Is PCI DSS compliance in danger of overwhelming small business?

24th May 2009

The internet and e-commerce are seen by many as a force for good in the global economy, but free trade in cyberspace is threatened by the malevolence of internet hackers, opportunist thieves and organised crime. The credit card industry and its honest merchants have borne the brunt of internet fraud and, in a bid to limit the damage and prevent a further deterioration, the major credit card brands have clubbed together to introduce a global standard for data security (PCI DSS) which is being mandated for all businesses that process credit card transactions. But is the rigour of the standard, which is complex and expensive, a sledgehammer to crack a nut where small businesses are concerned? Gary Simon, FSN’s managing editor, reports on a troublesome initiative.

Nobody in their right mind doubts the seriousness of internet fraud. From stolen identities to card-not-present frauds, the scale of the problem is undermining confidence in e-commerce. According to a survey by the Federation of Small Businesses, published in February this year, a significant 54% of businesses had been a victim of fraud or online crime in 2008: 37% had an issue with phishing emails, 15% were victims of card-not-present fraud and 15% experienced IT system issues, such as viruses and hacking.

So how is the payment card industry responding? Well, at the end of 2004, Visa and MasterCard joined forces and, through a separate entity (www.pcisecuritystandards.org), created the Payment Card Industry Data Security Standard (PCI DSS), which is mandatory and applies to all businesses processing, storing or transmitting cardholder information, whether manually or electronically. The standards are exhaustive and cover businesses of all sizes, but in broad terms the level of compliance required depends on activity level and is driven more by the nature or mode of transactions than by the financial size of the business or the value of transactions processed.

There are four levels of compliance requirements, based on the annual number of credit/debit card transactions. The top level (Level 1) relates to merchants with over 6 million transactions a year, and the bottom level (Level 4) to merchants with fewer than 20,000 transactions. The problem is that Level 4 lumps together the smallest internet startups with substantial internet retailers, yet the compliance requirements are broadly the same.

The standard also has teeth. Backed by a severe fines regime imposed by the Card Schemes (Visa/MasterCard), punitive fines can be imposed for an actual breach of security (“Compromise Fines”) or simply for “Non-Compliance”. The Card Schemes fine the acquiring banks, who can then, at their option, pass the fine on to their customers. According to Barclaycard, the fines can be “tens of thousands of pounds and will escalate should remediation activity not happen in a timely manner.”

In a written response to FSN’s questions, Barclaycard denies that it is scaremongering. “Given that the card schemes are levying fines for non-compliant merchants, we feel it’s right that we point this [out] and to ignore this topic would be completely wrong. We’re not trying to scare merchants into becoming compliant, we are simply pointing out possible consequences. Feedback from our customers shows that they want us to help them understand compliance and its impact on them.” However, Barclaycard did not answer whether small businesses have been fined tens of thousands of pounds for non-compliance. Neither did they elaborate on what the scale of fines is.

Robin Adams, Consulting Director of Security, Risk and Compliance at the Logic Group, a provider of software solutions for payment card processing systems, told FSN the whole area of fines is a “sensitive issue”.

“There have been some well publicised fines for a systems compromise that has caused financial loss and we are aware that letters have been sent to merchants who have not complied by the relevant date. What has been noticeable is that the tone from the industry has become more aggressive since July 2005 but ultimately it depends on the banks and whether they are prepared to pass the fine onto their merchants.”

Adams believes that for the larger Level 1 merchants, fines could amount to $25,000 per month, and $5,000 per month at the other end of the scale. “The card schemes are concentrating on the larger volume merchants at the moment which present the greatest risk,” he added.

Although it is theoretically feasible for small businesses to self-assess their level of compliance, the complexity of the questionnaires means that, to all intents and purposes, small businesses are going to require external assistance to complete the questionnaires and to organise, where required, independent quarterly scans of their systems to confirm their level of security protection from hackers. For most businesses this will be an added cost at a time when they can least afford it, although, for example, Barclaycard, like other acquirers, has arranged for the services of SecurityMetrics to help merchants through the maze at a preferential rate.

By way of illustration, this means that a small e-commerce merchant that needs help to fill in the ‘self assessment’ questionnaires and requires a quarterly scan to comply could face an initial cost of around £75.00, i.e. substantially less than the £374.45 full price. What happens in subsequent years remains to be seen. Barclaycard told FSN, “There are no discounts for future years, but as discussed, customers are free to use or not use Security Metrics. For example they could use an alternative supplier or do it themselves for free.”

But not everyone is happy with the way that the payment card industry is treating smaller merchants. Rosina Robson, from the Federation of Small Businesses, told FSN, “The FSB is concerned that the PCI-DSS initiative was designed more with big business in mind. This is worrying given that small businesses account for 58% of the private sector workforce and the majority of enterprises in the UK. Businesses are trying to grapple with the jargon in the cumbersome self assessment form and find funding for external consultants on vulnerability scans expensive during these difficult economic times.”

“We are not saying that small businesses should be exempt from this regulation imposed by big business, but that it should have been designed with them in mind from the outset through simplified advice and forms,” she added.

“We spend time talking to the government about the importance of ‘thinking small first’ and it is important that big business does this as well. Businesses are left confused by the inconsistent advice that they receive from their card companies and the heavy handed tactics used by some with the threat of fines for non-compliance leaving small businesses with a hefty bill in order to comply.”

Chris Barling, CEO of Actinic, a provider of e-commerce products for small and medium businesses, interviewed in Internet Retailing, says, “When it comes to PCI DSS, smaller companies have a big problem, because although the compliance checking regime varies based on size, the required standard is identical. This is bad news, because what makes sense for a big corporate with thousands of staff is crippling for smaller businesses.”

Barling told FSN, “It is very difficult for small businesses to comply. Even if you think you are compliant you probably are not because the standards are so exacting. There are serious professional hackers out there and it is becoming harder and harder to protect your business. If you don’t store any credit card details at all then you are probably in a stronger position but we are advising customers to align themselves with a payment systems provider such as ourselves to remove the requirement altogether or greatly reduce it.”

Whether a merchant is compliant or not is a vexed question. The contractual terms offered by providers of compliance advisory services and scans often limit their liability by excluding the possibility that the merchant can rely on their advice. So the merchant is left between a rock and a hard place, i.e. a complex compliance regime backed by an opaque fines regime and advisors apparently not prepared to put their money where their mouths are.

To date, the Federation of Small Businesses in the UK says that when asked whether they were complying with the PCI Data Security Standard, 62% of businesses said that they didn’t know what it was, 20% said no and only 13% said that they were complying with the standard. FSN understands that the sample of businesses surveyed did not focus exclusively on retailers, but it is illustrative of the problem that small businesses are not PCI DSS aware.

No one that FSN spoke to denies the importance of security, but it is interesting to ponder whether small merchants are actually paying the price of a payment card industry that is losing the battle against fraudsters. It is one thing to encourage small businesses to adopt sensible practices to limit the risk for all concerned, but the threat of fines and complex, costly compliance procedures, coupled with an industry unwilling to take responsibility, is hardly going to endear the credit card brands and acquiring banks to their customers.
