As Payment Card Industry deadlines come and go, I’ve noticed a rash of acquiring banks, card processors, ISOs AND vendors jumping into the mix to get a piece of the compliance pie fees.

So, what does this mean for small- or medium-sized merchants? Well, this influx does show that companies of all walks are becoming more aware of security and PCI compliance. That is good.

But the influx also means plenty of opportunities for questionable practices that may not serve to improve the true state of security with the best interest of the merchants. That is not good.

Becoming PCI compliant is a daunting task for any merchant, especially small merchants. Whether you’re a merchant or an acquirer, you should learn more about security and PCI before selecting a compliance partner. You should also beware of simply going with the vendor who offers the lowest fees. Understand what you can expect from the PCI vendor and make sure the result is a more secure business.

Despite the inherent complexities surrounding PCI compliance, we’ve all seen ill-conceived  programs that don’t provide the most basic of services or support to merchants. Some don’t even provide a basic education in PCI. Bottom line, smaller merchants need real help with becoming—and staying—compliant.

After all, no one wins if you get fined. Or worse, breached.

Which makes me think. What is really driving this behavior? Is it to protect shoppers’ payment card data? Is it to minimally satisfy the card brands’ mandates? Or is it to create an incremental revenue stream?

Can these drivers co-exist…or are they mutually exclusive?

Some recent trends suggest to me that it will take a while for the PCI market to shake out. Merchants and acquirers will eventually grow wise to shoddy activity and will gravitate toward quality PCI-compliance services. Unfortunately, in the meantime, not enough is being done to truly advance increased security for small merchants. 

Congress is aware of this, as we’ve seen with the recent PCI hearings. As the pendulum tilts toward more regulation on everything from carbon emissions to debt lending, this lack of true security improvements could ultimately lead to Congress legislating compliance—which the PCI Council has been diligently working at to avoid.

Worse, these trends will hurt your efforts to become PCI compliant, which will ultimately leave your shoppers more exposed to hackers and data thieves.

As the new PCI market begins to mature, having the right partners will help you stay compliant in the most efficient manner possible. Having the right partners will also ensure you’re not being taken advantage of.

‘Til Next Time,

Joan
The eSecurity Diva