The Green Sheet

Monday, January 14, 2013

It's revenue versus risk for Level 4 PCI compliance

One year after releasing a benchmark study on Level 4 merchant Payment Card Industry (PCI) Data Security Standard (DSS) compliance from the acquirers' perspective, ControlScan and the Merchant Acquirers' Committee issued an update: Risk and Revenue: Second Annual Survey of the Acquirer's Perspective on Level 4 Merchant PCI Compliance. The report explores major shifts in the process as PCI programs gain traction. In all, 123 banks, processors and ISOs with Level 4 merchant portfolios were surveyed for this year's report.

One obvious shift identified was the move toward revenue generation as opposed to risk mitigation as a primary goal of acquirer PCI compliance programs. The report also revealed that acquirers with organizationally supported PCI programs continue to achieve higher compliance rates and experience fewer breaches. Lack of perceived value combined with low merchant PCI compliance rates were perceived as the most significant barriers to an effective PCI program.

"Competitive pressures in the payments space impact how acquirers balance their merchants' needs with their own business need for a healthy bottom line," stated Joan Herbig, Chief Executive Officer of ControlScan. "Traditional merchant services are no longer as profitable as they once were, so we're seeing a conflict between risk and revenue play out in the way acquirers manage their PCI programs."

Susan Matt, Chief Financial Officer at MAC, added, "It's making sure that there's that fine balance between profit generation and risk mitigation, such that the risk does not exceed what they're making in the profit, and you're creating more problems than you are solutions."

Education paving the way

The survey showed that education continues to play a critical role in merchant PCI compliance. "I think most acquirers are communicating once merchants are boarded into their system," said Heather Foster, Vice President of Marketing at ControlScan. "But there is still a lot of work that has to be done before you board a merchant, so the merchant understands this is just a necessary part of business, and there are no surprises when they sign up."

As such, acquirers must continue to remind merchants that PCI compliance is an ongoing process. "They think it's a one-time thing and they don't have to do it again," Foster noted. "As you're approaching your communication plan for the year, you have to get them thinking about it in advance of the revalidation date." One suggestion offered was to create a PCI compliance click-through that allows merchants to view the PCI process when logging into the acquirer's portal.

Another suggestion for reducing risk without sacrificing profitability is to segment merchant portfolios. "What I'd like to see is a shift from dumping PCI out to your entire portfolio to a risk stratification concept, so that at a minimum you're focusing on getting those higher risk merchants [compliant]," Matt said.

The report also contains specific recommendations to help acquirers successfully engage their Level 4 merchants in the PCI compliance process. To view a copy of the free report, visit www.controlscan.com/whitepapers/acquirer_study_2013.php.


Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
