IMGCAP(1)]
This article appears in the April 30, 2009, edition of ISO&Agent Weekly.
Getting merchants to protect their payment systems not only can defend transactions from would-be thieves, but it also can reduce headaches and financial losses for ISOs and sales agents.
At Electronic Commerce International Inc., a Las Vegas-based ISO, CEO Jim Anderson believes there is a story to tell about security and payments. His ISO is putting together a "storybook" guide that defines the Payment Card Industry Data Security Standard, explains why it is important and acknowledges its role in securing a payment network.
The ISO will use the guide to train agents on how to educate merchants, Anderson tells ISO&Agent Weekly.
"As long as we can educate the merchant, it makes sense," Anderson says. Ideally, Anderson would like all of Electronic Commerce's merchant clients' employees to have some payment-security training.
Electronic Commerce's security vendor, ControlScan Inc., an Atlanta-based company, has developed training videos for merchant employees, Anderson says. Merchants then require the employees to sign a statement confirming they watched the videos.
Such documentation is a good safeguard, it but will not absolve a merchant of liability in a breach, Anderson notes.
Education At Work
Indeed, the merchant is ultimately responsible for ensuring the integrity of its payment system, but "it is our responsibility to educate merchants," at First American Payment Systems LP, a Fort Worth, Texas-based ISO, says Kevin Jones, vice president of sales and marketing, says
As word spreads of breaches, such as those reported by RBS WorldPay and Heartland Payments Systems Inc, some merchants pick up on that, Jones says.
First American counsels it merchants that it is unwise to proclaim a payment system immune to breaches, Jones says.
"What we have to do is our very best to reduce the odds of a breach," Jones tells ISO&Agent Weekly. Part of that process is to be upfront with merchants about security issues and what they can do to help, Jones says.
Striking a balance between informing the merchant about payment security and compliance requirements and not scaring away the merchant is a constant challenge, says Todd Ablowitz, president of Double Diamond Group, a Centennial, Colo.-based consulting firm.
"Everything changed with recent, highly-publicized breaches," Ablowitz says. "It's almost as if, if you don't mention it and (just) talk about ways to secure data, you could lose the sale. If you're not talking about it, your competitor will be."
