The private sector often lives in fear of government regulation, but the payment card industry’s indigenous regulators are piling on new disclosure, monitoring and security requirements for merchant acquirers, panelists said Wednesday at the Northeast Acquirers Association (NEAA) annual conference in Boston. While many of the new rules are meant to correct clearly identified weaknesses, another goal is to avoid intervention by Congress or by federal and state bureaucrats not attuned to the payment industry’s myriad nuances.
The panel at the NEAA conference, which was attended by 650-plus acquiring and independent sales organization executives and sales people, reviewed recent rules changes by Visa Inc. and MasterCard Inc. as well as the PCI Security Standards Council, which administers the new version 3.0 of the Payment Card Industry data-security standard. Compliance with the main PCI rule set and its related standards is mandatory for card-accepting merchants.
Payment card data breaches are the talk of Washington, with President Obama recently urging Congress to pass a federal breach-notification law to supersede 46 disparate state laws. Plus, the new Republican-controlled Congress, while presumed to be business-friendly, isn’t necessarily going to let merchants or banks off the hook for lax data security, which is now a political issue that resonates with consumers. A House subcommittee will have a hearing Tuesday about finding the “sound elements of data-breach legislation,” and the Senate’s Homeland Security Committee has scheduled a hearing for Jan. 28 on the importance of information sharing to protect against cyber attacks.
That kind of attention puts pressure on the payments industry to get its security act together quickly. Joan E. Herbig, chief executive of Alpharetta, Ga.-based security-services provider ControlScan Inc., said PCI’s version 3.0 stresses the segmentation of computer networks to isolate card data, clearly delineates the duties of merchants in supervising third parties they hire for security tasks, and strengthens other aspects of a comprehensive security program.
“There’s an emphasis in 3.0 around increased documentation and training,” she said. Herbig later added: “The [PCI] Council is serving an important role in keeping the government at bay.”
There are downsides to all that, however. For example, many merchants are confused about which self-assessment questionnaire (SAQ) they should use to begin the PCI compliance process now that the number of SAQs has proliferated to nine, according to Herbig, up from six in the earlier release and just one back in PCI’s early days.
In addition, the new rules for network segmentation mean that more merchants will be required to do so-called penetration tests to assess their networks’ vulnerabilities. Such tests can cost “thousands of dollars,” Herbig said.
As ISOs and acquirers, which serve as the PCI cops on the beat, digest the new security rules, they also have to keep an eye on recent Visa and MasterCard rules changes that recognize the growing role of so-called payment facilitators that work with small merchants and aim to improve disclosures about pricing and the terms of merchant contracts. For example, MasterCard last June changed its rules to require better disclosures about how acquirers calculate equipment charges, authorization expenses and other fees, said panelist and payments attorney Holli Targan, a partner at Jaffe Raitt Heuer & Weiss P.C. in Southfield, Mich.
“The rule requires that you explain what every term that you’re using means because there’s a recognition that merchants don’t speak our language necessarily, and it all needs to be explained to them,” she said.
A second major MasterCard change says acquirers must give merchants 30 days’ notice of fee increases or new fees. The network also published a four-point best-practices guide regarding clear pricing and contract terms for merchants. “I think this really points up to the self-regulatory push by MasterCard,” Targan said, adding later: “So, I suggest you all go out and take a look at your merchant agreements.”
For its part, Visa in September published risk standards requiring acquirers to have written policies for the underwriting, monitoring and control of the third-party businesses they use, including background checks, according to Targan. “This really goes to the self-regulatory and hopefully [is] an indication to the government that the industry is regulating itself,” she said.
Jason Oxman, chief executive of the Washington, D.C.-based Electronic Transactions Association, the national acquiring-industry trade group, said major new federal legislation affecting the card industry is unlikely because government is too divided—Obama, a Democrat, is in the White House with Republicans now controlling Congress. “Short of simple stuff nothing is going to move forward,” Oxman said. But he added that widespread support exists for a federal breach-notification law as well as the legalization, in the name of cyber-security, of certain information sharing that currently is illegal.
While not much may come out of Congress in the near term, the federal Consumer Financial Protection Bureau is mulling sweeping new rules for prepaid cards, and some states are considering regulations on virtual currency.