Acquirers consider the Payment Card Industry data security standards slightly more important as a source of revenue than as an approach to security, new survey data indicates.
That balance between revenue and security shifted in the last year, according to the second annual study of small-merchant security from an acquirer's perspective. The study was conducted by ControlScan, a security-services vendor, and the Merchant Acquirers' Committee, an association of risk executives.
Asked to rank their reasons for complying with PCI standards, acquirers ranked "generating revenue" as No. 1, followed, in descending order, by "meeting card-brand requirements," "achieving a high compliance rate" and "reducing risk," says Heather Foster, ControlScan's vice president of marketing.
"Even when we broke it out by type of business, whether it be bank, ISO or processor, they all placed ['additional revenue' at] No. 1," she says.
However, the four choices in the survey all polled about the same, Foster says. The company assigned weighted values to acquirers' rankings and couldn't translate those numbers into percentages, she notes.
In an unusual twist, the order of the ranking for the four responses was the exact opposite of last year's findings, Foster says.
But the survey's other findings mitigate the reversal, she maintains.
"You'd like to see them rate risk higher, but at least they're doing other things within their organizations to have a more effective program," Foster says. "You didn't see a backslide in any of their other responses."
The PCI compliance rate remained about the same for merchants that work with the acquirers that responded to the survey, with most within a "medium" range of 26% to 40% compliance, she says.
Some 33% of respondents report greater than 61% compliance, about three percentage points higher than last year, Foster notes.
Acquirers responding to the survey were using an average of more than four channels to alert merchants to PCI, she says. The top four channels, in descending order of popularity, are statement inserts, email, welcome statements and outbound phone calls.
The survey also indicates that acquirers with high compliance rates don't use more channels than their lower-achieving peers. That points to the importance of communicating effectively in any medium and having staff members ready to help, Foster maintains.
"Communicating early and often is really good because (PCI) is not something merchants instinctively feel they need to do," she advises. "But it's really important that the quality of the communication is there, too."
Some 80% of respondents say they believe PCI prevents data breaches, and 56% are convinced merchants value PCI, Foster says. However, among acquirers with low compliance rates, only 20% say they believe their merchants appreciate PCI, she adds.
For the first time, researchers asked acquirers this year if they offer breach protection to merchants, Foster says. Some 60% are offering it, she notes, both to protect merchants and to raise their own revenue.
The October survey involved 123 banks, processors and ISOs with Level 4 merchant portfolios ranging from fewer than 1,000 accounts to more than 50,000.