PCI DSS was set up to help secure businesses process card payments and fight fraud. Robust controls are designed to protect the storage, transmission, and processing of cardholder data that businesses handle. Merchants that fail to comply with the standard can attract non-compliance fines and may see their relationship with their acquirer terminated, which, in turn, leaves them unable to accept card payments.
Acquiring banks are obliged to take a tough stance on PCI DSS compliance. This is because fraudsters target weak links in the payment chain to steal payment data (card numbers and card security codes) and customers’ personal information, such as names, addresses, phone numbers, email addresses, and dates of birth.
If and when a data compromise occurs, fines associated with non-compliance can reach hundreds of thousands of pounds; many non-compliant merchants have ceased trading because the fines could not be accommodated. This is in addition to the significant harm caused by associated reputational damage, so is it any wonder that the PCI Security Standards Council refers to surveys suggesting that 60% of small and medium businesses closed within six months of a payment data breach?
While penalties for PCI DSS non-compliance are on a more modest scale, they are a not-inconsiderable source of revenue for acquirers – although this is not a sustainable long-term revenue stream.
Overcoming barriers to compliance
We know that merchants want to comply with PCI DSS and recognize the value of increasing customer confidence in the security of their transactions. However, merchants face several challenges, most notably:
- Time and resources: SMBs understand the importance of cybersecurity, but it gets pushed down the list of priorities by the day-to-day tasks necessary to keep the business running.
- Technical requirements: The compliance process can be complex, and the vast majority of merchants don’t have in-house IT staff with the required technical skills.
Many companies offer security products for SMBs but not the management of those tools. Acquirers using a managed service for PCI DSS compliance can give their merchants access to a service that costs less than most fines for non-compliance while boosting all aspects of the business’s security, from firewalls to anti-virus protection. It’s a win-win.
SMBs want to be compliant but don’t always know what they need and often feel overwhelmed by the process. This isn’t surprising: merchants want to focus on selling their products and services, knowing that effective security requirements are being delivered for them at a cost they can afford while ensuring compliance with standards that keep their customers secure.
Giving merchants greater choice for PCI DSS compliance and cybersecurity is an attractive proposition for acquirers. Acquirers, like Elavon, have recently migrated hundreds of thousands of merchants to a managed-service platform enabling their merchant customers to complete their compliance on a self-serve basis or allowing expert agents to manage data security and compliance on their behalf.
Improved customer insight
As well as generating revenue from security tools that enhance their customers’ cybersecurity, acquirers also gain a greater understanding of where the risk lies within their customer base, enabling them to take steps to address that risk.
The industry hasn’t done enough to help small business merchants with their security issues. In the past, security solutions have focused on a portfolio subset such as e-commerce rather than providing a holistic solution.
As a result, many merchants are paying non-compliance fees rather than addressing shortcomings in their security protocols. This is absurd when managed services provide a unique opportunity for acquirers to retain key relationships with merchants while helping them keep customers and build loyalty. It is the shared responsibility of the industry to ensure compliance can be met affordably and without leaving chinks in the armory of businesses, no matter their size.
Keep reading
Prove Identity has launched a free Developer Portal for engineers to test out the Prove Pre-Fill® solution, which streamlines the customer onboarding process while preventing fraud.
PYMNTS interviewed Prove CMO Brad Rosenfeld for the most recent episode of, “What’s Next in Payments,”
Miller was the featured guest on InfoRisk Today, where she explained some of these rising threats and the corresponding need for better, more rigorous identity verification strategies.