Magazine Article | May 20, 2013

Why Resellers Should Fear PCI Noncompliance

By Brian Albright, Business Solutions magazine.

Resellers can leverage payment processing partners to improve security for clients and help retain their own customers.

VVARs and ISVs can take a leading role in helping their merchant clients achieve and maintain their PCI Data Security Standard (PCI DSS) compliance. While that does entail ensuring that both the paymentapplication and transaction-routing method meet the standard, there are ample opportunities for VARs to help clients reduce PCI scope (and compliance costs), while improving data security for merchants and their customers.

More resellers and integrators are paying closer attention to their place in the PCI ecosystem. Their ability to support compliance efforts may be limited to specific applications or transaction routing, but a more consultative approach can improve client relationships and create new revenue streams. But they need to have the knowledge and resources to provide the kinds of services merchants are looking for.

“Security is complex even for those who are dedicated to the discipline,” says James Zerfas, security product manager at Vantiv. “The most common scenario, in my experience, is that the VARs simply don’t have the resour ces necessary to engage their clients or don’t see that their clients have this need.”

Payment application and payment processing vendors can help by providing training and other resources to the channel and directly to merchants. Sean Kramer, president and CEO of Element Payment Services, further recommends offering a PCI-validated point-to-point encryption (P2PE) solution to reduce risk and compliance scope.

“A validated P2PE solution removes ISVs and their customers from the business of paymentcard security and effectively eliminates risk, liability, and cost associated with credit card acceptance,” Kramer says. “For the ISV, this means complete removal of PCI scope. For the merchant, scope is dramatically reduced and the merchant qualifies for a greatly abbreviated selfassessment questionnaire (SAQ), and is exempt from vulnerability scans and penetration testing. Experts estimate that the cost savings associated with this scope reduction amounts to $25,000 to $30,000 annually.”

The Risk Of Noncompliance
While the bulk of the risk of noncompliance falls on merchants, VARs and ISVs also pay a price if they don’t incorporate best-of-breed processing solutions that can simplify and secure payment acceptance for the merchant. Merchants who fall out of compliance face fines and could lose their ability to accept credit cards at all; resellers and integrators could lose significant market share if they fail to properly serve their clients when it comes to PCI standards.

“Compliance has become the norm that all VARs and integrators must meet in order to compete in the payments space,” Zerfas says. “Any avoidance on their part to ensure compliant products and services usually results in losing market share to their competitors. Additionally, depending on the scope of their engagements, they may also share in the exposure associated with data breaches in their customers’ environments.”

Those data breaches can be costly, even for small merchants. According to the 2012 SecurityMetrics Payment Card Threat Report, credit card breaches cost retailers $5.7 million per incident, including detection, notification, legal fees, customer losses, and brand damage.

“History has demonstrated that even after a halfdecade of compliance efforts we must remain vigilant as an industry to protect PCI data,” Zerfas says. “While new means are also being identified, we haven’t necessarily seen old methodologies disappear. The weakness in the system is not that compliance should be abandoned, but rather that more education is needed to ensure that compliance assessments are used to improve overall security practices and employee training.”

Payment Partners Provide Additional Services
ISVs and VARs can incorporate value-added services that bring additional significance (and improved customer retention) to their payment applications. Integrating tokenization, for instance, can allow customers to perform card-on-file or scheduled billing without actually storing the card data locally. Other services, such as the ability to provide automatic updates to cards on file when they are reissued (due to loss or expiration) provide back-office efficiencies to merchants.

“Perhaps even more important than leveraging a payments partner who offers best-in-class technology is selecting a provider commitment to PCI compliance and scope-reducing technologies,” Kramer says. “In addition to eliminating risk and liability, merchants using a PCI-validated P2PE solution also have the potential to save thousands of dollars annually due to reduction in compliance-related costs. Together, valueadded services and PCI scope-reducing technologies result in a superior payment solution and help to retain merchants by offering more than ‘just a rate.’”

Partnerships with reliable payment services partners can also help ISVs bolster their own education (along with their client services), and provide peace of mind for merchants who increasingly look to VARs and integrators for assistance with PCI compliance. “Leverage external partners to fill the gaps in both services and products with the understanding that, especially when it comes to security, it is extremely easy to lose credibility and it is very difficult to earn back,” Zerfas says.

Stress How You Can Help Your Clients Avoid Costly Penalties

Today’s POS (point of sale) VARs and integrators must always be looking for ways to expand their relationships with their customers beyond just providing hardware and software solutions. In particular, it’s the quest for ongoing revenue streams (e.g. those associated with payment processing) that drives the successful modern-day POS VAR and integrator. But don’t overlook the value of one of the biggest benefits you can offer your clients — your industry knowledge.

When it comes to proving your worth to a client who has to adhere to the PCI Data Security Standard (PCI DSS), the ongoing service you can provide is making sure you understand all of the intricacies of the standard so that you can help the client avoid any penalties. After all, according to Sean Kramer, president and CEO of Element Payment Services, the penalties for noncompliance are severe. “The penalties can include the loss of the ability to accept credit card payments, noncompliance investigations, and fines. In fact, according to the 2012 Security- Metrics Payment Card Threat Report study, credit card breaches cost retailers $5.7 million per incident on costs, which include detection, notification, legal fees, loss of customers, and brand damage. On average this equates to $194 per compromised credit card, according to the 2011 Cost of Data Breach Study published by the Ponemon Institute,” Kramer says.

James Zerfas, security product manager at Vantiv, agrees with Kramer and notes that although there are a number of resources and processes dedicated to ensure merchants achieve and maintain compliance, the ultimate risk for merchants out of compliance is the possibility of losing their ability to process payments, which further results in lost sales. “Most importantly, being out of compliance creates an increased level of risk related to a data breach and all of the related impacts of that event,” Zerfas explains.