Merchants Face a Double Whammy

  As more states face growing public pressure to protect consumers from debit and credit card fraud, even merchants' garbage has become fair game. As this month's Cover Story notes, Texas' attorney general, Greg Abbott, has been especially vigilant in going after merchants who toss unshredded documents containing sensitive consumer data in dumpsters behind their stores.
  Minnesota and other states also are passing or are considering laws that hold merchants financially liable for breaches of their customer data. Combine those efforts to protect citizens with that of the major card brands to enforce the Payment Card Industry Data Security Standard, and costs could add up quickly for retailers that run afoul of state laws and industry rules designed to safeguard consumer information.
  This is especially true for merchants that accept Visa-branded cards. Starting this month, acquirers for merchants that handle more than 1 million Visa transactions annually that are not PCI-compliant will see their interchange rates raised a tier. Acquirers pass their interchange costs on to their merchant clients as part of the discount rate.
  Visa also plans to separately fine on a monthly basis acquirers of noncompliant Level 1 merchants, which handle at least 6 million Visa transactions yearly, starting this month until the merchants become PCI-compliant. In January, Visa plans to start fining acquirers of noncompliant Level 2 merchants, which handle from 1 million to 6 million Visa transactions annually. Expect the acquirers to pass their fine costs along to merchants as well.
  Acquirers can have the preferred rates restored if the merchants become compliant by Sept. 1, 2008. Visa also will provide acquirers a refund equivalent to a three-month period of higher interchange when merchants comply by that date.
  Despite these mounting pressures on merchants, there are suspicions among some independent sales organizations that their interests in helping merchants comply are being used against them by competitors who downplay PCI compliance to grow their merchant bases. It's doubtful any ISO would admit to this practice, and let's hope those suspicions are not true. Otherwise, the ISO industry once again will need to weed out its bad apples as it did for the most part a decade ago.
  (c) 2007 Cards&Payments and SourceMedia, Inc. All Rights Reserved.
  http://www.cardforum.com http://www.sourcemedia.com