Acquirers may be wrong if they believe they can coerce small merchants into complying with security standards by charging them fees.
Some 52% of the acquirers responding to a recent survey said they charge fees to merchants that fail to comply with Payment Card Industry data security standards. And among those levying the fees, 80% believed the penalties nudge small merchants to abide by the rules.
But the results of a study released Jan. 9 by the Merchant Acquirers’ Committee, a security-oriented association, and ControlScan Inc., an Alpharetta, Ga.-based provider of security services, indicate the strategy does not always work.
If two or three months of noncompliance fees fail to convince a merchant to follow the PCI rules, the merchant becomes accustomed to the fines and becomes unlikely to change because of them, says Heather Foster, ControlScan vice president of marketing.
“It’s a short-term strategy to charge fees,” agrees Susan Matt, the committee’s chief financial officer and CEO of ThoughtKey Inc., an Atlanta-based consulting firm.
Those comments were supported by the study report “Benchmarking Level 4 Merchant PCI Compliance – The Acquirer’s Perspective,” which ControlScan and the committee completed in October.
The two groups conducted the study for the first time and intend to repeat it annually to benchmark and track progress in making transactions more secure among Level 4 merchants. Visa defines Level 4 merchants as those accepting fewer than 20,000 Visa transactions annually.
Survey responses came from 146 banks, processors and independent sales organizations. The responding ISOs ranged from having fewer than 1,000 merchant accounts to more than 50,000.
Some 75% of the acquirers that charge fees for failing to comply with PCI say they fine merchants between $11 and $25 per month, Foster says. Among those charging the fees, 59% begin the assessments only after an initial grace period of two to three months for new merchants, she says.
Acquirers may view the fees as a source of income, but funds collected that way probably fall short of covering the costs of breaches that might result from failing to comply with security standards, Foster says.
In other findings, the survey results support the widely held view that PCI compliance reduces the number of breaches merchants experience.
Among acquirers with less than 10% of their merchants in compliance, 100% had at least one breach in the previous 12 months, the survey data indicate. Among acquirers with compliance rates of 11% to 25%, the likelihood of having had a breach in the previous year fell by half, to 50%, according to the study.
Some 36% of acquirers with 41% to 60% compliance had retailers that experienced a breach in the previous 12 months, while 17% of those with more than 61% compliance had merchants fall victim to a breach over a similar period, the survey data indicate.
The survey also found that 61% of PCI programs have been in place for two years or less, and that one-third of respondents said at least one of their merchants had a breach during the previous 12 months.
Although the committee and ControlScan surveyed acquirers on small-merchant compliance for the first time late last year, ControlScan has polled small merchants themselves three times.