Page 30 - GS201201
Education
PI dwarfs PCI

By Mark Dunn
Field Guide Enterprises LLC

Everyone in the payments industry knows PCI. But have you met PCI's giant younger brother, PI? The onslaught of hacking commercial websites to steal personal information and credit card numbers had two major effects:

1. It focused the payments industry on preventing storage of payment card data through the Payment Card Industry Data Security Standard (PCI DSS).

2. It accelerated the development of federal, state and international regulations mandating protection of personal information, or PI.

PCI was rolled out more than 10 years ago to create a uniform standard for keeping personal account number information protected. PCI compliance was mandated by the card brands and implemented to include all sizes of merchants. The practical effect of PCI compliance was that every merchant had to fill out a self-assessment questionnaire and undergo a scan of their website.

ISOs made a significant amount of profit from PCI. They instituted PCI monthly fees for every merchant ID, or MID, typically between $9 and $15 per month. For merchants who didn't comply with the Self-Assessment Questionnaire (SAQ) or website scan, they instituted a monthly PCI non-compliance fee, typically between $19 and $30 per month. Over time, many ISOs were able to drive the cost of the SAQ and scan to below $1 per MID. Thus, PCI drove $8 to $20 per MID per month, or more, to an ISO's bottom line.

What do merchants get for their PCI compliance dollars? With most ISOs, it's pretty limited. The SAQ should identify any possible gaps in the merchant's use or handling of credit card data. The scan of the merchant's website should identify any vulnerabilities in the website's programming that might allow access to payment card data. Some ISOs also include a very basic breach insurance policy.

The point is that PCI's aims are limited. And the program that most ISOs deliver doesn't do very much for the money they get from the merchant.

PI is enormous

PI is the big leagues of data compliance. To stretch the sports analogy a little further, we might think of PCI as only the first quarter of a four-quarter game called PI.

Today, the elements of PCI are considered a subset of the broader issue of PI. PI is information that can be used to potentially identify an individual. PI is regulated by federal, state and international laws. PCI just touches the payments industry; PI covers every industry. In the United States alone, more than 300 regulations affect the utilization of PI, including more than 20 federal regulations and specific regulations for all 50 states. Violations of these regulations can lead to both civil and criminal penalties and sanctions.

The federal, state and international laws mandate that businesses and merchants must comply in how they collect, use and store personal information. PI includes every kind of data, both electronic and physical. It includes such items as financial records, health data, orders, personal data, data from apps and credit card data.

For example, you may have heard of the California Consumer Privacy Act of 2018 (CCPA) or the General Data Protection Regulation (GDPR) in the European Union.

Since the onset of the COVID-19 pandemic, businesses of every size and description have expanded their online presence. This is especially true for smaller merchants who have had to pivot to online sales. As a result, they have increased the ways in which their suppliers, vendors and customers interact with them. Many have launched new online order systems. And touchless systems have seen an explosion in sales. This means the touchpoints for PI have seen a dramatic increase as well.

So, if you've made it this far, you may be thinking to yourself, "Yeah, so what? Why should I care?"

First, your brick-and-mortar merchants, B2B clients and online merchants are subject to the mandates of these PI regulations. They have to comply. It's not optional. They have a need that they probably aren't even aware of and they surely are not focused on. And the question here is, who will supply the solution(s) that they need? And what value will they receive for the fees charged?

Second, you might want to view this as another revenue opportunity. PI, like little brother PCI, has the potential