This article appears in the July 30, 2009, edition of ISO&Agent Weekly.
The response among small merchants to the industry's data-security campaign has been limited, and that is likely because many are unaware of the threats they face, according to James Taylor, vice president of alliances at Trustwave, a Chicago-based data-security company.
Smaller merchants "do not understand what cardholder data" they store and process, and "they don't know the risk of compromise," Taylor said last week at the Midwest Acquirers Association conference in Lombard, Ill.
ISOs and acquirers can help boost merchant understanding of security dangers and regulations by implementing programs that address the issues, noted Taylor.
Merchants that do not understand data-security risks often are unwilling to upgrade to compliant products and services, according to observers. ISOs and service providers that mandate merchant clients become compliant with security regulations may see increased attrition from merchants unwilling to update their methods, terminals and software.
More than 90% of data compromises occur at Level 4 merchants, Taylor said. Level 4 merchants are those that process fewer than 1 million Visa Inc. transactions annually.
After a data breach, a Level 4 merchant "very often" will not survive because of the costs, such as legal fees and fines, associated with a breach, said Taylor.
Not only are Level 4 merchants among the most breached entities, their compliance with the Payment Card Industry Data Security Standard is "low," according to Jackie Jason, senior account executive at Visa Inc. A Visa representative did not provide detailed data regarding Level 4 merchant compliance by ISO&Agent Weekly's deadline.
Ninety-three percent of Level 1 merchants, which process more than 6 million Visa transactions annually, were compliant with the standard as of March 31, according to Visa. Of Level 2 merchants, which process between 1 million and 6 million Visa transactions annually, 88% were compliant. More than half, 57%, of Level 3 merchants were compliant. A Level 3 merchant is an e-commerce business that processes between 20,000 and 1 million Visa transactions annually.
None of the compromised entities was compliant with the PCI standard at the time of the attack, said Jason. In some cases, the entity had been compliant with the standard at one point but had fallen out of compliance by the time the attack occurred, she said.
PCI "is not a diet," Jason said, comparing lapsed compliance to consumers who use crash diets to shed excess pounds quickly but typically gain them back. Instead, PCI is "a lifestyle change" that merchants must maintain at all times.
'Clear And Concise'
To increase smaller merchants' awareness of security risks and increase their compliance with the PCI Data Security Standard, ISOs and acquirers should institute programs that directly address data-security issues, Taylor said. ISOs and acquirers should begin by choosing an objective, such as identifying at-risk merchants or improving overall data security, he said. They then can establish a marketing strategy to reach merchants.
It is important to realize, however, that data security is not merchants' "bread and butter," said Taylor. "Do not overwhelm them with information" pertaining to security or regulations, he said. ISOs and acquirers should keep their merchant communication about data security "clear and concise," said Taylor.
ISOs and acquirers also should avoid fees pertaining to PCI compliance that do not benefit merchants, Taylor said. Any fee related to data security "must provide value" to merchants, he said.
PCI compliance should be a partnership between ISOs and merchants, said Taylor. ISOs and acquirers should consider incentives, such as breach insurance, to drive participation in their data-security programs.