Giving Up On Small Business Payment Security

Written by David Taylor
March 11th, 2009

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

Over the last four years, people in the payments, security, retail, restaurant and other industries have spoken about the “massive opportunity” associated with trying to get Level 4 merchants to be PCI compliant and secure, in a “beyond just card data” sense. But lately, I’ve come to the conclusion that this may not be possible. Or, if possible, the effort is beyond what those who seek to secure these firms are willing to invest in this clearly uphill battle.

  • Fear, Uncertainty and Doubt
    Security is all about FUD. The more you scare people about unknown risks (of breaches, fraud, data loss), the more they tend to spend to guard against these risks. But given the high level of fear that already exists in the SME environment about going out of business, even the loudest and most well justified pitches don’t even make the radar screen. Rather than taking the approach of talking louder, it may be time to switch appeal to focus more on education, advice, best practices and generally being more helpful.

  • Doing the Work for the SMEs
    Offering to help the SMEs understand and solve their PCI compliance and security problems is good. But, don’t be “too helpful.” I recently ran across a couple of companies that guarantee to get small businesses PCI compliant and go so far as to sell them pre-filled-in self-assessment questionnaires (SAQs) that they say are “guaranteed” to pass PCI.

    Although I understand that this sort of pitch has its appeal, I cannot believe that any processor or acquirer (or QSA) would sign off on this approach if they knew how the SAQ was completed. On the other hand, from the “merchant portfolio” perspective of a processor / acquirer, perhaps such situations would be regarded as such low risk to the overall portfolio that they might be OK with this method, simply because they are getting some data about these merchants, which is better than none.

  • Getting SMEs to Show Up
    I’ve talked with dozens of security companies, processors, banks and industry groups about how to actually get SMEs to read materials about PCI compliance and security or even show up at a webinar, and it’s clear that no one has the “secret formula.” I’ve participated in several webinars where thousands of invites went out to SMEs, only to have a handful show up. Neither the fear appeal nor the educational appeal seems to work. Basically, companies are offering to educate SMEs about a subject on which the SMEs do not believe they need any education. The positive or negative incentives are simply insufficient at this time. But, there is reason for hope, if not audacity.

  • Fining SMEs for Non-Compliance
    The only thing that gives me (and other security and payment folks) reason to be positive about the ability to reach the SMEs is that some processors are starting to issue fines to Level 4 merchants for non-compliance with PCI. The fines are what Eduardo Perez of Visa has called “nuisance fines,” which are not large enough to hurt the business, but large enough so that the executives running the business will be motivated to take action.

    What is missing from this, however, is publicity. Unlike the early days of the “PCI campaign,” there is much less publicity about the actions being taken by the card brands and acquirers to move compliance forward, including issuing fines. I would argue that one of the most effective ways to improve compliance and general interest in security among SMEs is a major publicity campaign associated with the fines. However, given the economy and growing government oversight of the financial service industry, it seems unlikely that a campaign that could be interpreted as “massive financial conglomerate tries to put mom and pop out of business” is going to be well received by the administration or by “the people,” who are spending their hard-earned tax dollars to keep the massive financial conglomerates afloat.

  • The Bottom Line
    While I’m not quite as negative about the chances of getting SMEs to be PCI compliant and secure as the title implies, I’m almost there. If any reader of this has any ideas, products or services that they believe can turn this situation around, please contact me. We believe that one of the best services we can offer at the PCI Knowledge Base is to let people know about solutions to vexing problems such as this one. So please send me an E-mail if you have any interest in or ideas about this topic.

    2 Comments

    1. A reader Says:

      Nuisance fines won’t do much. In order to be effective, the fine has to be more expensive than the PCI compliance efforts, or else the SME will pick the cheaper of the two. If small merchants already can’t afford compliance, they certainly won’t survive an effective fine.

      Pushing this issue further may drive card acceptance out of small businesses. They’re already struggling, and a move back to cash has a lot of appeal. Cash has no interchange fees. As bankruptcies rise, fewer of their customers will have credit. And cash is “more flexible” than transactions that have to be recorded on paper.

    2. david taylor Says:

      I just returned from a conference where “alternative payments” were discussed a lot. As more companies get into this business, SMEs will have more “ammo” to fight back against the coercion inherent in the payment card industry. The processors, for their part, are becoming “payment switches” so they can support alternative payment options such as: PayPal, Bill Me Later, Google Checkout, Pinless Debit, Secure Vault Payments, eBillMe, Amazon Payments, Revolution Card, Bill2Phone, TrialPay, GreenDot.

      I’d like to hear from anyone who is using / plans to adopt any of these as a major payment channel. Anyone????
