MOUNT SNOW, VT.–Merchants don’t understand the Payment Card Industry data security standards, and ISOs aren’t doing enough to help them comply with those rules.
At least that’s what a Chicago-based industry analyst told a packed conference room Feb. 1 at the Northeast Acquirers Association 2012 Winter Seminar and Outing.
The analyst, Joseph J. Zahaitis, of Zahaitis.com, based his observations on 19 years in the industry and an informal phone survey of 35 merchants and 30 to 40 card-service sales agents. Zahaitis and his crew also tried calling 60 ISOs and found only a handful willing to talk about PCI, he told ISO&Agent Weekly after his conference presentation.
“We weren’t creating charts but were trying to get a feel for what’s going on in the industry,” he says of the research.
Because ISOs seemed wary of talking about the subject, Zahaitis and his staff posed as merchants and called ISOs for help.
Typically, ISO receptionists seemed to have no idea what “PCI” meant and had no clue of how to route the calls. Calls were transferred to sales, customer support or other departments, and in almost every case help proved impossible to find.
Hence, Zahaitis offered several pieces of advice to his conference listeners, urging them to teach their staffs what “PCI” means, appoint and train someone to handle PCI inquiries, and make sure everyone on the staff knows where to direct questions.
During the phone survey, Zahaitis and his staff discovered most agents talk optimistically about complying with PCI but do almost nothing to make compliance a reality.
The agents are portraying PCI compliance in a favorable light, essentially offering a promise upon which they cannot deliver, Zahaitis says.
“They are speaking the party line,” he says, referring to politicians who adhere to ideology instead of taking action on their own.
The merchants report that they do not really understand the definition of PCI and that they cannot find help, Zahaitis says.
In many cases, when merchants search for assistance on an ISO’s website, they click on a link that lands them on the PCI Council home page.
Instead, ISOs should boil down the PCI standards and feed them to merchants in digestible bite-sized chunks, Zahaitis advises.
Merchants perceive vendors who help businesses comply with PCI as engaging in a “money grab” of escalating fees. And some merchants have seen their peers comply with PCI and still fall victim to breaches, leading them to conclude that PCI offers no real protection, Zahaitis says.
The acquiring industry has used the “stick” of fines for failing to comply and merchant liability in the event of a breach, when it should find a “carrot” to offer for complying with PCI, he contends.
Customer service that cuts through the confusion would be a start at correcting the situation, Zahaitis suggests.
After the talk, Zahaitis said he expected the crowd to “throw darts” at him for his comments or remain silent because they do not really care about PCI. The latter was the case, he concluded.