ISOs, Acquirers No Longer Hesitant In Crafting PCI Compliance Plans

Only acquiring banks and the largest ISOs have to file formal written plans with the card brands to explain how they intend to bring the nation’s 5 million small retailers, restaurateurs and other mom-and-pop businesses into compliance with Payment Card Industry data security standards. But everybody in the credit and debit card “food chain” feels the sometimes-unpleasant effects of those plans.


In fact, the plans the industry’s big players file are designed to cover the smaller ISOs, Visa Inc. officials say. Naturally, all of the plans’ provisions flow downhill to the merchants that accept cards for payment.

Visa, for example, in 2007 started requiring its acquirers to formulate plans for addressing small-merchant compliance, a stipulation intertwined with a bigger push in the past 18 months to bring Level 4 merchants–the largest merchant group but with the fewest card transactions–into PCI compliance, observers say.

Some 96% of the largest, Level 1 retailers have achieved PCI compliance, according to Visa, which hesitates to provide such a precise percentage for Level 4 merchants. The best description Jennifer Fischer, Visa senior business leader for U.S. payment risk, offers for the success rate among small merchants is the vague characterization of “moderate.”

But companies required to submit the plans complain that the assignment remains vague, and Hauppauge, N.Y.-based TransFirst Inc. is no exception. Steve Cadden, TransFirst chief operating officer, describes the company as “a super ISO on the way to becoming a processor” and says the brands require it to submit compliance plans.

The card brands convey their expectations for the plans in “broad brush strokes” and fail to “go the record” about what to cover, Cadden says. “It’s a little frustrating,” he says. “You have to come up with it on your own.”

“One size doesn’t fit all,” counters Visa’s Fischer. “Some have thousands of Level 4 merchants. We weren’t overly prescriptive; we provide guidance on how to prioritize and ask how they are progressing.”

The task of complying can vary greatly among small merchants because some use simple stand-alone terminals that receive verification over phone lines, while others use integrated payment applications that operate on the Internet, Fischer says. 

For small ISOs, helping merchants comply can take on the characteristics of a do-it-yourself project.

Some staffers at Arlington Heights Merchant Banc spend half their working hours on PCI-related issues, including fielding complaints from merchants that have problems when they try to comply, estimates Gary Peterson, president of Mount Prospect, Ill.-based Arlington Heights Merchant Banc. “You have people calling in and yelling at you,” Peterson says.

He spends much of his own time contacting merchants to alert them to the importance of trying to prevent data breaches by complying with PCI. Other times, he personally guides his customers through the PCI self-assessment questionnaire they have to complete as one of the compliance requirements.

Just the same, the ISO loses about 20% of the merchants that encounter PCI-compliance problems, Peterson says. Some of those customers shift their transactions to ISOs who promise impossibly easy PCI compliance, either from ignorance or as outright lies, he contends.

“I’ve lost multiple merchants because of this,” Peterson says. “I take that very personally.”

Besides, the time spent dealing with PCI is time Peterson says he cannot use to seek the contracts with new merchants that he needs to grow his business.

Processors live in ivory towers and remain clueless about the day-to-day struggles of retailers, thus failing to realize they should do more to help ISOs deal with compliance, Peterson says.

Visa’s Fischer counters that view, however, saying the card company spreads information on PCI compliance by publishing best practices to aid ISOs in their task of reaching out to merchants.
