Small merchants are struggling with the main regulatory standard applying to credit card security, the Payment Security Industry (PCI) standard, according to several panelists at the recent Visa Security Summit in Washington, D.C. Panelists also agreed that in many cases merchants could become compliant by leveraging third-party solutions.
PCI is too expensive and time-consuming for small merchants, according to Merrill Phelan, manager of information security and programming at the Washington Metro Airport Authority. For many smaller merchants, “it’s like the security standard is written for Fort Knox,” he said.
Only about 60 percent of level-three businesses—those processing between 20,000 and one million annual transactions—are PCI compliant, according to David Hogan, senior vice president and CIO for the National Retail Federation, who spoke on a separate panel. The compliance deadline for such merchants was last year.
The standards are so burdensome, said Phelan, that most small businesses would be better off avoiding them altogether. They should look for alternatives to storing and transmitting card data, he said.
There are several current outsourcing options, according to John Kindervag, a Forrester Research senior analyst. One fast-growing method involves “tokenization,” which involves removing customer account numbers and PINs from a merchant’s network and replacing them with abstract characters, or tokens. The tokens equate to the account numbers and PINs whenever merchants communicate with processors, he says. Vendors offering such services include ProPay, of Orem, Utah, as well as Las Vegas-based Shift4, he says.
Other solutions provide more full-service card processing solutions. One example is Google Checkout, which many large banks and processors currently offer small business customers.
Some banks and processors may build their own in-house solutions to help small merchants. That’s the case with London-based Barclays Bank, according to panelist Paul Cook, managing director at Barclaycard, the bank’s card division.
Small merchants’ own solutions were often woefully insecure, he said, sometimes lacking strong encryption. Barclays has made a strong effort to provide such merchants with encrypted checkout solutions and clear instructions.
Large banks and processors can also gain revenue by charging retail merchant customers a small fee per transaction in return for helping provide security, says Kindervag.