Friday, December 13, 2024

Security: Are Small Merchants Finally Getting It?

Lauri Giesen

Despite years of effort by ISOs and acquirers, most small merchants still fail to meet the PCI security standards. But there are signs of hope.

If you look at the big picture, progress by independent sales organizations and other merchant acquirers in getting small merchants into compliance with the Payment Card Industry Data Security Standard (PCI DSS, referred to here simply as PCI) has been slow. But there have been instances of significant improvement when acquirers and technology companies work aggressively with merchants.

Almost eight years after the PCI rules first took effect, many mom-and-pop retailers still don’t understand the need to be compliant. Some still aren’t even aware of the rules, which many large merchants roundly criticized at first.

And those that have been told what steps are necessary to improve the security of their card-acceptance systems often resist taking the necessary actions.

A study of small, so-called Level 4 merchants late last year by Alpharetta, Ga.-based ControlScan Inc. found that just under half of the 603 retailer respondents were still unaware of the PCI standards. Additionally, 79% of the respondents said they believed their business had little-to-no risk of a security breach.

Even more alarming, only about 30% of respondents had validated their PCI compliance, although the numbers were higher (50%) for those merchants that were aware of the need.

By comparison, Visa Inc. said 90% or more of the biggest merchants, the so-called Level 1 and Level 2 merchants that generate at least 1 million Visa transactions a year, were validated as PCI-compliant as of last December. Just over half of Level 3 e-commerce merchants met the standards.

But Visa doesn’t give a number for compliance by Level 4 merchants, which number about 5 million. Instead, it terms compliance as “moderate,” with somewhat better rates for merchants with standalone payment terminals than those with integrated payment systems.

Ironically, lower-tech, comparatively slow point-of-sale terminals connected to land lines can be less vulnerable to data breaches than more modern, Internet-connected but improperly defended payment systems. A dial-up terminal exposes no network service that an attacker can reach remotely, whereas an integrated, Internet-connected POS that is not patched, firewalled and stripped of default credentials can be attacked from anywhere.

Visa defines as Level 4 those e-commerce businesses with fewer than 20,000 Visa transactions annually and all other merchants with up to 1 million annual Visa transactions.

‘Biggest Challenge’

Some payments executives say the number of data breaches at small businesses is growing at a time when large retail chains are thwarting computer hackers more often.

“We are seeing more breaches on our reports from small retailers and small general-hospitality companies. These companies do not have the security experience of the larger retailers and their focus is on the products they sell and services they provide, not on security,” says Robert Russo, general manager of the PCI Security Standards Council.

The Wakefield, Mass.-based PCI Council administers the PCI and related standards. An update of the main PCI standard is expected in November.

Indeed, Visa reported in 2011 that 97% of all reported U.S. payment card compromises originated with small merchants. Security violations at large merchants and payment processors get more attention because of the greater number of cards involved and the resulting fraud losses.

Today, precisely because small merchants account for such a disproportionate share of data breaches, payments companies are putting more of their PCI focus on Level 4 companies.

“Level 4 merchants have always been the biggest challenge for the entire payments industry. I am on the PCI board of advisors and we are spending a lot of time discussing Level 4 retailers at our board meetings,” says John Graham, vice president of global information assurance and risk for Atlanta-based First Data Corp., the nation’s largest merchant processor.

‘More Awareness’

But while the overall numbers can paint a bleak picture, acquirers, ISOs, and security-services providers operating in the trenches often tell a different story.

Many report significant increases in PCI compliance, especially if the ISO has been aggressive in motivating retailers, either by fining those that are not in compliance or by gently guiding them toward technology that makes their systems more secure.

Payments experts typically agree that success in getting retailers onboard with PCI often can be attributed to actions taken by ISOs, which sign most small merchants for card acceptance and frequently provide related hands-on services.

Also, technology companies that develop POS hardware and software can play an important role in educating and guiding small merchants.

“Retailers want to know what equipment and services are secure and they depend on someone else to show them the way,” says Russo. “The onus for compliance is on the retailers, but they need qualified systems integrators and resellers as well as ISOs to guide them.”

Education is usually the first step.

“Education is in our DNA,” says David Abouchar, senior director of product management for ControlScan. “If a retailer does not appreciate the need for compliance, they’re not going to take the next steps. Year after year, we have promoted education to elaborate on the need for retailers to understand the risks they face.”

And those ISOs that are aggressively working on PCI compliance say they are seeing a real difference, especially in awareness.

“We’re definitely seeing more awareness in the market,” says Ken Musante, president of Eureka, Calif.-based Eureka Payments LLC. “They know what needs to happen and they are not ignoring the message or being outwardly hostile when we talk about it.”

Musante attributes some of the greater awareness to more discussion of PCI issues in the trade press as well as at conferences and seminars.

“The most important thing is to get the information out, and they are paying more attention,” he says.

Vulnerability

Additionally, Musante believes smaller merchants now understand that they are vulnerable to data breaches when previously many thought that was something that only happened to big companies.

“We’ll never get to 100% awareness or compliance but we are getting close to a critical level of success,” he says. “And even if we cannot get to full compliance, we have made big inroads so that there is a much lower probability that data can be compromised.”

Musante says ISOs need to come up with priority lists of which merchants to approach based on their potential for problems.

“Retailers that use wireless routers or connect their card data through their POS systems are going to be more vulnerable than those who have a direct connection from a standalone terminal,” he says.

ControlScan’s Abouchar agrees that identifying the most vulnerable merchants is an important step.

“It’s the old rule that 20% of the retailers make up 80% of the risk. Retailers that are sending a few transactions from dial-up terminals are not seeing the same level of risk, and ISOs need to focus first on their riskier merchants.”

That said, Abouchar also warns that ISOs and technology companies need to make sure merchants are using the systems they say they are. Some retailers will claim they are not running payment data through an integrated POS system when in fact they are, and a merchant that misdescribes its setup ends up assessed against the requirements for a simpler environment than the one it actually operates, leaving the real exposure unexamined.

“Validate the systems that retailers are using and ask for a demonstration,” says Abouchar.

Fees for Noncompliance

Other ISOs also have seen significant increases in retailer compliance. Mike Cottrell, senior vice president of Bettendorf, Iowa-based TriSource Solutions LLC, says about 70% of the Level 4 retailers his company works with are PCI-compliant today, compared to about 25% to 30% two years ago.

“Five years ago, we made it mandatory for our e-commerce merchants to be compliant, and then a year ago we made compliance mandatory for all retailers,” Cottrell says.

At the same time, TriSource implemented stronger training programs for all the agents it worked with so that they could explain PCI to merchants and help guide them.

“Our agents work as consultants now, and the feedback we have gotten from our merchants shows they appreciate that,” Cottrell says.

Retailers that resist moving toward compliance initially face fines from TriSource of $20 to $30 per month. That amount escalates to $40 to $60 if they continue their resistance after several months.

Cottrell says some ISOs fear that noncompliance fees cause customer loss, but his firm has not seen much attrition due to the fees.

“We’ll refund the fees to retailers if they start to show progress in moving to compliance,” he says.

Setting the fee amount was a concern.

“We talked to other ISOs and they said the amount has to be enough that the retailer notices it. If you set it at say, $9, a lot of retailers will just pay the fee and then it becomes about increasing revenue and not about compliance,” Cottrell says.

TriSource is not the only company with such fees. Surveys from ControlScan have found about 60% of ISOs today have PCI fees that typically range from $11 to $25 per month.

Sermons About PCI

But while fees are a big factor in helping TriSource motivate retailers, improved technology has been the decisive factor for Boston-based Merchant Warehouse.

“We don’t do noncompliance fees. We think that is too heavy-handed. We prefer an approach that utilizes the carrot instead of the stick,” says Merchant Warehouse chief executive Henry Helgeson.

A POS solution from Merchant Warehouse built on its new Genius platform sends card data directly from the card-reading device to the processor, bypassing the rest of the merchant’s POS system. It also uses point-to-point encryption, which encrypts card data at the reader so that the remaining POS components handle only ciphertext. Helgeson says the approach has been a big help not only in getting retailers PCI-compliant but also in improving security overall.
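To make the security point behind that architecture concrete, here is an added illustration written for this piece. It is not Merchant Warehouse’s code and does not describe how the Genius platform is built, which the article does not cover. It models point-to-point encryption in the abstract: the card reader seals the card number before any merchant-controlled component sees it, the integrated POS relays opaque bytes, and only the processor can decrypt. The single static AES-256-GCM key, the “PAN|expiry” envelope layout and the test card number are simplifications assumed for the example; real P2PE deployments use hardware-protected keys that are normally derived per transaction.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Envelope is what leaves the card reader. Only the processor can open it;
// the merchant's POS software in between handles ciphertext plus a masked
// PAN that is safe to print on a receipt.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM over "PAN|expiry", MaskedPAN bound as AAD
	MaskedPAN  string // first six and last four digits, e.g. 411111******1111
}

// Terminal models the encrypting card reader. Assumption for this example:
// one static AES-256 key. Real P2PE keeps keys in tamper-resistant hardware
// and usually derives a fresh key per transaction (DUKPT).
type Terminal struct{ key []byte }

// Processor models the acquirer's decryption environment, the only other
// party that holds the key.
type Processor struct{ key []byte }

// MaskPAN keeps the BIN and last four digits, the usual receipt format.
func MaskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt runs inside the reader: the PAN is sealed before it reaches any
// merchant-controlled component.
func (t Terminal) Encrypt(pan, expiry string) (Envelope, error) {
	gcm, err := newGCM(t.key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	masked := MaskPAN(pan)
	// The masked PAN is bound as additional authenticated data, so a POS that
	// rewrites the receipt text is caught by the processor's tag check.
	ct := gcm.Seal(nil, nonce, []byte(pan+"|"+expiry), []byte(masked))
	return Envelope{Nonce: nonce, Ciphertext: ct, MaskedPAN: masked}, nil
}

// POSForward is the merchant's integrated POS relaying the envelope. It holds
// no key, so malware on it sees the same opaque bytes the network does.
func POSForward(env Envelope) Envelope { return env }

// PANVisibleToPOS reports whether the cleartext PAN appears anywhere in what
// the POS handles. With P2PE this stays false.
func PANVisibleToPOS(env Envelope, pan string) bool {
	return strings.Contains(string(env.Ciphertext), pan) ||
		strings.Contains(string(env.Nonce), pan) ||
		strings.Contains(env.MaskedPAN, pan)
}

// Decrypt runs at the processor. GCM's tag check rejects an envelope that was
// modified in transit, had its mask swapped, or was sealed under another key.
func (p Processor) Decrypt(env Envelope) (string, string, error) {
	gcm, err := newGCM(p.key)
	if err != nil {
		return "", "", err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.MaskedPAN))
	if err != nil {
		return "", "", errors.New("envelope rejected: tampered, altered mask, or wrong key")
	}
	parts := strings.SplitN(string(pt), "|", 2)
	if len(parts) != 2 {
		return "", "", errors.New("malformed plaintext")
	}
	return parts[0], parts[1], nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	term, proc := Terminal{key}, Processor{key}
	// Constructed input: a standard test card number, not real cardholder data.
	const pan, expiry = "4111111111111111", "1227"
	env, err := term.Encrypt(pan, expiry)
	if err != nil {
		panic(err)
	}
	relayed := POSForward(env)
	fmt.Println("POS sees PAN in clear:", PANVisibleToPOS(relayed, pan))
	fmt.Println("receipt shows:", relayed.MaskedPAN)
	gotPAN, gotExp, err := proc.Decrypt(relayed)
	fmt.Println("processor recovered:", gotPAN, gotExp, err)
	relayed.Ciphertext[0] ^= 0x01 // a POS-side modification
	_, _, err = proc.Decrypt(relayed)
	fmt.Println("after tampering:", err)
}
```

Run as written, the POS-side check stays false while the processor recovers the card number; flipping a ciphertext byte or swapping the receipt mask makes decryption fail. That is the property that lets the merchant’s POS be treated as an untrusted relay, which is why the article’s sources see this kind of design as a security improvement and not only a compliance shortcut.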

Helgeson believes that retailers need to hear more practical messages about what they can do to improve their payment systems’ overall data security rather than just sermons about PCI.

“The message about PCI compliance does not always resonate with retailers,” Helgeson says. “Instead, you need to talk about best practices and really help them solve security problems. This isn’t just about PCI compliance. We want that, but what we’re really worried about is data breaches.”

In addition to getting retailers onboard with PCI and improved security, ISOs need to engage their various technology suppliers, or value-added resellers (VARs).

“You need to get the VARs engaged. If they’ve installed a system that is compliant, it is much easier for us to then work with the retailers,” Helgeson says.

The need for VAR engagement is why the PCI Council has spent a lot of time working to educate such companies. It lists certified VARs on its Web site.

“We can send information to retailers about PCI until we are blue in the face, but we can’t make them read it,” says Russo. Having a VAR that can explain what it all means in relationship to the merchant’s POS system is often more meaningful, he adds.

‘An Unnerving Experience’

And while the PCI Council does not have quantitative studies showing that more retailers are getting the message, Russo says he is hearing more discussion about PCI among small merchants, and that more retailers are asking, “Is it PCI-compliant?” when they install new equipment.

While that question alone isn’t enough, Russo notes that it is a good start.

Besides education, finding ways to make it easier for merchants to take the steps necessary to be in compliance also can be important.

First Data found one of the most difficult tasks for small retailers is conducting the required self-assessment. In some cases, merchants don’t even know exactly what components are involved in their payments systems or how to describe what they are doing.

As a result, First Data set up an online portal to help with the self-assessment questions. That portal provides the answers to some of the questions the merchant is asked, based on information First Data has collected. Since it introduced the portal, First Data says the compliance rate among its small-merchant clients increased by 30% to 40%.

“We have so much information about retailers that we can help guide them by providing them with information they need so they can give the correct response,” Graham says.

What had been a difficult process becomes easier, Graham says.

“We try to turn what could be an unnerving experience into a positive experience. We have found sometimes retailers don’t even understand the questions they are being asked in the assessment,” he says.

First Data also charges a fee to non-PCI-compliant merchants, but only in rare cases, Graham says.

“We use it as a motivator, not a revenue source,” he says. “The only times we will use a fee is if we see a retailer that has been told what to do month after month but is not making any progress.”

Securing Franchisees

Beyond ISOs, processors and technology companies, important sources of data-security information for small merchants are trade associations and the corporate headquarters of companies that franchise.

Indeed, franchisees of restaurant or retail chains often pose the most security risk, Russo says. Many operators had little retail experience when they started their businesses and they chose the franchisee route because they could rely on the head office for guidance.

But often, these franchisees don’t know how to set up a secure payment system and they make simple but costly mistakes, such as not changing the default password, Russo says.

As a result of this problem, the PCI Council has been working with big companies to push down information about PCI compliance and safe data-protection practices to their franchisees and local managers of corporate-run stores.

Russo notes, for example, that executives of McDonald’s Corp., a big franchiser, and Starbucks Corp., which owns most of its coffee shops, have served on PCI committees.

Overall, payments companies say newer merchants are often more secure and more likely to be PCI-compliant than older companies.

“Newer merchants are usually starting with newer technology that has more security than those with legacy uses. It is always better to start preventing fraud at the beginning than to have to go back and make upgrades,” says First Data’s Graham.

Also, e-commerce companies are better at PCI compliance than brick-and-mortar retailers because, in light of the comparatively risky nature of their businesses, they have been hit with the message earlier and harder, ControlScan’s Abouchar says.

Further, better technology is available to small retailers today than in past years. Systems that a few years ago were affordable only to large retailers have been adapted for the mass market.

“The cost of available security systems is much more affordable today than it has been in the past, especially if you compare the cost of the technology to noncompliance fees,” says Eureka Payments’ Musante.


Digital Transactions