The latest survey from Sysnet Global Solutions claims that SMEs are struggling with PCI compliance and security.
The survey was conducted across a number of acquiring organisations (e.g. banks), including five of the top 10 global acquirers. Between them those five acquirers account for more than 58bn transactions per year. It can be downloaded here (registration required).
The survey paints a worrying picture of compliance failure. According to the press release: “all acquirers believe small merchants are not effectively engaging with PCI programs, with many identifying the challenges small merchants face, including a lack of knowledge, a lack of urgency and a lack of time to dedicate to security and compliance.”
Gabriel Moynagh, CEO at Sysnet Global Solutions said: “We conducted this survey to put some structure on the many conversations we have had with acquiring organisations who feel they’re fighting a losing battle when it comes to getting smaller businesses secure and compliant. PCI non-compliance fees seem like a good idea to prompt smaller businesses to take action, but the real problem is that they just don’t have the knowledge, time or resources to get and maintain compliance.”
SMEs constantly paying fines for non-compliance
According to the results from the survey, 76% of merchants don’t understand the need for PCI compliance. That is a major issue for the industry. PCI compliance is required by credit card companies to make online transactions secure and protect them against identity theft. The PCI Compliance Security Standard Council states: “Any merchant that wants to process, store or transmit credit card data is required to be PCI compliant.”
Acquirers believe that four issues are driving this lack of compliance by small merchants:
- A lack of knowledge on how to engage with PCI programs (76%)
- A failure to realise that they need to engage with PCI programs (68%)
- Not prioritising security enough (64%)
- No time to engage with PCI programs (60%)
All of this means that small merchants are likely to be facing additional fees on top of those they already pay to accept payment cards. Worryingly, 16% of acquirers believe that there are many small merchants that just choose not to deal with PCI. This group is happy to pay non-compliance fees.
What do acquirers think will improve compliance?
The majority of acquirers want compliance rates to be higher. The majority would like to see compliance rates reach 70%. While this is still far from perfect, it is a substantial improvement on where many acquirers believe the industry is now. Getting there, however, is unlikely to be easy.
Regular communication (76%) and education (72%) are seen as the most obvious routes to improve this. That, however, ignores the fact that most small merchants are already time poor. If they had the time to read more information from acquirers, it is likely that many would have improved their compliance already.
At the other end of the scale, 44% felt that non-compliance fees were appropriate. Given the other results of this survey, it seems that those non-compliance fees are simply not enough. In fact, 21% of acquirers felt that charging fees indefinitely was acceptable, while a further 33% thought that between 12 and 24 months was OK. This sends the message that acquirers are OK with non-compliance provided you pay a premium.
It also raises the question of whether it is time for a regulator to step in. Taking non-compliance fees does not protect card holders. This raises an interesting question of liability. If the acquirer is happy to allow the merchant to stay non-compliant provided they pay the fee, they have become part of the problem.
Some acquirers felt that more draconian measures were required. Among these are the withholding of funds (36%) and the threat of termination (28%).
What else could acquirers do to improve the situation?
One option is to provide small merchants with cyber security tools. 54% are already doing this, but tools are not enough. There needs to be a process to help install and secure systems, and that means trained support services. This may be why 4.17% have rejected the idea while the remaining 42% are still trying to work out the “real business benefit to customers versus the costs.” One might think that a reduction in card fraud would be enough.
There is a move towards managed compliance and security services. 64% say that they are already doing this while over a third say it is not applicable. The advantage of this is that the acquirer can deal with risk to the customer.
What was good to see was that over 80% of acquirers felt they need to do more to help merchants comply with PCI DSS. Interestingly only 32% strongly agreed with this. As with many of the responses to questions in this survey, this sends mixed messages.
What does this mean?
If you are using your credit card at a shop or online, you expect the transaction system to be secure. What this survey shows is that this cannot be relied upon. With so many small merchants willing to pay non-compliance fees, the entire system appears to be broken.
However, before we reach the point of shouting ‘the sky is falling’, note that the survey doesn’t disclose what non-compliance means. Is it storing customer data in the clear in a database? Is it breaching cardholder-not-present rules? Are merchants using unauthorised applications or equipment? Is transaction data not encrypted when it is being transmitted? Without this clarity, non-compliance becomes a woolly, overarching term.
There are also questions that the acquirers need to answer. For example, why are they taking non-compliance fees for extended periods of time? What does it take before they send someone on site to help fix the problem? How much of the card fraud last year came from non-compliant merchants whom acquirers knew about?
This is not a small problem. Over £1 billion was stolen in credit and debit card fraud in 2017. It led to 10% of customers cancelling cards. Some moved to other card issuers but this is a significant rate of churn. If acquirers taking non-compliance fees are part of this problem the regulator needs to act immediately and deal with this.
It will be interesting to see if Sysnet publishes any more details on the problem. We will also wait to see if next year’s survey shows any improvement.