Acquirers should mention security to merchants more often. A lot more often–every time they make a sales call, field a complaint, explain a regulation, solve a technical problem, send an email message, mail a monthly statement or launch a direct-mail campaign.
“It should become part of every conversation,” says Susan Matt, CEO of ThoughtKey Inc., an Atlanta-based consulting firm, and chief financial officer of the Merchant Acquirers’ Committee, a security-oriented association.
But reality differs from that ideal, according to the findings outlined in a recent study report, “Benchmarking Level 4 Merchant PCI Compliance–The Acquirer’s Perspective.” The committee and ControlScan Inc., an Alpharetta, Ga.-based provider of security services, designed and conducted the research.
Instead of making security part of the culture of communication, acquirers bring up the subject an average of just four times per year with each client, says Heather Foster, ControlScan vice president of marketing, citing the study’s findings.
“I was quite surprised that in this day and age it was limited to four touch points,” Matt says.
Indeed, acquirers are doing “very little in terms of touch points,” Foster agrees.
ControlScan and the committee based the findings on responses from 146 banks, processors and independent sales organizations. The responding ISOs ranged from fewer than 1,000 merchant accounts to more than 50,000.
The two groups recently conducted the study for the first time and intend to repeat it annually to benchmark and track progress in making transactions more secure among Level 4 merchants. Visa defines Level 4 merchants as those accepting fewer than 20,000 Visa transactions annually.
ControlScan has surveyed merchants on security for three years.
The new acquirers’ survey, completed in October, also indicates that acquirers that fail to broach the subject of security with merchants have a smaller percentage of merchants that comply with the Payment Card Industry data security standards, Foster says.
Acquirers with a low percentage of merchants that comply with PCI brought up the subject of security with their merchants an average of only four times annually, according to Foster.
By comparing survey answers from acquirers with a high percentage of merchant compliance with those with lower compliance rates, ControlScan and the committee established that statement inserts touting the benefits of PCI did not prove effective, Matt says.
Fewer than 12% of survey respondents are using Web seminars to teach merchants how to comply with PCI, much lower than the expected 24% to 50%, Matt says. “A shift in education needs to occur,” she maintains.
Acquirers also are taking a phased approach to emphasizing security to merchants, survey results indicate. Between 12% and 18% of respondents are emphasizing security to new Level 4 merchants but not to their established accounts, Foster says.
That marks an improvement: a survey performed 18 months ago probably would have found that 50% of acquirers were concentrating on security only with their new small merchants, Foster says.
“It’s a phased approach, a staggered plan,” she notes. “That’s why we see that number decreasing.”
Larger acquirers have been slower than their smaller competitors to contact established accounts, Foster says. “If you have 50,000 merchants, it’s harder to tackle all of them at once,” she says of the larger acquirers.
When those limitations arise because of the size of the job, it makes sense to set priorities based on individual merchants’ risk for breaches, Foster adds, noting that 17% of respondents have begun to segment their portfolios that way.
The survey also provided reassurances that the acquiring industry recognizes the importance of pushing security in its communications with merchants, Foster says. Some 70% of respondents agree that the PCI data security standards help prevent data breaches, she notes.