Helping Merchants Navigate Through the Confusion of Fraud and Protection

May 4, 2015         By: Edward Black III

Today’s card-accepting merchant is besieged.

The past 18 months have seen an unprecedented number of credit card data breaches. Target. Home Depot. Dairy Queen. And those are just the big ones.

The costs attributed to these breaches run into the billions of dollars, and banks are suing the breached companies to recover their losses and the fines they have been charged.

Customers choose to stay away from these places completely, or choose to pay for goods in cash, which often means smaller tickets for the merchant. CEOs have lost their jobs.

As large and infamous as these breaches are, some data has shown that as many as 90 percent of the estimated 11,000 credit card data breaches last year occurred at small to medium-sized businesses.

Think of your local pizza place, dry cleaner, hair salon or convenience store. Most of these merchants accept credit/debit card payments. Many of them are considering non-traditional payment methods, including mobile payments and eCommerce.

Over the years, SMB merchants have approached PCI in different ways, almost all of them detrimental to their business. At worst, they see PCI as a scam used by Independent Sales Organizations (ISOs) and acquirers to charge additional monthly or annual fees.

This often leads merchants to hop from processor to processor in an attempt to get the “better deal.” Ultimately, this only increases ISO attrition as well as merchant frustration, feeding into the merchant’s belief that the industry as a whole is dishonest.

In addition to questioning the industry, many merchants suffer from denial, also known as "we're too small and it won't happen to us." Even more feel intimidated by the technical requirements of PCI DSS because they have little to no understanding of information technology.

With the advent of PCI DSS 3.0 and the EMV liability shift in October, merchants can no longer afford to ignore or deny the necessity of protecting their businesses against fraud.

Consider the 10,000+ SMBs that suffered a breach in 2013. Each of those companies would be required to pay for a PCI Forensic Investigator (PFI) and to remediate every security gap the PFI identified.

They would be bumped up to Level 1 merchant status, which requires an annual on-site assessment by a Qualified Security Assessor (QSA). They must also pay any PCI-related fines, which are taken directly out of their credit card receipts.

Chargebacks will be crippling, and merchants will almost certainly lose customers. A single credit card breach can cause catastrophic losses from which a merchant may never recover.

The payment industry must take a more active leadership role in the education of merchants. Verizon's recently released 2015 PCI Compliance Report found that fewer than 29 percent of companies were still fully PCI compliant less than a year after their last validation. The rest have fallen back into unsafe behaviors and are once again vulnerable.

Whether it’s the ISO or the acquirer directly, they must be proactive in helping their merchants understand the risks and how to prevent them.

ISOs are themselves exposed when their merchants are breached. A catastrophic loss at one or more of their merchants can mean lost revenue and additional fines for the ISO. It is undoubtedly in their best interest to help protect their merchants from fraud. However, many ISOs are not able to provide these vital tools and services on their own.

There are over 100 Approved Scanning Vendors (ASVs) that can partner with an ISO to provide the external vulnerability scanning PCI DSS requires of merchants. Many of these ASVs can also provide additional products, such as malware scanning, SSL certificates, penetration testing and more.

In selecting an ASV, it is best practice to work with a partner that takes an educational approach, helping merchants understand their vulnerabilities and how to address them. It is also important that the ASV partner's services be affordable.

Finally, merchants may also purchase cyber-insurance that covers data breaches. Sometimes the ASV can provide it, sometimes the ISO, or the merchant may purchase it independently.

Cyber-insurance is generally inexpensive (perhaps $2 to $6 per month) and helps cover the substantial costs associated with a data breach. It is recommended that ISOs develop partnerships with companies that can offer this insurance.

Ultimately, the biggest impediment to compliance is a lack of understanding and education at the merchant level. ISOs that seize a leadership role by partnering with strong ASVs, QSAs and cyber-insurance companies will survive and thrive. Merchants will be better educated and protected, which will lead to fewer breaches, less merchant attrition for the ISO and more revenue for everyone.


Edward Black III, Director, PCI Business Unit, Comodo
Edward Black is a Director in the PCI Business Unit at Comodo, a company built over 16 years on the foundation of trust, believing that every digital transaction must have a layer of trust and security built in. At Comodo, Black builds and develops partnerships with Independent Sales Organizations (ISOs) to help them understand and implement security solutions for their large and small merchants, who need PCI solutions that authenticate, validate and secure their information. Black also spearheads training and education on PCI standards and compliance within Comodo. Black has extensive experience in the security-conscious healthcare and financial services industries, having previously held leadership roles at BIO-key International, PNC Bank and Paychex, Inc. While at BIO-key, Black developed educational and training content on fingerprint biometric solutions for partners and customers. In addition, Black provided educational seminars to Paychex customers on new laws concerning payroll and taxes.