What if we turned PCI compliance on its head and reversed the thinking?
Consider this scenario: You're nervous. It's the last day of a month-long assessment done by your Acquirer. They have had a team of IT forensics people booked in a conference room at your offices for the last 30 days, tearing apart your IT environment. They have been validating firewall rules, reviewing log files and inspecting virus protection updates, among other things.
The Acquirer is now about to deliver a Merchant Processing Score (MPS). The result is a big deal; that MPS will determine the rate you pay for your credit card fees for the next 12 months. A higher score and your rates go down; a lower score and your rates go up. This score could easily mean a million dollar swing in profitability next year. Everyone's fingers are crossed that you did well with the penetration test.
Although this scenario is clearly made up, I wonder whether situations like it could become reality. They would, if we reversed the thinking behind PCI compliance. For example, instead of handing out fines for failure to meet the standards and then merely using a PCI failure as an excuse to deny a chain a preferred interchange rate, what if discounts were handed out to those merchants who implement solid data security systems?
It is a somewhat simple concept: The amount of fees paid by a merchant to process a credit card transaction is directly related to how secure its environment is. A standard scorecard is created for each merchant's "risk factors," similar to a credit score:
- You have implemented tokenization? +10 points.
- You have a Chief Security Officer? +5 points.
- You haven't had a breach in 1,000,000 transactions? +8 points.
- You passed a full-scale white-hat penetration test with no issues? +15 points.
- First-time merchant? -10 points.
- Wireless access points installed in the retail location? -8 points.
- No software maintenance contract for POS? -5 points.
After an audit is completed, a score would be assigned. The rate a merchant pays for interchange is based upon that score. The higher the score, the lower the fees. And I'm not talking about a PCI-like assessment. I'm talking a full geek-on-geek audit. Evidence that a policy exists would earn you zero points. Evidence that a secure policy exists and has been implemented and that all employees are continuously trained on security procedures and protocols would earn points.
The current mortgage company underwriting process seems like a good place to start building the audit framework. Having been through this process recently, all I can say is that I would rather be working on PCI compliance! And just like a mortgage underwriting process, if you score too low, you don't get to process credit cards. Too bad; so sad. Here's a quarter. Call someone who cares.
Why is this scenario better than the current approach? PCI compliance sets a standard that all retailers must meet. But these standards create something of a conflict of interest. The retailer is incentivized to do the minimum to meet the requirements, which may come at the expense of actually becoming secure. A CIO somewhere in this country has been asked this week by his board or executive team, "Do we really need to do that to be compliant?" (Read: Do You Really Need To Spend The Money?) [EXASPERATED SIGH] "No. Technically, we don't. This is what we need to do to be secure. If you are looking for the minimum required to be compliant, we could issue a new policy that outlines what people 'shouldn't do' instead of implementing a technology that won't let them do it."
With an MPS approach, the merchant's goals would be aligned with the goals of the credit card companies (Associations, Issuing Banks and Acquirers): becoming more secure. In the scenario above, what if the policy earned the company +2 points but the technology earned it +8 points?
I believe that this approach could be a win for everyone.
For those merchants who are serious about protecting data, their costs go down. Acquirers and the Associations would raise the rates to those merchants with lower scores. Knowing how capitalism works, I'd be willing to bet that the increased fees to the merchants with lower scores would more than offset the discounts offered to those with higher scores. This system would mean that the credit card companies would get what they want (better security) and get paid more in the process. What's not to love?
Now for the fun part: the Merchant Processing Score would be publicly available. Anyone would be able to see how your business rates in protecting its customers' credit card data. Merchants would be required to print their MPS at the bottom of each receipt. Customers could then decide which retailers they want to entrust with their sensitive data. As a result, merchants would have to consider not only the impact of a low score on their credit card fee structure but also its impact on their sales.
Some of you may be thinking that this approach seems anti-merchant. I would disagree. The entire payment industry is a train off the tracks, and something needs to be done. It is the few merchants not playing by the rules, and those doing "just enough," who are impacting those of us who are trying to do the right thing and protect our customers' data. If everyone is held to a higher standard, everyone will benefit.
Although merchants may see a short-term increase in the costs of improving security, in the long run that extra money would be offset by a more efficient system, even a more efficient industry, that does not have to cover the many millions of dollars it takes to clean up after a merchant is breached.
I think it's time for change. How about you?
What do you think? Love it or hate it, I'd love to gain some additional perspectives. Leave a comment, or E-mail me at [email protected].