Some ISOs dont charge merchants a fee for helping them comply with the Payment Card Industry data security standards. Then there are the other ISOs.
Some charge merchants that comply, others charge merchants that fail to comply and a few charge both.
Exactly which fee structure works best remains unclear despite the recent high-profile data security breaches that are emphasizing the need for security measures, observers say.
Acquirers charge feesor notbased on whats best for their business model and their security objectives, says David Meyers, senior director of business development for SecurityMetrics of Orem, Utah.
If theres any trend, its that more banks are finding that some sort of funding is necessary to run a program that gets any results, Meyers says.
That funding covers costs for security assessments and compliance assistance as well as internal resources for acquirers, he says.
We would contend that our product and service makes that resource requirement less than what our competitors do, but its still there, he says. You need someone to run the program. I would say if you had a program of 50,000 MIDs [Merchant IDs], you might need two people internally to help run that and maybe a couple of call center people additional from what you might already have.
When it comes to covering those costs and creating incentives for compliance, no one fee structure is ideal.
In theory, non-compliance fees encourage merchants to comply so they can save money, but the fees may not accomplish that, says Cliff Gray, senior associate at The Strawhecker Group, a payments consulting firm based in Omaha, Neb.
Unless you charge exorbitantly, its not going to have the effect you want it to have, and by the time you charge that much, the merchants just going to move to a different ISO, he says.
ISOs charging non-compliance fees often claim the fee revenue goes into an account designated for use in case of a breach, Gray says.
But weve never seen any real evidence of that, he says.
Non-compliance fees can also reward acquirers for doing nothing to increase compliance.
You get this situation where a bank has a revenue stream, says Meyers. Their objective is not to increase the revenue stream but to increase compliance. When they increase compliance, the revenue stream goes down.
He and his colleagues have recommended to some acquirers that they consider charging merchants fees for doing things like storing card data, which could be checked with a scanning tool. Merchants that do store data or fail to run the scan would be charged a fee.
Thats something that could really decrease risk, because if youre not storing card data, even if youre breached, theres nothing to get, he says.
On the other hand, non-compliance fees can encourage merchants to comply, says Larry Bouchard, senior vice president of business development for Clearent, a processor based in Clayton, Mo. Clearent charges merchants nothing if they have demonstrated they comply but charges them $12.95 a month if they have not.
Revenue from non-compliance fees may appear initially attractive, he says, but it comes with risks.
I would question some of those people if theyve ever been involved in a good breach; that revenue theyve potentially earned through those fees gets eroded quickly, Bouchard says.
Clearent also tries to simplify the compliance verification process, he says, by making assessment questionnaires available on its merchant portal and by teaching merchants about PCI. Clearent prefers to minimize the potential impact of fraud by increasing compliance, which Bouchard believes saves the company money in the long run versus a more laissez-faire approach of fees without education and compliance tools.
Its more important to me to educate the merchant, and I think its the spirit and intent of PCI-DSS supported by the card associations, he says. I dont think Visa and MasterCard support it because they see it as a revenue source. They support it because of the severe impact of a breach or other data compromise.
ISOs and other players in the payments chain that do not work to help merchants comply are also putting themselves at risk, Bouchard says. Breached merchants may be unable to pay fines that come with a data compromise, potentially leaving ISOs responsible for paying them. Merchants that go out of business because of a data breach also stop providing the ISO with revenue.
Plus, when merchants ask why theyre being charged a non-compliance fee, Bouchard likes that he can point them to the questionnaire and explain that theyll stop being charged as soon as they demonstrate they comply with PCI.