Views




Insider's report on payments

Leading the charge on card data security

By Patti Murphy
ProScribes Inc.

It's time for the industry to get fully behind a card security regimen that benefits everyone in the payment stream: merchants, customers, issuers, acquirers and the card brands, too. And the first step in that process should be an honest and open dialogue about the vulnerabilities that exist and how they can best be contained.

The urgency of the situation is being driven by news reports of breaches involving high-profile retailers, like Target Corp. and Neiman Marcus Group, as well as spiraling costs – both social and financial.

The Ponemon Institute, a Michigan think tank that conducts regular data security research, reported in 2013 that 60 percent of the small and midsize businesses it surveyed had experienced at least one data breach in the preceding 12 months; 51 percent said their businesses' reputations had been damaged as a result of those breaches. The average cost of each of those breaches was $900,000, Ponemon noted.

The online channel is especially vulnerable. A 2012 consumer survey by the Edelman Data Security and Privacy Group found the vast majority of consumers (84 percent) consider information privacy and security to be very important when purchasing items online. Yet only 33 percent said they trusted online retailers to properly protect their personal information.

Smaller is not safer

Not long after the initial news reports about the Target and Neiman Marcus breaches, I was shopping at a small store and I found myself engaged in a conversation about card data breaches. "You know, it's a lot safer using your card at a small shop like ours, because [cyber-criminals] don't even know about us," the store manager said.

I couldn't let that pass without comment. "Who is your acquirer?" I asked.

"Heartland," she responded.

"Are you aware Heartland was breached a few years ago?"

She wasn't, and as it turned out, the store had a different acquirer at the time, so it wasn't affected by that breach. But the entire exchange got me to thinking about just how uneducated many merchants are about card data security, and how acquirers, ISOs and their partners can and should do more to turn the situation around.

A report released earlier this month by the payment security company ControlScan Inc. and the Merchant Acquirers' Committee illustrates my point. Just 44 percent of the merchant services providers surveyed said they offer clients risk-reducing tools or services beyond just providing access to the Payment Card Industry (PCI) Data Security Standard (DSS) Self-Assessment Questionnaires and external vulnerability scanning.

Among ISOs and acquirers that do offer additional services, tokenization and point-to-point encryption are the most common, the survey revealed. With tokenization, sensitive cardholder information is masked with unique identifiers for purposes of authorizing and completing transactions. Tokenization has emerged as a viable security option, especially when used in conjunction with encryption, because it eliminates the possibility of merchants retaining card account information. That, in turn, reduces merchants' PCI compliance costs.

Some may balk at the notion of lowering merchant compliance costs, as in many cases PCI compliance fees contribute to bottom-line profits of ISOs and acquirers. But that's a short-term view of a long-term problem. And it doesn't bode well for merchant retention.

"Today's threat environment challenges merchant service providers to take a fresh look at their PCI programs," said Heather Foster, Vice President of Marketing at ControlScan. "Small merchants in particular need guidance in terms of readily available technologies and services that reduce PCI scope and support a strong security posture."

Susan Matt, Chief Executive Officer of payment consulting firm ThoughtKey Inc., and a MAC member, said the survey results point to significant opportunities for merchant acquirers and their sales partners. Among these are the "ability to offer merchants risk-reducing tools as well as justification for being more aggressive in charging non-compliance fees," Matt noted. And companies that "seize these opportunities will achieve greater risk reduction overall, gain revenue and ensure merchant retention," she added.

Further findings from the ControlScan/MAC survey suggest acquirers and their partners are making progress toward greater PCI-compliance validation among small merchants. For example, more companies are seeing portfolio compliance rates that exceed 40 percent. On the flip side, the survey revealed there has been a 23 percent increase in the number of merchant breaches since 2012.

The report contains results of ControlScan's latest poll of acquirers' perspectives on PCI compliance. Titled Building Momentum: The Third Annual Survey of Acquirers' Perspectives on Level 4 Merchant PCI Compliance, it also includes recommendations for successfully engaging merchants in the PCI compliance process. I've summarized those here,