Acquirer Survey Shows that Small-Merchant PCI Compliance Is on the Rise


A recent survey released by Atlanta-based security-solutions vendor ControlScan Inc. and the Merchant Acquirers’ Committee shows that acquirers and other independent sales organizations have been reporting greater compliance among small business merchants with a key data-security standard. Nearly 60 percent of ISOs and other processors report that compliance rates are up by more than 40 percent as shown in the portfolios of Level 4 merchants. This shows an increase of five percent from numbers reported only one year ago.

Level 4 merchants are businesses that process up to 1 million in-store transactions or less than 20,000 online card transactions annually. Although the focus of PCI compliance has been on larger merchants an businesses following the December 2013 Target security breach, PCI compliance by small merchants is actually of greater importance. This is because more security breaches occur in small businesses due to laxer security. 37 percent of acquirers that responded to the survey reported at least one breach in security in 2013. This response showed a 23 percent increase from reported security breaches among small business merchants in a similar survey from 2012. Of the 37 percent that reported security breaches in the 2013 survey, almost two-thirds reported that more that more than one portfolio merchant was the target of hacker attacks.

95 percent of acquirers that took part in the survey offer some type of program for their small business merchants in order to help them comply with PCI standards, although management of these programs differs by acquirer. Only 10 percent of acquirers manage their programs in-house using proprietary technology, 56 percent manage the programs themselves using outside technology, while 30 percent of acquirers outsource their programs. During this survey it was also determined that 54 percent of acquirers roll out their compliance programs for their full portfolio at the same time, with only 11 percent of acquirers segmenting their portfolios which allows them to focus their programs on their riskiest merchants before rolling the programs out to the rest of their merchants. This maneuver allows them to reduce businesses risks in a shorter time frame. While the previous focus of acquirers had been on revenue increase, the focus has shifted to security risk reduction. The survey also found that this enables acquirers to issue more levy fees for compliance programs and noncompliance. One-quarter of acquirers now assess over $100 every year towards their compliance programs. This is a 16 percent rise from the figures from 2012. Nearly two-thirds of acquirers now issue levy noncompliance fees, which is is up from the 2012 60 percent figure and the 52 percent figure from 2011.