ISOs eye health care, other verticals for PCI education

It's a big challenge to educate small merchants on the importance of data security, but many acquirers and ISOs are jumping at the opportunity to fill the role of educator.

In particular, ISOs are targeting specific markets for education on Payment Card Industry data security standards and other compliance needs.

"We are seeing a lot of them taking a new vertical approach, like focusing on the health care space," said Steve Robb, senior vice president of product for fraud prevention and PCI compliance management provider ControlScan.

Such a trend is bringing compliance frameworks together, as many companies now must pay close attention to HIPAA regulations as well as PCI-DSS standards, Robb said.

"There are a lot of things needed to do to protect patient health information that are the same things needed to protect payment card data and comply with PCI," he added.

Acquirers and ISOs paying attention to industry trends also understand that doctors' patients want more payment options, a desire not lost on providers who are trying to expand payment acceptance capabilities.

But there are other arenas in which acquirers and ISOs will more readily bring solutions to the table. In many ways, the more aggressive moves into new verticals are in line with the acquiring and ISO industry's growing knowledge of digital and mobile technologies and its confidence in selling them.

Merchant services provider Cayan delivered another example of the trend last week with its acquisition of Card Payment Services LLC, giving it a foot in the door of the waste removal industry, which it cited as eager to shift to credit cards for payments.

"We're seeing special attention in the health care space, but we are also seeing a lot of it occurring in the legal space," Robb said. "Law firms haven't thought a lot about security in the past, but they have a lot of payment data and sensitive client data."

Acquirers and ISOs have a great opportunity to educate and deliver solutions to businesses in verticals not previously engaged in card or digital payments to build a long-term, sticky relationship, Robb added.

In that regard, the advancement into new verticals plays perfectly into the manner in which acquirers and ISOs have started presenting themselves — as a partner offering many more solutions and features beyond simply plugging in a point of sale terminal and processing payments.

While the focus has always been on the POS-driven sectors like hospitality and retail, it is not unusual to see ISOs and acquirers working with a vertical like parking.

"Operating parking lots sounds mundane, but when you start to look at it there is a tremendous amount of real estate spend and financial activity that goes on around that," Robb said. "Then there's the payments from remote locations that are sparsely staffed. We did some work with Ace Parking, and we are seeing others lining up."

This trend will be especially strong in the U.S. market, where consumers are increasingly turning to cards and digital payments, said Julie Conroy, research director and fraud expert with Boston-based Aite Group.

"I think we’re seeing acquirers and processors entering verticals that had traditionally been more intensively check-based for their payments," Conroy said.

But any transition to cards or digital payments also attracts the attention of fraudsters, who see these verticals as easier targets because those companies are less fluent in data security.

"Most of the merchants whose payment volume is transitioning from check to card are small, and we all know that the organized crime rings love to target small merchants who are often less protected," Conroy added. "Their breaches are harder to detect through CPP [common point of purchase] analytics."

For Atlanta-based ControlScan, it means the mission to educate ISOs and their merchant clients about PCI compliance will have to cover even more bases.

The company introduced its new SecureEdge platform last week, a cloud-based PCI management tool that can be tailored to fit the program a particular ISO or acquirer is offering to clients.

"We can put their products right into the process and tailor the program around how those products work and how the merchants are using them," Robb said. "We are trying to simplify the process and get down to the truly relevant aspects of PCI for a particular acquirer's merchants."

ControlScan, like many other fraud prevention companies, continues to focus on the potential vulnerabilities of merchants' interactions with their vendors.

"There are a lot of varying basic practices out there, with some just leaving remote access open to a network," Robb said. "Some just leave it available for the service providers to get in, rather than doing it in a more secure way."
