ISO - Industry News

Retailer Breaches Harm ISOs, PCI Head Warns

The Payment Card Industry Data Security Standard is all about money — but increasingly, the question is whether it’s about protecting money or making money.

Acquirers working with small businesses recently stated that they view revenue-generation as a slightly more important aspect of PCI compliance than security, according to security vendor ControlScan’s recent survey.

“But it costs money to lose your business [because of a breach], too,” says Bob Russo, general manager for the PCI Security Standards Council. The council maintains the PCI standard and related guidelines.

The PCI standard’s value to security stands to improve this year, Russo says. “This is a year in which we establish new standards based on all of the feedback and work that has been done, and at the same time we have mobile payments [news] all over the place and EMV [smart card technology] coming to the U.S.”

The busy year ahead, plus a decrease in data breaches the past few years, shows that PCI “is working and has been working,” despite merchant concerns about the costs associated with compliance, Russo says.

“I can’t blame the acquirers [for viewing PCI as a revenue opportunity], because it costs money to be secure,” Russo adds. “But we are seeing a fraud migration to smaller merchants, and being PCI compliant is a shared responsibility between merchants and those selling equipment and applications.”

The PCI council will continue to push its message that data security calls for “people, a process and technology,” Russo says.

As such, the council is encouraging its more than 650 participating organizations to get involved this year in the upcoming advisory board election process and in the new special interest groups that research assigned topics, and to attend this year’s PCI community meetings.

The 2013 community meetings have been set for Sept. 24 to 26 in Las Vegas; Oct. 29 to 31 in Nice, France; and Nov. 20 in Malaysia.

The organization has work to do in educating small-business owners, Russo says.

“Small merchants have a lot of issues, primarily that they are not always in tune with data security,” Russo adds.

Small-business owners don’t always think of card data as a tangible asset they have stored at their business, Russo says. “A bike shop owner would lock his doors so that the bikes are not stolen, but he has to do the same with card data.”

PCI provides the information, as well as a list of PCI-certified security vendors, to make it easier for a small-business merchant to understand the need for standards compliance, Russo says.

“When you get the chance to explain the reasons for data security in person, like to a group of merchants, the light bulb goes off and they realize they have to do something,” Russo says.

Small merchants are becoming more aware of PCI, as compared to three years ago when most had no idea, says Susan Matt, CEO of ThoughtKey Inc., an Atlanta-based PCI consulting firm.

“But I am seeing a shift in the past two years of merchants being taken out of the PCI equation because there are a lot of hosted services doing the compliance work for them,” Matt says.

Allowing experts to handle the compliance process has a downside in that merchants tend to “take their eye off data security a little bit,” she says.

The revenue benefit of PCI “is an acquirer thing,” Matt says. “There is a tradeoff, and merchants are generally happy to pay someone to keep them informed and educated about PCI compliance.”

Matt says she is not certain if it is a troubling or positive trend for small merchants, but she says many are now contemplating whether an insurance policy to cover damages from any potential data breach would be less expensive than ongoing PCI compliance.

 
