Many who work in the ISO and acquiring business today likely have dealt with in some way the effects of a payment card data breach.
Often tens of thousands of new credit or debit cards are issued because of a compromise. And surely friends, family and acquaintances subsequently have talked about a breach, often revealing some discomfort with the idea of using their payment cards, especially online.
Simply put, cardholders want the security of knowing their cards are used solely with whom they intend to buy and for what they intend to buy.
The importance of security to the payment card industry is paramount. A secure system gives consumers, merchants and the acquiring industry a necessary comfort.
Even with a shared goal of security, ISOs and acquirers still encounter challenges convincing merchants of the need to ensure their payment systems comply with data-security measures from the Payment Card Industry Security Standards Council.
Low-cost PCI compliance programs can help. One ISO, American Payment Systems LLC, found that merchants balked at paying a small monthly fee-$7.95-to participate in a compliance program. When the company in January switched to an annual fee of $50, they became more willing to cooperate, says Steve Cartwright, the ISO's chief financial officer.
The change also appears to have stymied some competitors' arguments that merchants could avoid paying monthly fees by working with them instead because they did not assess such charges, he says. "That was continually in our merchants' faces," Cartwright says.
Other evidence suggests that the ISO and acquiring business has begun to take providing PCI-compliance service more seriously. Indeed, ISOs that offer services for merchants that address PCI compliance appear to have eclipsed the half-hearted measures of the past, says consultant Deana Rich with Rich Consulting. ISOs and acquirers understand that if merchants pay for a service, there should be tangible benefits, she says.
"About a year and a half ago, people were ignoring [compliance efforts]," Rich says. "But they charged for them anyway."
Today, the situation is much different, she says. "[Merchants] are paying a fee, but they are getting a service."
The intangible benefit may be an increasing comfort level to talk about security with merchants. That can help ease merchant concerns and help them to understand their role in securing payment networks.
Editor's Note from the September/October 2010 issue of ISO&Agent.