
Many Merchants see the Payment Card Industry’s Data Security Standard (PCI DSS) as an expense they could do without. 

The counter argument is that most businesses would struggle if nothing were done to tackle Credit Card Fraud, because the Credit Card companies would need to charge Merchants a higher transaction rate to cover their losses.

So, what other reasons could there be for becoming PCI Compliant? 

The answer very much depends on your business type and the loyalty of your customers and prospective customers. 

Some very good reasons for becoming PCI compliant are listed below.

Increasing consumer trust means more business

Consumers who purchase from a bricks and mortar Merchant, rightly or wrongly, feel more confident about their purchase. There are many reasons for this: the smile of the assistant, the knowledge that they can return if there is a problem, but most of all that they only need to hand over their Credit Card.

eCommerce Merchants require their customers to complete a form with all their personal data: their name, telephone number, address and Credit Card details.

Providing a Merchant with more personal data does not necessarily mean a higher risk, especially as Credit Card Fraud is most prevalent in Restaurants and Hotels, but this is the impression held by many consumers. Data Breaches are heaviest in Hotels, and 77% of the hospitality industry mistakenly believe they are PCI compliant (read the research here).

Credit Card research shows that 29% of consumers have been the subject of fraud (see blog article). This clearly demonstrates the need for consumers to be cautious.

Merchants must demonstrate that they care about their customers' personal information. But how?

Trusted Seal on Websites. This improves the site's perception to a consumer and will subsequently increase revenues. Verisign (Symantec) claim that a trusted seal can increase click-through by 18.5 percent.

The padlock and a trusted logo demonstrate security, that is, that the website has the correct encryption and is the site it claims to be.

PCI DSS demonstrates a real business commitment to the protection of personal information, especially the Credit Card.

Protecting a Merchant’s Image and reputation

The growing requirement for the disclosure of an Account Data Compromise (ADC), also known as a breach, often requires a Merchant to communicate an incident to their customers. These laws already exist in the USA and Germany and will soon become law across Europe, South Africa and a host of other countries.

The Credit Card companies employ highly sophisticated fraud tracking systems and can quickly track a breach back to the Merchant. Even a handful of Credit Cards can lead the Credit Card companies back to the Merchant.

In the event of a breach, it is important to inform customers to prevent further identity theft issues and to reduce the level of exposure the Credit Card companies have. A recent example of a breach would be Lush.

Once the details of a breach are released, and they nearly always are, the press, the bloggers and consumers all email, write and talk about what has happened and why.

A data breach could have occurred because of the concerted efforts of a hacker, but the perception will be that the Merchant's security or procedures have failed. Consumers are becoming more demanding and are likely to take their business elsewhere if they feel their personal information was not adequately protected.

Forrester Research found that young consumers’ primary reason (59%) for not conducting business online was the concern about the use of credit cards online…

Verisign found that retaining the confidence of customers and clients is the number one concern for 88 per cent of IT managers operating in the UK.

Protecting Merchants from fines

If a Merchant has an Account Data Compromise (also known as an ADC or breach), they WILL be fined.

  • They will have to pay for expensive independent forensics to establish the source of the breach
  • They will have to cover the costs of the replacement Credit Cards
  • They will need to pay for the ongoing monitoring of the stolen cards
  • They may be fined by the Information Commissioner, who in the UK can fine up to £500,000 per ADC incident
  • There may be a requirement to provide Credit watch cover for the consumers

MasterCard published the detail of their fines in 2009 and they are potentially crippling for a Merchant.

Even if a Merchant has not experienced an ADC, they could still be fined. Thousands of Merchants are being fined for non-compliance in several ways, e.g. monthly charges, rate increases or one-off fines.

A Merchant might consider taking out Breach Protection Insurance. This might make commercial sense as it will avoid the significant costs levied, but it still leaves the Credit Card companies with a fraud debt. Credit Card companies have invested heavily in efforts to reduce fraud and implement Data Security Standards, which means a Merchant cannot choose to use insurance as a risk reducer as an alternative to being PCI DSS compliant. The Acquiring Banks and the Credit Card companies can stop Merchants taking Credit Card payments.

Protecting Merchants from online threats

PCI DSS can help Merchants become more secure and enable them to protect their business as it trades on the internet by detailing minimum requirements for IT Security, for example:

  • PCI requires eCommerce Merchants to undertake regular vulnerability scans of their website to ensure it is secure.
  • PCI requires quarterly reviews of the Firewall rules/configurations.
  • PCI requires adequate and regularly updated Anti-Virus protection.

PCI DSS mandates these requirements and provides guidance on how a Merchant can protect itself not just from Credit Card ADCs but also from other potentially business impacting Data Breaches.

In 2010 the UK market saw a significant reduction in Credit Card Fraud, which will only confirm to the Credit Card companies that their protective measures are working. This means the pressure on Merchants to become compliant and to maintain their compliance will only grow. To find out how much of a reduction the UK saw in fraud, read my blog here.

To download the CyberSource Report on Fraud click here.

For more details on PCI DSS, see the resources section on my blog.