The Payment Card Industry Data Security Standard is all about money — but increasingly, the question is whether it’s about protecting money or making money.
Acquirers that work with small businesses rank revenue generation slightly above security as a benefit of PCI compliance, according to a recent survey by security vendor ControlScan.
“But it costs money to lose your business [because of a breach], too,” says Bob Russo, general manager for the PCI Security Standards Council. The council maintains the PCI standard and related guidelines.
The PCI standard’s value to security stands to improve this year, Russo says. “This is a year in which we establish new standards based on all of the feedback and work that has been done, and at the same time we have mobile payments [news] all over the place and EMV [smart card technology] coming to the U.S.”
The busy year ahead, together with a decrease in data breaches over the past few years, shows that PCI “is working and has been working,” despite merchant concerns about the costs associated with compliance, Russo says.
“I can’t blame the acquirers [for viewing PCI as a revenue opportunity], because it costs money to be secure,” Russo adds. “But we are seeing a fraud migration to smaller merchants, and being PCI compliant is a shared responsibility between merchants and those selling equipment and applications.”
The PCI council will continue to push its message that data security calls for “people, a process and technology,” Russo says.
As such, the council is encouraging its more than 650 participating organizations to get involved this year in the upcoming advisory board election, in the new special interest groups that research assigned topics, and in this year’s PCI community meetings.
The 2013 community meetings have been set for Sept. 24 to 26 in Las Vegas; Oct. 29 to 31 in Nice, France; and Nov. 20 in Malaysia.
The organization has work to do in educating small-business owners, Russo says.
“Small merchants have a lot of issues, primarily that they are not always in tune with data security,” Russo adds.
Small-business owners don’t always think of card data as a tangible asset they have stored at their business, Russo says. “A bike shop owner would lock his doors so that the bikes are not stolen, but he has to do the same with card data.”
PCI provides the information, as well as a list of PCI-certified security vendors, to make it easier for a small-business merchant to understand the need for standards compliance, Russo says.
“When you get the chance to explain the reasons for data security in person, like to a group of merchants, the light bulb goes off and they realize they have to do something,” Russo says.
Small merchants are becoming more aware of PCI, compared with three years ago when most had no idea, says Susan Matt, CEO of ThoughtKey Inc., an Atlanta-based PCI consulting firm.
“But I am seeing a shift in the past two years of merchants being taken out of the PCI equation because there are a lot of hosted services doing the compliance work for them,” Matt says.
Allowing experts to handle the compliance process has a downside in that merchants tend to “take their eye off data security a little bit,” she says.
The revenue benefit of PCI “is an acquirer thing,” Matt says. “There is a tradeoff, and merchants are generally happy to pay someone to keep them informed and educated about PCI compliance.”
Matt says she is not certain if it is a troubling or positive trend for small merchants, but she says many are now contemplating whether an insurance policy to cover damages from any potential data breach would be less expensive than ongoing PCI compliance.