Acquirers and independent sales organizations can generate more revenue by closely studying what security levels their merchants need, according to a new survey.
Acquirers say their top goal with Payment Card Industry data security standards is to reduce merchants' risk from cardholder data compromises, according to ControlScan's third annual survey on acquirers' perspectives on PCI compliance for smaller merchants.
But acquirers that view compliance as a revenue source have opportunities to generate more by researching security services and merchant needs, says Susan Matt, CEO and founder of ThoughtKey Inc.
Matt joined Heather Foster, vice president of marketing for Atlanta-based security technology provider ControlScan, in a Jan. 30 online presentation to share the study's findings.
ControlScan surveyed nearly 140 companies, 53% of which were ISOs, between October and November of 2013 to gauge how they handle PCI compliance services and how their merchant clients incorporated those programs. The company names came from databases at ControlScan and the Merchant Acquirers Committee.
About 48% of survey respondents said their PCI compliance revenue remained static in the past year. However, 42% cited an increase and only 10% a decrease.
Unlike in past studies, where acquirers rated revenue as a top priority for offering PCI compliance services, this year they named risk reduction as a top goal.
That change likely came about because of recent data breaches and the fact that an improving economy has put less strain on acquirers' revenue streams, Matt says.
"But the reality is that there is still this treasure chest of additional revenue and it is tough to give that up," Matt says. "Resources may still be really constrained, so they can't really execute on the goal of targeting risk reduction while their revenue stream is in the same place."
However, if acquirers don't stay focused on the goal of reducing risk, they are likely to run into trouble with data breaches among their small merchant accounts, Matt adds.
About 29% of those surveyed say that 60% or more of their merchant clients are PCI compliant. Fifty-four percent of acquirers say their goal is to have 60% of merchants compliant.
"To get from where the program is now, to where they want it to be, shows that acquirers need to have a real focused approach on merchants at the highest risk," Matt says.
Acquirers should avoid a less-sophisticated approach in targeting their merchants and instead compile the necessary data to categorize them in risk-based segments, Matt adds.
"You can't just start throwing solutions out there," Matt says. "You have to get the data points together and then get the merchants what they really need."
The study reveals that about 35% of acquirers charge merchants from $71 to $100 a year to participate in a PCI program, while charging from $11 to $25 a month in non-compliance fees.
Eighty-two percent of acquirers say that imposing non-compliance fees prompted more merchants to achieve PCI compliance. Eighty-four percent say they imposed non-compliance fees either immediately or within three months after a merchant starts a PCI program.
The study shows that PCI compliance is maturing, ControlScan's Foster says.
In a separate ControlScan survey, small merchants' familiarity with PCI standards was at an all-time high, with 69% saying they are familiar with the requirement and 30% of those saying they are "very familiar."
Of those who say they are aware of PCI, 70% say they received PCI compliance validation in 2013, compared to 50% in 2012.
However, the overall compliance rate for all small to mid-size merchants surveyed in 2013 was just 40%.