Study shows progress on PCI DSS compliance
January 11, 2012
Credit card acquirers seem to be making more of an effort to help smaller merchants achieve compliance with the Payment Card Industry Data Security Standard, as evidenced by a recent survey of banks, payment processors and other acquirers.
The study, conducted by ControlScan and the Merchant Acquirers Committee (MAC), revealed that many in the payments industry think it is worthwhile to develop a PCI education and support program that will assist their Level 4 merchants' efforts to achieve and maintain compliance with the standards.
"Acquirers have a positive outlook on PCI compliance," said Susan Matt, CFO of MAC and CEO and founder of ThoughtKey, Inc. "The study also links certain key attributes of acquirers with high PCI compliance rates - a correlation we simply speculated earlier, but can now stress as best practices to the industry."
Of the 146 responding acquirers, 94 percent said they have established a PCI program for their Level 4 merchants, and 70 percent said they believe the program actually reduces the risk of a small merchant suffering a breach. Nearly two-thirds of these programs are under two years old, so acquirers are still building out their support for the seven-year-old PCI DSS. The programs will likely keep evolving, since one-third of respondents also said that at least one of their merchants had suffered a breach in the past 12 months.
For merchants trying to judge which acquirers can best help them avoid a breach and comply with PCI DSS, the two organizations listed several attributes shared by acquirers with high compliance rates. These include having a third party take on some of the responsibility for the PCI program, regularly assessing the program itself, and giving merchants a choice of several different compliance tools.
While many advocates of PCI DSS say it is one of the best defenses against a data breach or card fraud, others express doubt. In an interview with Bank Information Security, 451 Research's Wendy Nather said that many small merchants simply cannot afford to achieve or maintain PCI DSS compliance. She calls this the "security poverty line," noting that when a company cuts corners to save money, for instance by putting all of its data on a single server so that one compromised host exposes everything, the impact of a breach can be even more severe.
"It's one example of how the Security Poverty Line can affect a company that just can't afford to get compliant," Nather told the news source.
