“What’s an Acquirer?” And Other Noteworthy SME Questions

Written by David Taylor
July 15th, 2009

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base and former E-Commerce and Security analyst with Gartner.

Small business owners may be too ignorant to ever be PCI compliant. I recently participated in a webinar, a live seminar and a survey all aimed at small business, and all part of separate efforts aimed at building awareness about the importance of PCI compliance to small to medium size enterprises (SMEs). In each case, the presenters were struggling, trying to figure out just how “basic” to be when explaining PCI compliance.

Based on my experiences, the answer has to be “pretty darn basic.” For example, at the live SME-oriented seminar, after listening to 3 different speakers discuss why PCI compliance is so important to data security and minimizing brand damage and the risk of a security breach, I had two, not one, but two separate people come up to me and ask “What is PCI?” Both persons apologized for their “dumb” question, but it got me thinking about other dumb questions that illustrate why we have a long way to go before we will be able to impress upon the SMEs of this world that PCI is worth paying attention to. A few examples:

  • What does the “I” in PCI stand for?
    We cannot forget that PCI is a whole different “Industry.” How many of us who are in one industry (e.g., retailing) can really be expected to understand the complex workings of another industry. When we throw around terms like “acquirer,” we cannot possibly expect anyone in retailing who isn’t the interface to the financial institution to either understand or care about what we’re saying. Furthermore, anyone who tries to explain the difference between processors and payment gateways in a webinar aimed at SMEs should expect that no SME (and few business or technical managers of larger retailers) actually gives a rat’s ass. What we should do is talk one-on-one to more SME managers and business owners; maybe the payment companies and technology providers who want to sell to SMEs should actually hire some ex-SME managers to help with their messaging.

  • $25 per month? Are they serious?
    Yesterday I was speaking with the VP of operations for a SME who recently received an email from their processor. It happened to be First Data, but it could have been any of a number of processors. She read me the E-mail, which said her company would be fined $25 per month until they prove they are PCI compliant. Her reaction was precisely the title of this paragraph.

    Even though there was a vague threat in the E-mail about $500,000 fines if there were a breach, she didn’t take that seriously. The whole reason she called was to find out if any company was actually doing anything as a result of such letters, because the $25 per month fine was being taken as a “joke” in her company. The message here is that it’s all well and good to be “kinder and gentler” when it comes to doling out fines in these troubled times, but this level of fine is unlikely to convince anyone to do anything, even mom and pop.

  • advertisement

    3 Comments | Read “What’s an Acquirer?” And Other Noteworthy SME Questions

    1. A reader Says:

      Small to medium retailers simply aren’t interested in PCI. PCI isn’t like a tax or a fine, where you pay some amount to avoid trouble, and then it’s done. To anyone who is paying the slightest amount of attention, PCI means you’ve got to do a lot of hard work, you have to hire expensive consultants in Italian suits, you have to pay a lot of people to learn stuff, they make a lot of noise but don’t seem to accomplish much, they get in your way with security stuff when you’re just trying to run your business, and in the end you see no results other than employees blocked from doing their jobs and a very expensive filled out checklist.

      A SME gets nothing tangible out of following PCI. Nothing. If you tell him he’s avoided a risk, he’ll say “staying in business is a hell of a risk, one more either way doesn’t make a difference.”

      If you want people to pay attention, give them incentive. (Avoiding a $25 fine is not incentive, it’s a punchline.) Where is the “Certified secure by Visa” logo door stickers? Where is the “This institution is PCI DSS certified, Visa will insure your transactions and credit are safe and will spend up to $10,000 to help repair your credit” disclaimer that retailers can print on their receipts? Where is the insurance program that gives retailers discounts for completing their PCI DSS audits?

      If Visa is mandating this but is not willing to put anything on the line, why should the retailers even listen?

    2. Dave Taylor Says:

      Dave Taylor replied: I couldn’t agree more, Mr or Ms “Reader.” Like the story I was telling about the head of the SME who simply couldn’t understand what all the fuss was about PCI, when all her company had to do was pay a $25 monthly fine. Her point was that if the fine is so low, PCI compliance must not be very important.

      Your incentive point is also “right on.” One of the F500 retailers I did a PCI compliance plan for specifically asked their acquiring bank and Visa if they could get “PCI Compliant” stickers for all their stores once they passed their assessment, and they were told no by both the bank and Visa, supposedly because it would make them a “target” of hackers. Which is the opposite of the reasoning for putting “Secured by ADT” stickers on our homes.


      The only kinds of incentives that can actually get any attention from a SME merchant — and guaranteed to ALWAYS do that — are something that promises a “sales lift” or “cost reduction.” And preferably both at the same time. Unfortunately, PCI mandates are pretty much the opposite of that by offering a sales decrease (time spent away from the main job) and a cost increase (new hardware, scans, monthly fees, etc.) With such a resounding absence of carrots, it’s amazing we have gotten anywhere at all with them.


    StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

    Most Recent Comments

    Why Did Gonzales Hackers Like European Cards So Much Better?

    I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
    Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
    A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
    The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
    @David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

    Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.