Giving Up On Small Business Payment Security

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

Over the last four years, people in the payments, security, retail, restaurant and other industries have spoken about the "massive opportunity" associated with trying to get Level 4 merchants to be PCI compliant and secure, in a "beyond just card data" sense. But lately, I've come to the conclusion that this may not be possible. Or, if it is possible, the effort is beyond what those who seek to secure these firms are willing to invest in this clearly uphill battle.

  • Fear, Uncertainty and Doubt
    Security is all about FUD. The more you scare people about unknown risks (of breaches, fraud, data loss), the more they tend to spend to guard against these risks. But given the high level of fear that already exists in the SME environment about going out of business, even the loudest and most well-justified pitches don't even register on the radar screen. Rather than taking the approach of talking louder, it may be time to switch the appeal to focus more on education, advice, best practices and generally being more helpful.

  • Doing the Work for the SMEs
    Offering to help the SMEs understand and solve their PCI compliance and security problems is good. But, don't be "too helpful." I recently ran across a couple of companies that guarantee to get small businesses PCI compliant and go so far as to sell them pre-filled-in self-assessment questionnaires (SAQs) that they say are "guaranteed" to pass PCI.

    Although I understand that this sort of pitch has its appeal, I cannot believe that any processor or acquirer (or QSA) would sign off on this approach if they knew how the SAQ was completed. On the other hand, from the "merchant portfolio" perspective of a processor / acquirer, perhaps such situations would be regarded as such low risk to the overall portfolio that they might be OK with this method, simply because they are getting some data about these merchants, which is better than none.

  • Getting SMEs to Show Up
    I've talked with dozens of security companies, processors, banks and industry groups about how to actually get SMEs to read materials about PCI compliance and security or even show up at a webinar, and it's clear that no one has the "secret formula." I've participated in several webinars where thousands of invites went out to SMEs, only to have a handful show up. Neither the fear appeal nor the educational appeal seems to work. Basically, companies are offering to educate SMEs about a subject on which the SMEs do not believe they need any education. The positive and negative incentives are simply insufficient at this time. But there is reason for hope, if not audacity.

  • Fining SMEs for Non-Compliance
    The only thing that gives me (and other security and payment folks) reason to be positive about the ability to reach the SMEs is that some processors are starting to issue fines to Level 4 merchants for non-compliance with PCI. The fines are what Eduardo Perez of Visa has called "nuisance fines," which are not large enough to hurt the business, but large enough so that the executives running the business will be motivated to take action.

    What is missing from this, however, is publicity. Unlike the early days of the "PCI campaign," there is much less publicity about the actions being taken by the card brands and acquirers to move compliance forward, including issuing fines. I would argue that one of the most effective ways to improve compliance and general interest in security among SMEs is a major publicity campaign associated with the fines. However, given the economy and growing government oversight of the financial service industry, it seems unlikely that a campaign that could be interpreted as "massive financial conglomerate tries to put mom and pop out of business" is going to be well received by the administration or by "the people," who are spending their hard-earned tax dollars to keep the massive financial conglomerates afloat.

  • The Bottom Line
    While I'm not quite as negative about the chances of getting SMEs to be PCI compliant and secure as the title implies, I'm almost there. If any reader of this has any ideas, products or services that they believe can turn this situation around, please contact me. We believe that one of the best services we can offer at the PCI Knowledge Base is to let people know about solutions to vexing problems such as this one. So please send me an E-mail if you have any interest in or ideas about this topic.