Efforts by card companies and trade associations to compel merchants to make their electronic payment systems more secure can translate into a real financial boon for ISOs.
The hyped-up pressure placed on merchants by the card brands to comply with the Payment Card Industry Data Security Standard can open a door for ISOs to increase revenues by helping their merchant clients refit their card-payment systems to meet industry guidelines. It also affords ISOs the opportunity to cement their relationships with existing merchant clients and diminish the likelihood they will switch processors.
The Wakefield, Mass.-based Payment Card Industry Security Standards Council issued an updated version of the PCI standard, known as version 1.2, on Oct. 1. While the most recent version of the standard entails no major new requirements, it does offer clarifications and explanations for merchant security requirements, including guidelines for third-party vendors, labeled qualified security assessors.
Smaller firms, known as Level 4 merchants, may need the most assistance from ISOs in keeping their equipment and payment processes compliant. Level 4 merchants process 20,000 or fewer annual card transactions.
Many ISOs view the need to assist merchants in becoming PCI compliant and protecting against fraudsters "as more of a business opportunity than they used to," says Mike Pettiti, chief marketing officer of Trustwave, a Chicago-based data-security company. "Of everyone from the merchant through the whole payment system all the way up to the card brands, the ISO is the one that has learned the most in the last year or so how this can be a business opportunity. And it's not only a business opportunity, but a competitive edge as well," he says.
Working With Vendors
One of the key questions facing an ISO when it offers to help a merchant become PCI compliant is whether to do the work itself or to employ a third-party vendor. The answer often boils down to cost and whether the ISO can afford to pay a vendor for security management on behalf of a merchant.
Heartland Payment Systems Inc., a Princeton, N.J.-based ISO and processor, uses Trustwave to conduct security monitoring and audits for its merchant clients. Trustwave bills Heartland for the services, and the ISO passes on the cost to its merchants. But unlike some ISOs, Heartland does not use the service to generate extra revenue. "It's a cost that we pass on without markup," says Robert Carr, Heartland's CEO. "We're not in the nickel-and-dime business."
For some smaller ISOs, the third-party route does not make financial sense.
"I did consider it, but the cost per merchant was too high for me," says Ayman Rida, president of Farmington Hills, Mich.-based ISO Netco Merchant Processing. "Most of my merchants are pretty small."
Yet at least one third-party vendor, Salt Lake City-based Panoptic Security Inc., is willing to set up a payment scenario with ISOs where the ISO and the vendor split the revenue they receive from a merchant purchasing Panoptic's PCI-compliance services.
"Panoptic has a philosophy of revenue sharing," says Tim Cranny, Panoptic's president. ISOs can set the fee they charge merchants for security-compliance services and then share a portion of that fee with Panoptic, he says.
"We split the money with them," says Cranny, adding that his company and the ISO work out the fee-sharing arrangement in advance. The fee to the merchant can be as low as $8 a month for the service of helping the merchant fill out a self-assessment questionnaire, the basic requirement of Level 4 merchants under PCI DSS, says Cranny. (The questionnaire is a tool offered to help merchants and service providers assess compliance with the PCI DSS.)
The ISO deals directly with the merchant under this arrangement, while Panoptic provides the service and remains in the background. It can entail as little as an hour of work, but for the ISO "there are monthly residuals forever more," says Cranny.
Filling out a questionnaire, however, is not all that merchants must do to remain compliant. A merchant must have a security policy, something many small businesses have never contemplated, and once security issues arise, the problems or infractions must be remedied. Again, these steps do not come easily to small merchants, so ISOs can play a role in this arena as well.
Noncompliance can result in a fine that can reach tens of thousands of dollars. The processing bank, which is held liable by the card brands, can hold the ISO liable. The ISO can seek to recover the penalty fee from the merchant, but smaller merchants may be unable to repay the funds.
"The ISO will be responsible [for security breaches] at the PIN pad or terminal," says Netco's Rida, "and then I shift the liability to the merchant. But the question is, 'Can the merchant handle the fine?' It's important for both the merchant and me to be compliant with PCI and all the security rules. And if I help the merchant become compliant, it creates trust."
Panoptic's Cranny says that some ISOs care about PCI compliance and see the added revenue they can reap from building security systems for merchants as a bonus. Other ISOs, he adds, see the additional revenue as the priority and the beefed-up security as the bonus. "The majority of ISOs are acutely aware of the risk and exposure they have and are actively looking for a solution. And some are more aware of the opportunity it presents than of the pain that could result if they are not compliant," says Cranny.
Another opportunity that security issues create for ISOs is earning revenues by selling insurance. ISOs can offer security theft insurance to customers and mark up the cost to generate revenue, just as some ISOs do for merchant security-consulting services.
Some ISOs worry that other ISOs might take advantage of merchant ignorance or uncertainty over PCI standards to bilk their clients.
"In my opinion, the whole PCI compliance thing is all very nice, but it's a bunch of mumbo-jumbo," says Steve Norell of Port St. Lucie, Fla.-based ISO US Merchant Services. "Some merchants have heard of it, but they don't know what it means. A lot of ISOs will see it as a way to make bucks through scare tactics."
Even if an ISO informs a merchant that there is a $25,000 fine for failing to protect its payment system adequately from a security breach, the merchant "thinks it's just a ploy to get you to spend more money," Norell suggests. "All I can do is inform the merchant. What a merchant does with that material, whether he wants to believe it or not, that's his business."
The second part of this article next week will examine the value of merchant education and security compliance.