touch point with all of our merchants to get them compliant," Fink says.

ISOs also lose revenue because of compliance-related merchant attrition, Fink says. Some merchants with noncompliant software may choose to leave an ISO instead of paying to upgrade at the ISO's request, he says.
Cost to ISOs "comes from merchants with noncompliant software that they need to upgrade. But merchants are reluctant because of the costs," Fink says.

Regulations Necessary

Though ensuring merchant compliance with the PCI standard can present challenges for ISOs, those that can teach merchants about compliance provide a valuable added service, says Brian Anderson, director of the Western States Acquirers Association and president of POS Card Systems, a Redwood City, Calif.-based merchant-services provider.
"Go out to merchants and educate them and educate yourself," says Anderson. "You will maintain those accounts. Those without knowledge will burn their bridges."

Despite the difficulties, ensuring merchant compliance with PCI regulations is necessary "because of the creeps out there" attempting fraud, agrees Christianson.
A PCI council spokesperson did not respond by ISO&Agent Weekly's deadline to requests for comment regarding ISOs' concerns about helping merchants comply with PCI.
The council released version 1.2 of the Payment Card Industry Data Security Standard Wednesday. The latest version is an update of version 1.1, which the council released in 2006.
"The majority of what's changing in here is clarifications and further defining what we actually mean when we say you need to do something on a relatively frequent basis," says Bob Russo, the council's general manager (ISO&Agent Weekly, 9/11). The council plans to update the standard every two years.
