Some Level 4 Merchants Resist PCI Compliance


The cost of complying with the Payment Card Industry Data Security and PIN Entry Device standards and a lack of understanding regarding requirements has caused some Level 4 merchants to resist compliance, according to observers at the Electronic Transactions Association Compliance Day event in Dallas last week. Level 4 merchants process fewer than 1 million payment card transactions annually and typically work directly with ISOs. The ETA is a Washington, D.C.-based payments trade group.
Resistance from Level 4 merchants could lead to merchant attrition for ISOs that push for compliance with updated products because some merchants unwilling to update their methods, terminals and software may switch to other providers, according to observers.
A primary reason some smaller merchants resist PCI compliance is that they do not understand the need for it, Deanna Rich, president of Van Nuys, Calif.-based Rich Consulting, said during a presentation at the conference. Using the TJX Cos. Inc. credit and debit card data breach as an example of the costs of noncompliance does not sway Level 4 merchants. "They think they are too small to be targeted" by fraudsters, she said.
Discount retailer TJX Cos. Inc. reported a data breach in January 2007 that compromised at least 89 million payment card accounts.
Some Level 4 merchants also are reluctant to replace noncompliant software and hardware with updated versions that meet PCI standards, Rich said. "Merchants say, 'I have something; it works. If I get something new, I have to pay for it,'" Rich said.

Deliver A Consistent Message
Difficulties also arise if financial institutions are not clear with their ISOs regarding what they need to do to get Level 4 merchants compliant, said Rich. "Some banks are not diligent about making ISOs do the right things" regarding compliance, such as using validated payment applications and service providers, she said.
This creates an inconsistent message throughout the industry and leads some merchants to switch acquirers, processors or ISOs if they want to work with providers that do not require them to make compliance-related changes, according to observers.
Value-added resellers should recommend the minimum number of changes for a merchant to become compliant, Rich said. That way, "you don't get into a question of not doing the same thing as the other acquirer," she said.
Making the minimum number of demands "levels the playing field" and reduces the number of "merchants leaving ISOs for the other guy down the street," agreed Rick Allen, director of partner compliancy with Payment Processing Inc., a Newark, Calif.-based payment processor and ISO. A consistent message and approach in the industry leads to a more-compliant environment overall, he said during the presentation.

Prepare For 2010 Deadline
Payments industry value-added resellers should begin educating merchants now in anticipation of 2010 Payment Card Industry PIN-device and payment-application deadlines, according to Jim Tingey, executive vice president of Palm Desert (Calif.) National Bank, a Palm Desert.
Visa has mandated that all attended point-of-sale PIN-acceptance devices and payment applications be PCI-compliant by July 1, 2010.
It is "critical to begin now for 2010 changes," Tingey said during a presentation. "Beginning now means merchants will be more likely to act." Tingey recommends value-added resellers give merchants goals and deadlines to meet before the 2010 date to ensure compliance.

