Independent sales organizations are increasing their use of non-compliance fees for merchants that don’t adhere to PCI Security Standards Council requirements, with 23% of ISOs surveyed for the ControlScan/MAC 2020 Acquiring Trends Report saying they assess these fees. That’s up from the historic range of 17% to 18%.
The report, released Tuesday, is based on a survey last fall of 68 payments-industry professionals.
Only 26% reported compliance rates above 60%, down from 42% in 2018. The reasons for the drop are multiple, but chief among them, cited by 50%, is that merchants were initially compliant but their annual validation lapsed. Another factor, at 20%, is the decreased frequency of communications about compliance. Other factors, at 10% each, include a change in PCI-compliance program partners, decrease or elimination of merchant education on compliance, decrease or elimination of noncompliance fees, and more complex compliance requirements.
“When combined with regular communications and educational content, scope-reducing technologies and related services are a powerful way to make life easier for the merchant,” said Chris Bucolo, ControlScan vice president of market strategy, in a statement. “It’s all about giving the merchant the tools and support they need to properly secure their business, without overburdening them.”
The survey data, which focused on payments providers serving small and mid-size merchants, also highlights that successful PCI-compliance programs are not set-and-forget, he says. “Running a successful PCI-compliance program requires regular reviews of metrics and trends so that corresponding adjustments can be made,” said Bucolo. “Like security technologies, there is no ‘set and forget’.”
Though PCI noncompliance fees have a role, many of the ISOs that don’t charge them (77%) said they opt not to for strategic and competitive reasons. Twenty-three percent say the fees don’t increase compliance rates.
Many ISOs try to motivate merchant compliance by using a third-party service provider, increasing merchant education, increasing the frequency of communication about compliance, and reducing or waiving PCI program fees for compliance, among others, according to the survey results.
Atlanta-based ControlScan and the Merchant Acquirers’ Committee, an association of payment-risk professionals, sponsored the survey.