It May be Time to Switch Card Processors
Written by David Taylor

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.
There is a lot of dissatisfaction in the merchant community with their card processors. Cost is, of course, the major concern: Many of the merchants I spoke with are trying to get their per-transaction costs as low as possible. But they are also unhappy about downgrade charges, the indecipherable bills, the lack of help from their representatives, and what they view as the coercive nature of the relationship.
The complaints are loudest about the largest of the processors, which belies the notion that “bigger is better” when it comes to card processing. The two card processor breaches appear to have been “wake-up calls” that got merchants to take action on their growing dissatisfaction with their card processors.
One of the lessons learned from the recent processor breaches is that no company, anywhere, is 100 percent secure. An unfortunate by-product of the PCI standards (like any standards) is that they have accelerated the commoditization of the payments industry and increased the control of the card brands over the value chain.
Of course, maybe that isn’t an “un”intended consequence of PCI DSS. Politics aside, I have talked with many merchants for whom payment processor (and other service provider) selection criteria have been reduced to only two questions: “How much per click?” and “Are you PCI compliant?” This is a mistake.
Merchants need to continue to exercise due diligence to understand and quantify the value of the differentiators which go beyond basic PCI compliance and per-transaction pricing. Three security-focused differentiators are worth mentioning:
Most of the packages that are termed tokenization today are focused on the point of sale, where card data is removed from the process at the earliest point, and a token number with no market value is substituted. Today, these approaches are offered by third-party gateway vendors and other service providers, and they can certainly reduce both the scope of a PCI review and the risk to the card data.
But there’s a much larger opportunity for card processors to offer end-to-end tokenization, both as a way to technically “lock in” existing customers and as an attractive way to integrate card data management services with card processing services. That would draw new customers by providing a “back end” to go with the “front end” of the POS tokenization offerings. Several merchants are waiting to “pull the trigger” on their tokenization decision until it’s offered by a card processor.