Page 36 - GS220202
Views
PCI the easy way

By Ken Musante
Napa Payments and Consulting

Merchants hate PCI compliance portals more than they do the associated non-compliance fee. That's why so many pay the fee each month. For most, this is an unfair burden because the need is waning and the process to comply is circuitous. Indeed, Visa and Mastercard recognized EMV cards aren't subject to counterfeiting and have longstanding PCI validation exemption programs. Why aren't we making it easier for merchants?

Enter the dragon

A merchant must navigate two sets of questions to properly comply with a PCI certification and attestation. The first set defines the environment and the specific questionnaire they must complete. Ecommerce merchants, for example, have a different environment than POS merchants. There are nine different Self-Assessment Questionnaires (SAQs). Security Metrics does a great job detailing them here: https://bit.ly/3sQbx8C.

Once the environment is defined, merchants must answer questions related to their specific environment. However, the questions used to define the environment and the SAQ questions are too technical for most merchants. Defining the environment, for a merchant not familiar with our industry jargon, is difficult. The SAQ, too, is jargon-packed. Even if a merchant successfully completes the SAQ, that doesn't ensure they will remain compliant.

Would you like fees with that?

As an industry, we compound the issue by charging PCI fees. Often a merchant will be charged a monthly or annual PCI fee, typically $8 per month, plus, if they don't complete the SAQ, a PCI non-compliance fee of $35 to $55 monthly.

While there is risk for an acquirer if a merchant doesn't validate PCI compliance, these fees are an enormous profit center, especially the non-compliance fee, as there is no marginal expense associated with adding a merchant, regardless of their compliance status.

The payfac alternative

Many payfacs have exploited this frustration and provided solutions where merchants must neither complete the SAQs nor pay PCI fees. Payfacs aren't exempt from ensuring their sub-merchants are compliant. Payfacs face the same risk and fine structure as traditional acquirers, but payfacs provide a solution that enables them to better manage access to card data and more uniformly ensure data is secure. Square's site, https://squareup/us/en, for example, states:

"Since Square itself is PCI compliant, we don't require account holders to validate PCI compliance. Merchants who use Square for all storage, processing, and transmission of payment card data do not need to validate PCI compliance for those transactions."

Square reserves the right to hold its sub-merchants responsible for fees in the event of a breach; however, because Square is the merchant of record, Square doesn't require attestations from each of its sub-merchants. Instead, it provides a solution that meets PCI requirements as long as the solution is used in accordance with specifications.

A better way

The need for the Payment Card Industry Data Security Standard (PCI DSS) came about because of voluminous hacks and subsequent counterfeit fraud. With EMV migration, the need for card-present merchants to validate PCI compliance has diminished. EMV cards are difficult to counterfeit; even if a card-present solution were compromised, the breach wouldn't result in a loss.

Consequently, as mag stripe use diminishes, the need for PCI validation wanes. The card networks have long known this. As early as 2017, Mastercard and Visa instituted programs to exempt card-present merchants from PCI validation so long as at least 75 percent of their transactions were processed through an EMV-compliant device. Now, all four major card brands (AmEx, Discover, Mastercard and Visa) have exemption programs for card-present merchants.

These programs are little used and not widely known. Perhaps the monthly and annual fees charged dissuade acquirers from adopting them. This is short-sighted, as it provides merchants one more reason to migrate to a payfac.

Acquirers would be wise to consider a blanket policy of exempting all their card-present merchants utilizing EMV-compliant devices. This would provide substantial uplift in merchant satisfaction and tremendous marketing potential. It could differentiate an acquirer's program and reduce fees during an inflationary cycle. The ensuing revenue hit would be offset by a decrease in attrition and an increase in new accounts.

As founder of Humboldt Merchant Services, co-founder of Eureka Payments, former executive at WePay, and founder of Napa Payments and Consulting, Ken Musante has experience in all aspects of successful ISO building. Contact him at kenm@napapaymentsandconsulting.com, 707-7656 or www.linkedin.com/in/ken-musante-us/.