The acquiring industry may as well come to terms with the Payment Card Industry data security standards and make the best of it, security experts told ISO&Agent Weekly in response to requests for the hottest tips on the subject.
“PCI isn’t going to disappear,” says Sean Fuery, director of business development for SecurityMetrics Inc., the Orem, Utah–based payments security vendor. “It’s folly for ISOs to think they can wait things out or that it’s going to go away.”
The standards appear likely to remain in force for some time because the threat of fraud continues to grow, security mavens contend. They point out that criminals are looking to steal data from even the smallest retailers.
In fact, Greg Leos, vice president of payment partner programs for Trustwave, a Chicago-based data-security and compliance-services provider, cautions ISOs to avoid the trap of thinking criminals won’t bother hacking into the computer systems and payment terminals of small merchants.
Hackers are targeting small merchants whose casual approach to security makes their systems easier to breach than those of security-conscious larger retailers, sources agree.
After all, stealing a little card data from each of a lot of small merchants adds up to as much as stealing all of the data from a single larger retailer. Likewise, a problem arises for ISOs because the combined liability of a large number of small merchants amounts to a large amount of potential risk.
“Typically, an ISO is on the hook if the merchant goes out of business,” Leos says, meaning the ISO may have to cover liabilities that typically add up to $40,000 or so for a breach at a small retailer.
With that kind of exposure threatening ISOs, it only makes sense to elevate security to the level of corporate culture, says Heather Foster, vice president of marketing for ControlScan Inc., an Alpharetta, Ga.-based provider of security services.
Instead of making PCI compliance a once-a-year “nuisance,” ISOs should promote a culture permeated with security and expose their merchants to that worldview, Foster says.
“Anybody in a merchant-facing role should be setting the tone” in a culture of security, she advises. “Everybody should know enough [about PCI and security] to respond well when merchants are asking.”
Concentrating on security not only safeguards merchants, and the ISO itself by association, but also strengthens bonds between the two entities, Foster says.
By showing concern for a merchant’s security, ISOs and agents become partners instead of just some outside profiteers imposing fees, she maintains.
Moreover, finding the right way to view PCI compliance can transform an ISO and benefit its merchants, according to Darrel Anderson, executive vice president of sales and client solutions for Jensen Beach, Fla.-based CSR, or Compliance Solutions and Resources.
ISOs should think of PCI as a product and a sales opportunity instead of dreading it as an operations hassle, Anderson says.
“Compliance is not an evil thing foisted upon us,” he maintains. “It generates revenue while it protects you and your merchant.”
Too many ISOs make PCI validation their focus instead of keeping security in mind, laments Fuery.
That thinking can lead ISOs or agents to complete a merchant’s PCI questionnaire themselves, achieving the short-term goal of appearing to comply and perhaps ending fee assessments, notes Brandon Bronson, sales manager for Centennial, Colo.-based PCI Compliance LLC.
But cheating on the questionnaire does nothing to enhance security, and it may shift the liability for a breach onto the ISO, Bronson says.
“I would say it’s rampant,” Bronson says of ISOs filling out merchants’ questionnaires. “My guess is 30% are answered partially or completely by the ISO. Those ISOs claiming 80% to 100%, that’s got to be baloney.”
But as part of that brighter outlook on security, ISOs can offer merchants advanced products and services, says Jeff Sawitke, senior vice president and chief product officer for Los Angeles-based Verifi Inc.
“Tokenization is definitely becoming the standard method of integration,” Sawitke says, adding that merchants now ask for tokenization and ISOs can require merchants to use it.
Besides protecting ISOs and merchants from breaches, tokenization can differentiate ISOs that offer it, he suggests.
With regulation and compliance requirements likely to become more stringent in the future, offering tokenization will become increasingly important, Sawitke predicts.
Even if ISOs do their best to motivate merchants to comply with PCI and the retailers genuinely try to follow the rules, complying with PCI cannot guarantee a lifetime free of data breaches, says Fuery.
“But compliance gives the best chance of keeping out of harm’s way,” he maintains. “You’ve lifted them off that lowest hanging branch, and it’s that much more of a pain for hackers to go after them.”
Thieves target systems with obvious vulnerabilities, going after the data on sites with antiquated hardware or software, Fuery notes.
Besides offering advice on what to do and what to avoid with PCI, security specialists offered tips on choosing vendors.
When picking a provider, remember that “you get what you pay for,” advises Trustwave’s Leos. He urges ISOs to choose companies with “full, robust” products and services.
Don’t settle for a company that fails to provide first-rate security just to justify charging merchants a fee for failing to comply with PCI, he advises.
Put security and the reduction of risk ahead of making a profit on fees, Leos advises. Remember that complying with PCI reduces the risk of a breach, he notes.
It also helps to choose an integrated security provider, says CSR’s Anderson. Having a single source for security simplifies billing and helps make a profit on supplying services to merchants, he maintains.
Make sure a vendor keeps security the primary focus of its work instead of concentrating on database management, advises Fuery of SecurityMetrics.
But most of all, forget the idea that PCI may recede into the background any time soon, Fuery advises. “It’s amazing how many are biding their time and hoping it will go away,” he says of PCI.