PCI for Small Merchants Gives Rise to Headaches, Opportunities

Ask most acquirers and independent sales organizations what keeps them up at night, and at or near the top of the list is the job of getting their smaller merchants to comply with the Payment Card Industry data-security standard (PCI). The security requirement, whose detailed mandates even larger merchants find onerous, “is now being pushed down to the Mom-and-Pop level,” says Rick Pylant, president and chairman of CoCard Marketing Group LLC, a Nashville, Tenn.-based ISO. “It worries me for attrition.” Pylant argues many small merchants will conclude the effort and cost to comply with PCI isn't worth it and will simply stop accepting cards. “It's going to knock a lot of borderline merchants off [the acceptance rolls],” he says. “[They are] going to see what it takes to be PCI-compliant and say, 'Forget it.'” The card networks, he says, could see a net decline in volume from small merchants. “It could cost them some penetration, some acceptance,” he says. At the same time, he says, the effort to reach small merchants to educate them about PCI, which incorporates a dozen main requirements for protecting card data and scores of subrequirements, is difficult and costly for the ISO, Pylant says. “It's going to take a lot of time out of my sales [efforts] to explain all this,” he notes. Smaller merchants fall into what the card networks call the Level 4 group, or those merchants processing fewer than 20,000 e-commerce transactions or 1 million total transactions in volume annually. There are about 6 million locations that fall into this category. In September, data-security auditing firm Trustwave reported that Level 4 merchants had accounted for fully 90% of more than 400 data compromises it had investigated in more than 20 countries (Digital Transactions News, Oct. 1, 2008). In 2007, the card networks began pushing acquiring members?and, by extension, ISOs and other resellers–to show how their Level 4 merchants are working toward PCI compliance. And as of last fall Visa began requiring that new small merchants could not be booked unless they were PCI-compliant or used software compliant with Payment Application data-security standards (PA-DSS). The concerns of ISO executives like Pylant are creating opportunities for software developers. One company, Panoptic Security Inc., has created a host-based expert system that automates the task of filling out a so-called self-assessment questionnaire (SAQ), the foundation document for PCI compliance and a major stumbling block for small proprietors. The software takes over as much of the chore as possible once users have entered some basic data about their systems, says Tim Cranny, a mathematician who founded Salt Lake City-based Panoptic and serves as its chief executive. At the end of a session, the system prints out a completed SAQ along with detailed instructions on what the merchant needs to do to shore up security, how to do it, and when. “You don't have to be a security geek,” Cranny says. “We do it for you.” The 2-year-old company now has “thousands” of merchants using its system, with “tens of thousands” under contract, Cranny says. “It's real working technology,” he says. “We've seen strong growth and strong traction already.” Merchants pay anywhere from $6 to $8 per month to subscribe to the service. ISOs that work with the company to sign merchants for the service can earn up to half that revenue, the company says. Even CoCard's Pylant says there is an upside to all the work and hand-holding involved in explaining PCI to small merchants. “I think the relationships will be better afterwards,” he notes.