No one ever wishes for a data breach. But payments companies see a silver lining in the widespread publicity devoted to the holiday breaches at Target and Nieman Marcus.

The attacks could help ISOs raise awareness of payment security matters among small businesses owners.

Many of those merchants are finally paying attention, now that two major corporations—and millions of their customers—have fallen prey to hackers.

“The Target instance is a great platform to stand on and get this information out there. Because this is such a televised occurrence, retailers are seeing what’s going on,” says Rose Tarrant, compliance and risk officer for Signature Card Services, a Los Angeles-based ISO.

Persuading small businesses to comply with the Payment Card Industry data security standards can feel like translating a foreign language. For many mom-and-pop shops, PCI represents yet another set of technological terms they need to figure out to accept credit cards.

Smaller merchants also have a false sense of security. No one ever expects hackers to prey on lesser targets like the corner pizzeria, the neighborhood flower shop or the farmer’s market vendor accepting payments on his smartphone, says Rick Allen, PCI compliance director forPayPros Inc., an ISO based in Newark, Calif.

“Bad guys are just as interested in getting the goods on you as they are the larger targets that get all the notoriety,” Allen says.

Breaches among small to midsize merchants are increasing, according to the 2014 survey on The Acquirer’s Perspective on Level 4 Merchant PCI Compliance by ControlScan Inc. and the Merchant Acquirers’ Committee. The study indicates a 23% increase in survey respondents with a merchant breach in 2013, compared with the previous year. Of those respondents, 64% had more than one merchant breached.

Awareness of breaches is growing among small merchants, though. Of the small to medium-sized businesses surveyed, 69% indicated awareness of PCI in 2013, compared with 54% the previous year.

“It’s a great time for merchant service providers to capitalize on this awareness so that there’s more knowledge,” says Heather Foster, vice president of marketing for ControlScan.

In the payment industry’s alphabet soup, PCI can strike merchants as just one more hard-to-digest jumble of letters.

So who should bear the task of making PCI easier to swallow?

The commonly held belief in the industry is that ISOs make the most logical messengers because they have the greatest access to merchants.

Anush Amiryants, executive vice president of Signature Card Services, believes ISOs and the card brands are ultimately responsible, and he says they should collaborate to teach merchants about PCI. That entails translating the jargon of the PCI world into simple-to-understand layman’s terms, and spinning PCI stories merchants can relate to.

“We need to stop speaking cryptic PCI language to merchants and start using simple terms if we want to achieve PCI compliance,” she says. “Telling stories like Target and how relevant it is to them is a great start.”

Amiryants suggests that the card brands could develop a national advertising campaign or some other initiative geared toward merchants to explain in very simple terms how breaches can affect them.

“They’re big enough and powerful enough to collectively do some sort of educational campaign through national television and social media to educate merchants, not just cardholders,” she says.

PCI security vendors should share the responsibility for education, too, says Randy Vanderhoof, executive director of the Princeton Junction, N.J.-based Smart Card Alliance. Merchants rely on their processors for much of the knowledge and technology they need to operate their business from a payments perspective. So the suppliers and contractors who manage or maintain merchants’ payments systems have a significant role to play, he says.

The management of the retail business is ultimately responsible for making sure that all possible security recommendations are followed, and that they’re keeping up with any new attacks and or threats, he says.

“This recent malware that impacted Target and Nieman Marcus could be software that didn’t exist six months to a year ago,” Vanderhoof says. Security systems intended to detect malware might not have even been able to recognize it, he notes.

An expanded version of this article is scheduled to appear in the March print edition of ISO&Agent and on

Subscribe Now

Authoritative analysis and perspective for every segment of the payments industry

14-Day Free Trial

Authoritative analysis and perspective for every segment of the industry