More independent sales organizations are using fees to force merchants to take Payment Card Industry security standard compliance seriously.
"About 30% to 60% of most ISOs' merchants comply with PCI, and probably 30% is more common than 60%," says Mark Dunn, president of Field Guide Enterprises LLC, a consulting firm in Heartland, Wis. Many merchants "think of PCI compliance as a paperwork requirement. A lot of merchants start the process but never complete it because they get hung up on the self-assessment questionnaire."
Non-compliance fees emerged about two and a half years ago as a way for ISOs to take a stick approach with merchants, he says.
The requirements in general are not that onerous, Dunn says. Merchants only need to fill out the self-assessment and get their website scanned for vulnerabilities. However, merchants give up on the questionnaire if an outside company or the ISO itself isn't helping them understand the questions, he says. Most ISOs rely on vendors to help merchants get through the compliance process.
ISOs charge merchants between $19 and $25 a month for non-compliance, says Dunn. When a merchant notices the fees, it usually calls the ISO, which then explains what's required to become compliant. While there's still a cost for keeping up with PCI compliance, those fees are about $7 per month or between $79 and $85 a year, Dunn says.
"An ISO has to be able to show that they're proactively taking steps to get their small to medium-sized merchants to comply with PCI requirements," Dunn says. "ISOs want their merchants to comply because it's less risky."
While non-compliance fees could be a disincentive for ISOs to make sure their merchants are compliant, an ISO's portfolio is worth less if a majority of its income is based on those fees, says Linda Grimm, executive vice president of operations for Global Electronic Technology, an ISO.
"Charging fees is like an insurance policy," Grimm says. "If a merchant is compromised and can't pay the fees, an ISO has priced its portfolio properly to take care of it."
Usually the focus starts on e-commerce merchants, whose websites pose more of a risk than brick and mortar merchants that use terminals, Dunn says.
But soon, many merchants will be shifting their point of sale terminals to ones that support EMV-chip cards to meet an October 2015 deadline set by the card networks. If merchants miss that deadline, they become liable for EMV-card fraud.
The card brands have also created a program that allows some merchants to be excluded from validating their PCI compliance annually, but these merchants must meet specific criteria, Grimm says. They must use EMV-enabled terminals, be a face-to-face retailer, have validated PCI compliance in the previous 12 months, confirm that they're not storing authentication or other sensitive customer data, verify they have never been breached, and have 75% of total transactions originate from EMV cards, she says.
"There's a misconception that EMV will make PCI go away, and that's simply not true," Grimm says. "Only a select few merchants will be eligible to stop validating compliance every year. The program is really designed for large big-box merchants," who must still be compliant, she says.
Most merchants being helped by ISOs are small to medium-sized and won't qualify for the program, she says.
"ISOs, in an effort to differentiate themselves, can use PCI and other compliance-based solutions to help their merchants [after the U.S. migrates to EMV] and solve problems for them," Grimm says.