Thursday, March 28, 2024

Where Are the ISOs?

Security

Linda Punch

Knowledge about the risk of a data breach is woeful among small merchants, as is understanding of PCI. ISOs could be doing more to help, and now there are signs that, finally, they are.

For most small merchants, the independent sales organization is their first, and usually only, contact with the payment card networks. The ISO’s task is to convince merchants of the benefits of card acceptance, sign them up with a bank, and educate them on the ins and outs of the systems, from how to handle chargebacks to risk management.

But ISOs appear to be falling short in one major area: helping small merchants understand the importance of the Payment Card Industry data-security standard (PCI) and how to adopt the best data-protection and fraud-prevention methods to achieve PCI compliance.

To be sure, understanding and complying with PCI is a challenge for any size merchant. With 12 major requirements and more than 200 sub-requirements addressing everything from technology to security practices, the standard is a complex document. The card networks and the PCI Security Standards Council, which administers the standard, have spent years educating payment-industry players and merchants about the data-security measure.

Those educational efforts have borne fruit with the largest merchants. Ninety-five percent of merchants that process more than 6 million Visa transactions annually—so-called Level 1 merchants—are compliant with the standard, Visa Inc. reports.

But small merchants with fewer than 20,000 e-commerce transactions or 1 million transactions in annual volume—known as Level 4 merchants in card network parlance—remain largely non-compliant. At year-end 2010, Visa reported that compliance among the estimated 5 million to 6 million Level 4 merchant locations was “moderate.”

Devastating Aftermath

Furthermore, a recent industry survey found that a majority of the smallest merchants—so-called micro-merchants with fewer than 10 employees and less than 250,000 in annual transactions—were either “unsure” of the PCI standard or “not at all” familiar with it. Only 16% said they were “very familiar with the standard,” while the remainder said they were familiar with PCI to some degree.

The survey, conducted in August, was sponsored by Atlanta-based ControlScan, a PCI security vendor, and Merchant Warehouse, a Boston-based payments processor serving more than 80,000 small merchants. Responses from micro-merchants dominated the group by a ratio of 9 to 1.

Small merchants lack a comprehensive approach to PCI compliance, with data security just one of many issues vying for merchants’ attention, according to the report. Of the 299 total micro-merchants responding to a question about PCI compliance, 138 said “completing the paperwork” for PCI was the extent of their compliance efforts.

The survey also found that even though 53% of micro-merchants rated data security as a “high priority,” they lacked an understanding of the standard. Fifty-five percent said they were “unsure” (25%) about or “not at all” familiar (30%) with PCI. Of the remaining 45% who were familiar with PCI to some degree, 31% said they were “somewhat” familiar and only 14% said they were “very familiar.”

Micro-merchants also badly underrate their risk of data compromise. The majority (84%) saw their risk of data compromise to be low or non-existent, while 15% said they faced a “medium” level of risk, and 1% pegged their risk as “high.”

“A lot of them don’t even know what [PCI] is or what it’s for or they think it doesn’t apply to them because they’re a small business,” says Markiyan Malko, PCI compliance officer and program manager at Merchant Warehouse. “They don’t realize that around 90% of the breaches are actually [at] Level 4 merchants.”

Those numbers are especially alarming because Level 4 merchants represent only 32% of annual transactions processed, according to industry estimates. And while small breaches of small merchants typically involve fewer cardholder account numbers than attacks on larger merchants, the aftermath still can be devastating for the merchants, their acquirers, and their customers.

Also, hackers are sensing that small merchants’ defenses are less hardened, and so are now targeting them more often, Malko says.

Hit And Miss

There are many reasons why the majority of Level 4 merchants have yet to comply with the PCI standard, according to the ControlScan/Merchant Warehouse survey and other sources. But “the biggest thing we found was the merchant-compliance levels are pretty much in line with how much the ISO does to educate them,” Malko says.

There are some ISOs that basically “do nothing or charge [merchants] some sort of administrative fee, then really don’t help the merchant understand what [PCI] is or why they need it,” Malko says. “Those will obviously have a much lower percentage of merchants that are not only not compliant but don’t even know about PCI.”

The time and resources ISOs devote to helping their merchants understand and comply with the PCI standard vary widely. Many ISOs do the bare minimum while others develop tools and information to make the compliance process easier for their merchants.

“When most ISOs say they’re educating merchants [about PCI], it’s really just them throwing up a page on their Web site, a little one-page explanation of what it is,” Malko says. “Most merchants might get the gist of it but they’re not going to really understand what it is and why they need it and how critical it is for them.”

And some ISOs do little to help small merchants navigate the compliance process, beginning with filling out so-called self-assessment questionnaires (SAQs). SAQs are lengthy documents designed to be used as tools for merchants to determine if their operation has in place all the necessary data-protection measures and policies. Many of the questions deal with highly technical areas such as firewalls, vulnerability-management systems, and applications.

Some ISOs say “‘hey, here’s your SAQ. Give it your best shot,’” says Leslie Norris, executive vice president and operational executive of Panoptic Security, a Salt Lake City, Utah-based PCI-security firm. “We’ll submit what you’ve got and we’ll figure it out later.”

Other ISOs, however, provide “serious online SAQ-based tools that really can provide a merchant with all the tools they need,” Norris says.

But the hit-and-miss approach of the ISO industry in working with merchants to achieve PCI compliance appears to be changing.

“The ISOs in the first quarter of 2011 are fully aware that what they were doing in the past with regards to PCI compliance was not sufficient or was not taken as seriously as it really has become,” Norris says.

Adds Malko: “ISOs are trying a little harder now to get merchants compliant.”

ISOs’ difficulties in helping merchants with PCI compliance are “not for lack of interest,” but for lack of technical expertise, Norris says.

“They’re not QSAs (qualified security assessors), they’re not security pros, and they’re not IT professionals,” she says. “It’s been difficult for them to understand what they should be giving Level 4 merchants.”

ISOs instead should work with PCI-compliance providers to provide the technical expertise Level 4 merchants need to meet PCI requirements, Norris says.

“We are the security professionals, we are the folks that understand various security initiatives, including PCI DSS compliance,” she says. “The PCI Council and the payment brands have given us all the things we need to know to build the right PCI-compliance tool for these merchants to be implemented through the ISOs or agents.”

Panoptic, like some other compliance providers, has developed an online SAQ that is easier for Level 4 merchants to complete. The security firm has compiled information on point-of-sale processing systems that enables it to answer all the SAQ questions dealing with the technical side of a merchant’s system.

“That means 70% to 95% of that person’s SAQ process is done at log-in,” Norris says. “That’s a huge thing.”

But the SAQ is just the start. ISOs also need to offer easy-to-use tools, such as end-to-end encryption, to make merchants more secure, says Steve Elefant, chief information officer at processor Heartland Payment Systems.

Small merchants “oftentimes don’t know the difference between a firewall and a fire extinguisher,” he says. “You’ve got to provide things that are simple that they can do that are not going to upset their business processes.”

Many vendors are offering end-to-end encryption technology in the marketplace. Heartland is working with several large ISOs to license E3, its encryption technology for terminals.

“ISOs are beginning to realize that they need to do more than simply provide PCI audits, that they need to help people become more secure,” Elefant says.

‘Tons of Information’

Sometimes the road to compliance begins with a one-on-one talk with a merchant about PCI, says Ken Musante, chief executive of Eureka, Calif.-based Eureka Payments.

“Merchants really don’t get it,” he says. “When you sit down and have the conversation with them, they instantly get it and wish to comply for the most part.”

In one case, Musante broached the subject of PCI when a merchant contacted him about buying a piece of equipment.

“He said I want to purchase this device and I’m buying it on eBay, and this is what I want to do,” Musante says. “It was great that they called me before they purchased it because I said ‘if you do this, here are the additional questions you have to ask and here is the version you have to make sure you’re subscribing to. If you don’t, find out the costs for the upgrades because it’s going to be an added cost for you in purchasing that situation.’”

Musante notes that the “merchant wasn’t calling me and asking for assistance in becoming PCI-compliant. The merchant was calling and asking for assistance in processing, not having any idea they had to worry about the PCI side of it.”

While some ISOs might balk at taking time to educate a merchant about PCI during a routine call, Musante says it just makes economic sense. “It’s good business and it attracts more business,” he says. “If I don’t do this, somebody else is just going to come along behind me, and once they explain to the merchant what they’re doing wrong, I’ve lost that account.”

And ISOs don’t have to become security experts or maintain a library of security information to be a source of PCI information to merchants, Musante says.

“There’s tons of information available online, so depending on what the merchant’s doing, you can easily send them the information that’s available online, produced either by your processor, Visa, MasterCard, or the PCI Council itself,” he says. “There’s no lack of information available.”

Getting on the Phone

Steering merchants to information about PCI compliance also is a strategy used by Merchant Warehouse, Malko says. As part of its compliance efforts, Merchant Warehouse does outreach programs such as e-mail campaigns and statement messaging.

“Statements are the one thing merchants look at regularly to see their fees, so it’s a good place to put a little message,” he says. “We’re not even explaining everything. We’re just letting them know what it is and giving them a link to something more in detail.”

Merchant Warehouse also will follow up with calls to individual merchants to remind them to check the message. “We found that that e-mail can be overlooked and people will say, ‘I’ll put that off until later on,’” Malko says. “Whereas, if you get a phone call, typically you’ll check the e-mail and log on to the Web site to at least take a look at the portal.”

Indeed, making it easy for small merchants to find the information and resources they need is the key to increasing compliance in the Level 4 category, Malko says.

“Most of these guys are small businesses that have a couple of employees,” he says. “They don’t have time to sit there and do their homework on PCI. They have their business to run, employees to manage. It’s really about making it as easy as possible for that kind of one-stop shop for becoming compliant.”

Convincing small merchants that the threat of a data breach is very real also will go a long way towards increasing compliance, Malko says. “It’s really being more in-depth about how much risk they’re at,” he says. “If you tell a merchant that 90% of the breaches occur at small merchants like yourself that will probably have more weight than just saying PCI is mandatory, you need to do it.”

Digital Transactions