A recent study of Payment Card Industry Data Security Standard (PCI DSS) compliance among large merchants is also useful for educating independent sales organizations (ISOs) and the smaller merchants with which they typically work, observers note. ISOs should educate themselves not only about their specific markets but also about all aspects of data security and compliance in the payments industry, so that they can better serve their clients and help ensure that all merchants protect card data, they say.
The study found that only 2% of large, Tier 1 businesses fail compliance audits and 98% pass. However, 41% rely on compensating controls to meet PCI requirements, according to “PCI DSS Trends 2010–QSA Insights.” A compensating control is an alternative measure a merchant may adopt to achieve compliance with the standard when it is unable to meet a requirement as written; a qualified security assessor (QSA) must approve the control.
The Ponemon Institute, a Traverse City, Mich.-based research group, surveyed 155 qualified security assessors for the report. A Tier 1 merchant processes more than 6 million Visa transactions annually, and Visa requires qualified security assessors to complete annual reports on compliance for such retailers.
While ISOs typically work with smaller merchants, the results of the report can “serve as a body of knowledge they can use to better protect cardholder data” for their organizations and clients, says Kevin Bocek, director of product marketing at France-based Thales. “Merchants of all sizes need to focus on restricting access to cardholder data, whether stored electronically or written on paper,” he says.
Indeed, knowing the state of PCI compliance among many large merchants can enable ISOs “to ask the right questions in contract negotiations and ensure they are partnering with a company that takes compliance seriously,” says Larry Ponemon, Ponemon Institute chairman and founder.