More ISOs Make Merchants Pay for Skipping Security Compliance

Small store operators face rising challenges in PCI compliance, with confusing and overly technical requirements that are proving costly.

November 11, 2013

NEW YORK — Independent sales organizations (ISOs) are increasingly leveraging fees to compel retailers to take Payment Card Industry (PCI) security standards compliance seriously, Payments Source reports.

"About 30% to 60% of most ISOs' merchants comply with PCI, and probably 30% is more common than 60%," said Mark Dunn, president of Field Guide Enterprises LLC, a consulting firm in Heartland, Wis. Many merchants "think of PCI compliance as a paperwork requirement…a lot of merchants start the process but never complete it because they get hung up on the self-assessment questionnaire."

The fees emerged more than two years ago as a way to prod merchants to comply with industry standards. ISOs charge between $19 and $25 a month for non-compliance, Dunn said, far more than the roughly $7 per month fee to keep up with PCI compliance.

"An ISO has to be able to show that they're proactively taking steps to get their small to medium-sized merchants to comply with PCI requirements," Dunn said. "ISOs want their merchants to comply because it's less risky."

Card brands allow some retailers to be excluded from validating their PCI compliance each year, but they must meet a range of criteria. While NACS advocates strongly for data security, it takes issue with a process that is overly taxing and complex for the small store operator.

“Small merchants, a huge swath of U.S. retail, are the forgotten masses in PCI compliance. Confusing and overly technical requirements for reducing risk, combined with mind-numbing compliance documents, have effectively pushed small merchants into non-compliance,” said Doug Spencer, NACS director, products & services. “Where these merchants use ISOs for their processing needs, they are subjected to what amount to ‘fines’ from their ISO for non-compliance, further increasing their cost of transactions, while providing no relief in risk or liability.”

“PCATS and NACS are actively advocating with other trade groups to get the PCI Council to address this ‘catch-22’ situation, and provide meaningful tools and resources for small merchants to reduce risk, then achieve compliance,” said Gray Taylor, PCATS executive director. “Should PCI and the card brands not recognize the special needs of small merchants, it is reasonable to expect that the card brands should greatly reduce the liability of main street merchants, or fix their products so such over-the-top processes are not required.”
