“What’s an Acquirer?” And Other Noteworthy SME Questions
Written by David TaylorGuestView Columnist David Taylor is the Founder of the PCI Knowledge Base and former E-Commerce and Security analyst with Gartner.
Small business owners may be too ignorant to ever be PCI compliant. I recently participated in a webinar, a live seminar and a survey all aimed at small business, and all part of separate efforts aimed at building awareness about the importance of PCI compliance to small to medium size enterprises (SMEs). In each case, the presenters were struggling, trying to figure out just how “basic” to be when explaining PCI compliance.
Based on my experiences, the answer has to be “pretty darn basic.” For example, at the live SME-oriented seminar, after listening to 3 different speakers discuss why PCI compliance is so important to data security and minimizing brand damage and the risk of a security breach, I had two, not one, but two separate people come up to me and ask “What is PCI?” Both persons apologized for their “dumb” question, but it got me thinking about other dumb questions that illustrate why we have a long way to go before we will be able to impress upon the SMEs of this world that PCI is worth paying attention to. A few examples:
We cannot forget that PCI is a whole different “Industry.” How many of us who are in one industry (e.g., retailing) can really be expected to understand the complex workings of another industry. When we throw around terms like “acquirer,” we cannot possibly expect anyone in retailing who isn’t the interface to the financial institution to either understand or care about what we’re saying. Furthermore, anyone who tries to explain the difference between processors and payment gateways in a webinar aimed at SMEs should expect that no SME (and few business or technical managers of larger retailers) actually gives a rat’s ass. What we should do is talk one-on-one to more SME managers and business owners; maybe the payment companies and technology providers who want to sell to SMEs should actually hire some ex-SME managers to help with their messaging.
Yesterday I was speaking with the VP of operations for a SME who recently received an email from their processor. It happened to be First Data, but it could have been any of a number of processors. She read me the E-mail, which said her company would be fined $25 per month until they prove they are PCI compliant. Her reaction was precisely the title of this paragraph.
Even though there was a vague threat in the E-mail about $500,000 fines if there were a breach, she didn’t take that seriously. The whole reason she called was to find out if any company was actually doing anything as a result of such letters, because the $25 per month fine was being taken as a “joke” in her company. The message here is that it’s all well and good to be “kinder and gentler” when it comes to doling out fines in these troubled times, but this level of fine is unlikely to convince anyone to do anything, even mom and pop.
-Marc
July 16th, 2009 at 11:14 pm
Small to medium retailers simply aren’t interested in PCI. PCI isn’t like a tax or a fine, where you pay some amount to avoid trouble, and then it’s done. To anyone who is paying the slightest amount of attention, PCI means you’ve got to do a lot of hard work, you have to hire expensive consultants in Italian suits, you have to pay a lot of people to learn stuff, they make a lot of noise but don’t seem to accomplish much, they get in your way with security stuff when you’re just trying to run your business, and in the end you see no results other than employees blocked from doing their jobs and a very expensive filled out checklist.
A SME gets nothing tangible out of following PCI. Nothing. If you tell him he’s avoided a risk, he’ll say “staying in business is a hell of a risk, one more either way doesn’t make a difference.”
If you want people to pay attention, give them incentive. (Avoiding a $25 fine is not incentive, it’s a punchline.) Where is the “Certified secure by Visa” logo door stickers? Where is the “This institution is PCI DSS certified, Visa will insure your transactions and credit are safe and will spend up to $10,000 to help repair your credit” disclaimer that retailers can print on their receipts? Where is the insurance program that gives retailers discounts for completing their PCI DSS audits?
If Visa is mandating this but is not willing to put anything on the line, why should the retailers even listen?
July 17th, 2009 at 12:51 am
Dave Taylor replied: I couldn’t agree more, Mr or Ms “Reader.” Like the story I was telling about the head of the SME who simply couldn’t understand what all the fuss was about PCI, when all her company had to do was pay a $25 monthly fine. Her point was that if the fine is so low, PCI compliance must not be very important.
Your incentive point is also “right on.” One of the F500 retailers I did a PCI compliance plan for specifically asked their acquiring bank and Visa if they could get “PCI Compliant” stickers for all their stores once they passed their assessment, and they were told no by both the bank and Visa, supposedly because it would make them a “target” of hackers. Which is the opposite of the reasoning for putting “Secured by ADT” stickers on our homes.
July 17th, 2009 at 4:25 pm
The only kinds of incentives that can actually get any attention from a SME merchant — and guaranteed to ALWAYS do that — are something that promises a “sales lift” or “cost reduction.” And preferably both at the same time. Unfortunately, PCI mandates are pretty much the opposite of that by offering a sales decrease (time spent away from the main job) and a cost increase (new hardware, scans, monthly fees, etc.) With such a resounding absence of carrots, it’s amazing we have gotten anywhere at all with them.