How ISOs Are Tackling the Knotty Issue of Level 4 PCI Compliance

Bringing small merchants into compliance with the Payment Card Industry data-security standard, or PCI, is no easy task, according to independent sales organization executives that have started PCI programs for so-called Level 4 merchants. “You call up Billy's Pizza and ask him about his firewall, and he's not going to know what you're talking about,” says Henry Helgeson, president of Merchant Warehouse, a Boston-based ISO. Helgeson was one of several ISO executives on a “PCI Fundamentals for the Small Merchant” panel at the ETA Compliance Day conference held Nov. 12 in Chicago. The Electronic Transactions Association, the merchant-acquiring trade group, sponsored the event. Level 4 merchants submit up to 1 million Visa card transactions annually. Numbering more than 5 million, they account for more than 99% of all Visa merchants but collectively generate only 32% of the network's volume. There are no hard statistics about how many of the Level 4 merchants meet the PCI standards. Experts have estimated the number at below 10%. The latest numbers from Visa Inc., as of Sept. 30, say Level 4 compliance is “moderate,” though Visa doesn't quantify the term. Compliance is lower among merchants using integrated payment applications. Small merchants still using dial-up terminals face fewer PCI issues than those whose systems connect to the Internet. Virtually all ISO and acquirer PCI programs for Level 4 merchants involve education through statement inserts, newsletters, e-mail reminders, Webinars, and the like. But each processor also employs its own carrots and sometimes sticks, usually in the form of fees and fines. (After a data breach, fines typically originate with the network and are assessed to the acquirer, which passes them on to the ISO servicing the offending merchant, which ultimately gets the bill.) Mike Cottrell, vice president of business development for TriSource Solutions LLC, a Bettendorf, Iowa-based ISO with 20,000 merchants, says his company once thought PCI was an issue only for e-commerce merchants. But TriSource got serious about Level 4 compliance after three or four of its retailers suffered data breaches. The breaches resulted in more than $500,000 in fines, not all of which TriSource could pass on. “A couple [of merchants] went out of business,” Cottrell said. TriSource made PCI compliance mandatory last year. The ISO uses Atlanta-based security services firm ControlScan Inc. as its PCI vendor. Besides merchant education, a big part of the program involves getting the third-party agents TriSource uses on board by giving them a financial incentive through a cut of the fees merchants pay to access ControlScan's services, according to Cottrell. TriSource's so-called buy rate for agents is about $12, and the typical merchant PCI fee is $13.99, though agents can charge more. After 18 months, TriSource's PCI compliance rate is 27% for the e-commerce and physical merchants initially targeted. Another 12% are on their way to compliance. At Merchant Warehouse, Level 4 compliance efforts started about a year ago with “a soft approach” that included statement messages and other materials aimed at the riskiest of the ISO's 80,000 merchants, according to Helgeson. Merchant Warehouse had “some nasty surprises” with merchants storing card data prohibited by the PCI rules, especially by franchised businesses. “We saw this on the horizon for quite a while,” Helgeson says. Merchant Warehouse e-mailed its target merchants a link to a ControlScan site where they could log in and take a PCI self-assessment questionnaire, or SAQ. Merchant Warehouse would waive the $59 annual fee for ControlScan's scans throughout the year and SAQ processing after merchants called to confirm they had set up the compliance process with ControlScan. But only 40% of the targeted merchants responded. “Unfortunately, I don't think the carrot really worked this year,” Helgeson told the audience. Helgeson tells Digital Transactions News that he's working on other ideas to motivate merchants, though he won't give specifics yet. “We think it's going to happen over time,” he says. “I think it's going to be an educational process. We're not giving up on them.” Visa's Sept. 30 report says 97% of the estimated 352 U.S. Level 1 merchants are PCI compliant, and 99% do not store data prohibited by the PCI standards. Level 1 merchants submit more than 6 million Visa transactions annually and account for 50% of Visa transactions. Some 94% of the 895 Level 2 merchants, those submitting 1 million to 6 million Visa transactions and accounting for 13% of volume, are PCI compliant, and 99% don't store prohibited data. They account for 13% of Visa transactions. The 2,482 Level 3 merchants, e-commerce merchants that generate 20,000 to 1 million annual Visa transactions, generate less than 5% of Visa volume, and like Level 4 merchants, have a “moderate” level of PCI compliance. Figures about the Level 3 merchants' storage of prohibited data were unavailable. Some 97% of the 78 processors with direct access to Visa's VisaNet network are PCI compliant, and a “high” number, again undefined, are confirmed that they do not store prohibited data. The 906 agent, or downstream, processors have an 82% PCI compliance rate, with a high number not storing prohibited data.