PCI: The Right Way

October 6th, 2009


Experts in the payment industry believe that lack of education and inaction are the two biggest obstacles to bringing Level 4 merchants into compliance with the PCI (Payment Card Industry) DSS (Data Security Standard). Most small and medium-sized merchants are still perplexed by the purpose and language of PCI compliance, despite efforts by ISOs (Independent Sales Organizations) and MLSs (Merchant Level Salespeople).

To address this, ControlScan Inc., a PCI security and solutions provider, the National Retail Federation (NRF), and PCI Knowledge Base, a research firm, released a report called What Small Merchants Know (And Don't Know) About PCI Compliance. Level 4 merchants are those that process fewer than one million card transactions annually, or fewer than 20,000 e-commerce transactions annually for web-based businesses. The report was based on a survey of 220 merchants classified as Level 4.

David Taylor, the founder of PCI Knowledge Base, says that since PCI DSS was introduced in 2005, awareness has increased by 86 percent; however, a lack of understanding has kept a large number of merchants from taking action and validating their PCI DSS compliance.

According to Taylor, many of the merchants he has spoken to don't believe that PCI is worthwhile, and they don't accept that being PCI compliant makes them secure against a data breach. Payment security organizations are getting frustrated because the level of action and knowledge they are seeing is minimal. As Taylor acknowledges, awareness of a requirement does not by itself produce a positive attitude toward it.

According to the survey, 85 percent of breaches occur at small businesses, and 81 percent of breached businesses that were subject to PCI DSS were not compliant at the time of the breach. The fines a small business faces after a breach are much higher than the cost of upgrading terminal systems and validating compliance: $5,000.00 to $25,000.00 for every month of noncompliance.

All three organizations are offering the report on their websites at no charge. The survey's main goals were to gauge merchants' acceptance and understanding of PCI, their level of confidence in their PCI programs, their awareness of the risks associated with being breached, and the money they spend on compliance.

Heather Varian Foster, Vice President of Marketing for ControlScan, voices her concern: "My main worry is that these merchants think that they know more than they really do... they view PCI and security very high, but they don't see how much risk they face, and that's the dichotomy. And certainly through our partnership with the NRF and PCI Knowledge Base we are working to help educate all those involved."

Foster goes on to say that when merchants express their thoughts on PCI compliance, they are willingly opening the door to PCI services and products. She states, "Most Level 4 merchants' compliance rates are very low, so I think this is huge progress and something we can use as a platform to help them fine tune what they need to know and provide better service and instruction as an industry to keep them from being a statistic." She believes that merchants are asking for assistance and guidance in securing their businesses without it becoming too much to handle.

Helping merchants complete the PCI Self-Assessment Questionnaire (SAQ) and explaining the requirements in plain terms, so they understand what PCI compliance entails, gives ISOs and MLSs an opening to take the initiative in administering PCI compliance programs, according to Foster. Merchants want to be informed, but they want their service providers to be their number one resource.

Foster adds, on PCI education: "There really has to be specific training, so that what we've done through this partnership is to really drill down and target a focused education program so those ISOs and acquirers can position their PCI service as a value that ties to that level of support and have the opportunity to really distinguish themselves."

Many ISOs are starting to include PCI as part of their product development process. Getting PCI beyond a check-the-box approach may be a challenge, but there are certainly ways to do it, and the NRF and PCI Knowledge Base have helped make the process as simple as possible.