Magazine Article | August 17, 2012

Smaller Merchants Are Seeking PCI Assistance

By Brian Albright, Business Solutions Magazine

Resellers can play a key role in security compliance for smaller retailers, but proper training is a must.

When it comes to the Payment Card Industry (PCI) Data Security Standard (DSS), the majority of large retailers have established compliance programs and processes. But there is a growing need among smaller merchants for PCI solutions and consulting, and it is these Level 4 merchants that present the next frontier for resellers.

“At a recent Visa meeting, the company presented some statistics about security compromises,” says Wen Free, VP of business development at PCI DSS specialist SecurityMetrics. “According to what they presented, the majority of all compromises between 2009 and 2011 were at Level 4 merchants, who have less than a million transactions annually of the Visa brand. The trend they are seeing is that it’s the smaller and midsize merchants who are bearing the brunt of most of the compromises.”

Hackers are targeting smaller merchants, which don’t have the security personnel and budgets of larger retailers. Larger companies, meanwhile, have reduced their exposure because they’ve been forced to address these issues via PCI enforcement over the past five years.

“So we’re seeing the smallest of merchants taking an interest in it and doing something about it,” Free says. “They are being proactive.”

These companies face some significant resource issues when it comes to PCI compliance, however. Staying in compliance is an ongoing project, and many of these merchants need help understanding where their vulnerabilities lie and how to reduce compliance scope — presenting a rich opportunity for POS (point of sale) resellers that want to expand their presence with these customers.

“There’s no magic cure for PCI compliance, but what we’ve found is that merchants who take the time to figure out first where the card or payment data is on their network, those are the companies seeing great reductions in PCI costs,” Free says.

The card brands are encouraging this approach. “They are telling the merchants to do their data discovery first and then move forward with PCI and only apply it to what needs to be touched,” Free says.

New Certifications, Expanding Market

Finding a reseller that fully understands compliance can be a challenge for these smaller merchants. One positive step that Free sees is the establishment of the Qualified Integrators and Resellers (QIR) certification program introduced by the PCI Security Council. The program provides online training and certification for applications validated under PA-DSS (Payment Application Data Security Standard).

“The standards body is now providing a training program for the folks in the channel that provide these services, which is a welcome relief,” Free says. “There have been cases where the channel has been to blame for some elements of some breaches.”

Another positive trend is that compliance services have now become a more attractive business for the channel, in large part because the acquiring banks are insisting on security compliance. “Since the banks have introduced non-compliance fees into the merchant arena, we’re seeing resellers reaching out and saying that they want to get involved in that business,” Free says. “They want to resell intrusion detection and monitoring and be in those areas, because there is a hammer being applied very regularly by the acquiring banks.”

That gives merchants more options when it comes to PCI assistance, while building new business opportunities for the channel. Resellers will also see more opportunities to help merchants as state and federal agencies begin pushing for more security standards compliance.

“Merchants today don’t understand data security very well,” Free says. “They may understand how to make pizzas or sell tires or cut hair, but data security is not why these folks are in business. So resellers have an opportunity to be the expert and help them. With some good training and certification, the channel can be a huge asset to merchants. There are related products specific to each case that can be introduced to those customers and good money to be made in the process.”

The key is for resellers to educate customers and encourage them to be proactive when it comes to compliance and data security in general. “Doing something before a compromise is exponentially less expensive for everybody,” Free says. “Once Visa and MasterCard say you have a problem, it gets a lot less comfortable, and that’s where the big fines and fees start being introduced.”