It's Value Vs. Revenue In Security-Fee Debate


Maintaining data security and generating additional revenue are among the most widely discussed industry topics of the past year. Increasingly, the two discussions are becoming intertwined as more ISOs are charging their merchant clients fees related to Payment Card Industry data-security standards compliance.

ISOs, however, have differing views on the trend.

Providing value to merchants should be the primary goal for ISOs that offer data-security services to their clients, not generating additional revenue, some observers contend. Others believe charging merchants security-related fees can help increase revenue and data-security standards compliance within ISOs' portfolios.

Though most ISOs do not yet provide security services, some resell them from third-party vendors to help their merchant clients comply with the PCI security standards. Those ISOs typically charge merchants for such services, but the fees vary by company.

"Our philosophy is not to lead with a revenue-generating approach," says Joan Herbig, CEO of ControlScan Inc., an Atlanta-based provider of PCI compliance and security products for small and midsize merchants. "We lead with the idea that a security program helps the merchant and makes them more secure."

Some ISOs, however, instruct merchants to become PCI compliant but do not provide security services and charge them fees for failing to comply, says Valissa Kelly, vice president of sales and operations at Avid Payments, a Birmingham, Mich.-based ISO. "We are seeing it out there in the industry," says Kelly.

A broad range of ISO strategies exists to increase PCI compliance among merchants, says David Taylor, founder of PCI Knowledge Base LLC, a Highland Village, Texas-based research firm focused on payment-data security. "Some people say, 'Fine the crap out of them because they won't pay attention to us if we don't.' Then there is the kinder, gentler approach of educating them," he says.

ISOs' motivation involves both revenue and providing value for merchants, says Wenlock Free, vice president of business development at SecurityMetrics Inc., a Salt Lake City-based provider of PCI security products and services. "More than not, ISOs are interested in doing what is right, and if there is revenue to be had, that's great, too," Free says. "Unfortunately, PCI has been painted with the greed brush."

When comparing an emphasis on revenue versus service, "the scale doesn't lean in one direction or the other," says Sean Fury, SecurityMetrics director of business development. "Just as many ISOs see this as an opportunity to increase the revenue stream as they do as an opportunity to increase safety of merchants."

 

SECURITY-RELATED FEES

Organizations can choose to charge two separate fees for security-related services, says Free. "The first is a compliance fee [to cover the cost of] vendor services. The second is a noncompliance fee that is an encouragement or enticement to become compliant," he says.

The compliance fee typically is a monthly or annual payment. ISOs generally stop charging merchants noncompliance fees once they become compliant. The prices ISOs set for each fee and the amount of revenue they earn from them vary by company, Free says.

Charging penalty fees motivates reluctant merchants to become compliant with security standards, some industry players contend.

Though a minority of merchant-service providers charge clients data security-related fees, more providers likely will begin doing so, industry professionals generally agree.

Approximately "10% to 20% of service providers" charge fees related to data-security services, says Taylor. "It's not the majority" of service providers charging fees for such services, but "it's certainly going to double or triple from where it is now," he predicts.

ISOs that charge both fee types have more compliant merchants in their portfolios than those that do not, notes Free. The noncompliance fee is "the motivator," he says.

Indeed, interest in reselling PCI standard-compliance services is "growing" among ISOs, says Herbig. "We have seen dramatically more interest from ISOs and banks that's driven by the mandates coming down from the card companies that require merchants to become PCI compliant," she says.

 

MOTIVATED MERCHANTS

Charging merchants fees "makes a tremendous difference" in boosting compliance levels, agrees Doug Klotnia, general manager of the compliance division at Trustwave, a Chicago-based payment-security company. Encouraging merchants to adopt more-secure technology and operations and offering them optional third-party security services was not effective at boosting compliance rates for many service providers, he says.

Once ISOs levied fees and made security programs mandatory, "the merchants behaved differently," Klotnia says.

There is "quite a range" in the amounts that ISOs charge merchants for data security-related services, says Fury. The average fee is roughly $75 to $100 annually, he estimates.

Providing motivation for merchants to become PCI compliant is important because few small merchants are compliant with PCI data-security standards, and many are unaware of the standards, industry professionals generally agree.

Visa Inc. estimated PCI compliance among Level 4 merchants was "moderate" as of June 30. Visa defines Level 4 merchants as those that process fewer than 1 million Visa transactions annually. Visa could not provide more detailed or more recent information regarding Level 4 compliance.

Not all merchants are "aware of PCI compliance," says Jim Anderson, CEO of Electronic Commerce International Inc., a Las Vegas-based ISO. "We have had to instruct some clients to Google it."

Part of the problem is small merchants' overall lack of awareness, says Klotnia. "Most don't know what data they store or don't store. There's a lack of understanding of the payment process and a lack of understanding that small merchants are being breached," he says.

This past summer, only 62% of small merchants were validated as PCI-compliant, and 86% were "very" to "somewhat" familiar with the PCI Data Security Standard, according to a small-merchant study released in August by ControlScan, PCI Knowledge Base and the National Retail Federation.

The organizations conducted the online merchant survey in July. Roughly one-half of the 220 merchant respondents process fewer than 100,000 card transactions annually.

Of the 29% not yet compliant, 44% were working to become compliant, 26% did not have the financial or technical resources to be compliant, and 19% did not understand the standard, according to the report "What Small Merchants Know (And Don't Know) About PCI Compliance." Nine percent of respondents were unsure if they have been validated as PCI compliant.

Merchants additionally are not technically savvy, which can hinder their ability to become PCI compliant, note observers.

The self-assessment questionnaire that should assist merchants in evaluating their compliance with PCI standards can be "daunting," says George Peabody, a principal analyst at Maynard, Mass.-based Mercator Advisory Group. "They will start it and get overwhelmed with it because many of them don't have internal [information-technology] staff," he says.

 

EMPHASIS ON VALUE

Not all companies are comfortable charging merchants security fees without providing them compliance support, and some industry insiders view noncompliance fees primarily as revenue drivers.

With a noncompliance fee, service providers "are just adding this fee in there and not helping clients" become compliant with security standards, says Anderson. "We don't feel comfortable doing that," he says, noting he knows of several companies charging such fees.

Electronic Commerce International began a mandatory security program in April for its merchant clients, Anderson says. Merchants pay $9.95 per month and receive security-related support and services from ControlScan, which is Electronic Commerce International's third-party vendor for data-security services. The ISO generates some revenue from the security program, says Anderson.

Some merchants are paying monthly noncompliance fees to their service providers yet remain unfamiliar with the PCI security standards, says Kelly. "They do not know what it is, and we look at their statement and they are getting charged with it," she says. "We know some competitors are out there saying to their merchants they are required to be PCI compliant" and charging them fees without providing help, says Kelly.

Avid Payments in July started a mandatory security program that costs merchants less than $100 annually, says Kelly. SecurityMetrics works with Avid Payments to provide the ISO's merchants with compliance support and services.

"Our goal is not to increase revenue. Although we are generating some revenue, most of [the fees] go to education and security," she says, adding the industry is hurt by ISOs that charge merchants fees but do not provide security support.

While many security programs are mandatory, some ISOs are offering optional services.

The security programs available at Century Payments Inc. are optional because the ISO did not want to charge merchants if they did not use the service, says J.T. Dominick, senior vice president of the Frisco, Texas-based ISO. Century Payments derives no income by providing the security services to merchants, which pay $9.99 or $14.99 per month depending on the security package they choose, he adds.

Instead of creating a security program that is a revenue driver, "we provide value," Dominick says, calling it a "competitive advantage in the market."

The feedback from merchants has been favorable, Dominick adds. "They like that it's optional," he says, adding he has seen few other service providers offering optional security programs. "A lot of merchants are getting hit with increasing fees from PCI compliance," and many do not understand PCI or the fees, Dominick says.

 

SELECTING A VENDOR

ISOs that choose to offer merchants a security program from a third-party vendor should evaluate closely which vendor best matches their needs, note industry observers.

ISOs create a "deadly combo" if they force merchants to pay for a service and then give merchants a vendor that does not provide a valuable program, says Klotnia. "You made the merchant do something, did not give them a choice and gave them a subpar vendor. It is not a good situation."

Working with a vendor, however, often is a good choice for small ISOs because they do not have the resources to staff a help desk or call center to handle merchants' security questions, says Herbig.

Avid Payments began searching for a security vendor by evaluating vendors' reputations in the industry and what they could provide merchants, says Kelly. It was important for the ISO to find a vendor that could "provide everything our merchants possibly could need" and allow her team to focus on sales and client service, she says.

For Electronic Commerce International, the deciding factor in choosing a vendor was ease of use for the customer, says Anderson. "If [the program] was hard or complicated, our compliance rate would still remain very low versus if it is easy to use. Then customers wouldn't be scared to become compliant," he says.

ISOs most often ask SecurityMetrics about price, says Fury. The second most frequently asked question deals with the types of services the company offers. "They want a checklist of services we will offer" that will help merchants become PCI compliant but will not require the ISO to become a security expert or expend additional resources, such as answering merchants' security-related questions, he says.

Choosing a vendor that will provide what an ISO needs for its merchant clients is worth the effort because ISOs that offer merchant-security services have an opportunity to add additional value to their client relationships, industry insiders say.

"From a merchant standpoint, it is a value if you understand that it is helping you protect your business," says Kelly. Merchants will suffer financial losses if a data breach occurs, and they typically value ISOs that help them avoid such costs, she says.

The debate among ISOs over the types of merchant-security fees (compliance, noncompliance or no fees) is likely to continue as service providers seek a balance between requiring merchants to pay security-related fees and providing valuable PCI education and support to their clients.


MORE FROM AMERICAN BANKER