MAC says more can be done to secure card data

The Merchant Acquirers Committee wants merchant acquirers and processors to invest more in card data security tools that can relieve merchants from the hassles of Payment Card Industry (PCI) Data Security Standard (DSS) and related security standards compliance. It could be good for business, MAC wrote in a new report. It also would make card payments safer and easier for merchants to accept.

According to The Impact of Breaches: A Survey of MAC Members on the Realities of Data Breaches, merchant PCI compliance is lower than most stakeholders are willing to admit. And it suggests that “the relatively low number of breaches and the small amount of fines assessed” provide acquirers and processors with “little incentive to quell breaches through proactive measures." Thus, they opt instead to either absorb losses or pass them on to merchants.

“Acquirers should take a more active role with the breach problem by investing in technology that protects merchants while they process payment data. Merchants may perceive this value-added service as a reason to continue their current processing relationship, and it could offer acquirers a competitive advantage,” wrote Dr. Branden R. Williams, a technology and information security consultant commissioned by MAC to query members about PCI compliance trends. Williams believes EMV (Europay, MasterCard and Visa) technology may be more readily accepted by merchants than PCI has been, “especially since enablement happens directly in the terminal,” he stated in an email exchange.

PCI compliance lagging

MAC is an organization of bankcard risk professionals; it counts members from over 500 firms, including processors, acquirers, banks, ISOs and the card brands. Approximately 20 percent of MAC’s membership participated in the survey, which addressed PCI compliance at all four merchant levels, according to the report.

Following are some of the study's key findings:

• PCI compliance rates remain below 70 percent across all merchant levels.
• Compliance among Level 4 merchants is lowest, at 39 percent.
• Breaches are an equal opportunity problem. “There is no one level more likely to be breached than another.”
• Breaches and the non-compliance fines associated with breaches are relatively small and localized. The survey results show “financial impacts of the breach problem do not appear to be as severe as perceived or advertised in the media and other surveys.” In fact, just 119 of the over 1.1 million merchants reviewed had been involved in breaches; just five reported more than one breach during the previous 12 months.
• Shopping trends indicate that “consumers do not significantly alter spending habits” relative to breached merchants, at least over the long term.

The report concluded that acquirers and processors aren’t doing much to push PCI compliance at the merchant level. One alternative is to “consider investing in tools that effectively remove the merchant from the need to address PCI DSS and charge a premium for these tools. Merchants may perceive this value-added service as a reason to continue their current processing relationship, and it could offer acquirers a competitive advantage,” the report stated.

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.