At a time when the payment card industry continues to struggle with the consequences of data breaches, the last thing acquirers and issuers need is a slowdown in merchant compliance with critical data-security rules. Yet that is what’s going on, warn the Merchant Acquirers Committee and ControlScan Inc. in survey results they jointly released Tuesday.
In an online survey conducted in November and December, 62% of acquirers, independent sales organizations, and payment facilitators said their merchants’ rate of compliance with the Payment Card Industry data-security standard had increased, leaving 38% indicating the rate had dropped or stayed the same. By contrast, three-quarters had indicated an increase a year earlier.
That’s a big concern, says a report presenting the latest results. “Decreasing or flatlining portfolio-compliance rates are a red flag for acquirers, indicating one or more PCI program issues that must be addressed,” the report says. Atlanta-based ControlScan, a security-systems vendor, and the MAC, a trade organization for acquirers, gathered 115 responses in the survey, which is conducted annually and concerns compliance by so-called Level 4 merchants, or small and mid-size sellers. The PCI standard has been in place for more than a decade and is seen as a key bulwark against card-data theft.
A big part of the problem is that too many merchants that once certified their compliance aren’t maintaining that status by revalidating in later years, according to the report. This factor, cited by some two-thirds of respondents who reported a lesser compliance rate, was unexpected. “Many ISOs and acquirers have succeeded in getting their merchants PCI-compliant to begin with, but we were surprised to learn that so many of those same merchants are falling back out of compliance,” said Chris Bucolo, director of market strategy at ControlScan, in a statement.
The two reasons for lapsing, says the report, are that merchants are unaware of the need to revalidate or that “they don’t want to go through the process again.”
Indeed, another factor depressing compliance rates, according to the survey respondents, is what they see as the increasing complexity of the self-assessment questionnaires used to maintain compliance. “More is being asked of the small and mid-sized merchant, and many don’t have the means to understand and integrate the requirements into their business,” says the report. “This is a perplexing issue for acquirers as well.”
Key methods to boost compliance rates, according to the report, include setting goals for the rate within a portfolio and tracking progress, frequent communication with merchants, and partnering with independent software vendors (ISVs), the software integrators that wire up merchants’ point-of-sale systems. Forty-nine percent of respondents say they are already working with ISVs, while another 13% say they intend to this year.
“Not only can [ISV partnerships] make it easier for the merchant to conduct business, they can also eliminate unnecessary hassle in the PCI-compliance process,” says the report.
The report, entitled “The Acquirer’s Perspective on Level 4 Merchant PCI Compliance,” is available here.