This is the second of a two-part series examining security-compliance efforts and the role of ISOs in these efforts.
Many small merchants operating on thin profit margins are hesitant to spend more funds for a security-protection process that they may not understand, especially if they see it as yet another way for their ISO to wheedle money from them.
That is why ISOs' first responsibility is to educate their merchants, not just on Payment Card Industry Data Security Standard compliance and other security concerns but also on the consequences of failing to comply.
"I think ISOs see the value of educating clients on PCI compliance," says Michael Pettiti, chief marketing officer of Trustwave, a Chicago-based data-security company. "The ISO can say to its merchant, 'Hey, these are the things you should be thinking about.'"
Besides completing a self-assessment questionnaire and establishing a security policy, achieving compliance might include an annual scan of payment receipts and transactions. "That doesn't have to be a complex process," says Pettiti.
The complexity for merchants of reaching compliance with PCI requirements varies depending on the number of electronic transactions a business processes per month. Heavier transaction volume leads to more-stringent security requirements.
Third-Party Vendors
Pettiti advocates that ISOs and their merchants turn to vendors for help in the process, a move that potentially could bring more business to vendors such as Trustwave and Salt Lake City-based Panoptic Security Inc. Panoptic has a revenue-sharing program for ISOs when their merchants buy Panoptic's PCI-compliance services.
"I don't know how an ISO would accomplish PCI compliance with merchants without involving an external provider," says Pettiti. ISOs "are not certified to perform PCI work. They're much better off turning to someone who has expertise."
Some ISOs view the issue of going to a third-party vendor for security assistance as one that hinges on the size of the merchant. It is almost automatic for a large merchant and its ISO/processor to select an outside vendor because the PCI requirements for Level 1 and Level 2 merchants are more time-consuming and complex than those for smaller businesses. Level 1 and 2 merchants process substantially more transactions—at least 6 million per year—than their Level 4 counterparts.
"Most ISOs sell to people doing $5,000 to $10,000 a month," says Steve Norell of U.S. Merchant Services, a Port St. Lucie, Fla.-based ISO. "But selling to bigger merchants, you partner with third-party vendors."
The Merchant Decides
Yet Norell says it ultimately is up to the merchant to decide how much it wants to spend and how much effort should go into the PCI-compliance process. "All I can do is inform the merchant," he says. "What the merchant does with that material, whether he wants to believe it or not, that's his business."
The merchant needs to learn from the ISO the technical requirements of the compliance process as well as what its liability is for noncompliance, says Ayman Rida, president of Farmington Hills, Mich.-based ISO Netco Merchant Processing. "We have to explain to them the security reasons behind PCI and that they can be driven out of business by the fines," he says.
Pettiti says ISOs and acquiring banks can look at the security needs of a merchant from two perspectives. One is to reach PCI compliance. The other is to look at additional security technologies that are not necessarily part of the PCI process but nonetheless can further indemnify a merchant from having its payment system breached.
Third-party vendors offer such technologies. An ISO would find it difficult to provide such security programs on its own, since they usually go beyond the range of expertise of even the most sophisticated ISOs.
Additional security technology and protection systems also can help merchants remain compliant with PCI requirements, diminishing the potential for them to move to another ISO or processor. "That adds some stickiness to the merchant/ISO relationship," suggests Pettiti. "And it mitigates the situation where that merchant will move, so it cuts back the attrition rate in the ISO's portfolio."
While many ISOs charge merchants a fee for helping them gain PCI compliance, not all do. Rida is more interested in building trust and long-term relationships with Netco's merchant clients than he is in making a buck off of security assistance.
"We educate our salespeople to use PCI compliance as a sales tool," he says. "I don't charge the merchant anything. We help them get educated on the security issues."
It is up to each ISO to evaluate how security can best be used to enhance the value of its business, whether through building long-term relationships or creating a new revenue stream. Either way, the trend toward tighter security of card-payment systems can be parlayed by an ISO into a means to strengthen its enterprise.