Digital Transactions Authoritative, insightful and timely information for payments professionals
While the payments industry grapples with yet another rash of card-data breaches, independent sales organizations and other acquirers are reporting greater compliance among their small merchants with a key data-security standard.
n
Close to 60% of ISOs and other processors are reporting compliance rates of 40% or better among their portfolios of so-called Level 4 merchants, up about five percentage points from a year ago, according to a survey released by Atlanta-based security-solutions vendor ControlScan Inc. and the Merchant Acquirers’ Committee, a risk-management organization for ISOs and financial institutions.
n
The survey, conducted last fall, surveyed acquirers about compliance with the Payment Card Industry data-security standard (PCI) and other risk-management topics related to small merchants. Level 4 refers to merchants that process annually up to 1 million in-store card transactions or fewer than 20,000 online card transactions. Some 139 acquiring officials responded.
n
PCI compliance by small retailers is considered critical because, despite the headlines generated by the breaches at Target Corp. and other big merchants lately, most hacks occur at small merchants, which are seen as more vulnerable to attack and less focused on security.
n
Indeed, among acquirers responding to the ControlScan-MAC survey, some 37% reported at least one merchant breach in 2013, representing a 23% increase over the number that reported one or more breaches in a similar survey in 2012. Of those reporting a breach in the latest survey, nearly two-thirds said more than one portfolio merchant was attacked.
n
Perhaps reflecting this increased risk, ISOs and other respondents said risk reduction is now their biggest goal with PCI programs, displacing revenue generation, which was the number-one rationale for such programs last year.
n
The great majority of respondent (95%) offer some sort of program for their merchants to help them comply with PCI. But while compliance may be up, how acquirers administer these programs varies widely. Only 10% manage their programs in-house with proprietary technology. Fifty-six percent manage the program themselves but rely on outside technology, while 30% outsource their programs entirely.
n
More than half (54%) roll out their compliance programs to their entire portfolio at the same time, while only 11% segment their portfolio, focusing their programs on their riskiest merchants first before rolling it out to others. The latter approach allows acquirers to “significantly reduce business risk early in the rollout process,” according to the survey.
n
While acquirers may have lowered the priority for revenue generation, more levy fees for both compliance programs and for noncompliance, according to the survey. One-quarter now assess more than $100 per year for their compliance program, up from 16% in 2012. Meanwhile, nearly two-thirds now levy noncompliance fees, up from 60% in 2012 and 52% in the first survey in 2011.
