There is a lot of dissatisfaction in the merchant community with their card processors. Cost is, of course, the major concern: Many of the merchants I spoke with are trying to get their per-transaction costs as low as possible. But they are also unhappy about downgrade charges, the indecipherable bills, the lack of help from their representatives, and what they view as the coercive nature of the relationship.
The complaints are the loudest about the largest of the processors, all of which belies the notion that "bigger is better" when it comes to card processing. The two card processor breaches appear to have been "wake up calls" to get merchants to take action on their growing dissatisfaction with their card processors.
One of the lessons learned from the recent processor breaches is that no company, anywhere, is 100 percent secure. An unfortunate by-product of the PCI standards (like any standards) is that they have accelerated the commoditization of the payments industry and increased the control of the card brands over the value chain.
Of course, maybe that isn't an "un" intended consequence of PCI DSS. Politics aside, I have talked with many merchants for whom payment processor (and other service provider) selection criteria has been reduced to only two questions: "How much per click?" and "Are you PCI compliant?" This is a mistake.
Merchants need to continue to exercise due diligence to understand and quantify the value of the differentiators which go beyond basic PCI compliance and per-transaction pricing. Three security-focused differentiators are worth mentioning:
Most of the packages that are termed tokenization today are focused on the point of sale, where card data is removed from the process at the earliest point, and a token number with no market value is substituted. Today, these approaches are offered by third party gateway vendors and other service providers and they can certainly reduce the scope of a PCI review and risk to the card data.
But there's a much larger opportunity for card processors to offer end-to-end tokenization efforts as a way to technically "lock in" existing customers and as an attractive way to integrate card data management services with card processing services, drawing new customers by providing a "back end" to go with the "front end" of the POS tokenization offerings. Several merchants are waiting to "pull the trigger" on their tokenization decision until it's offered by a card processor.
Many merchants continue to object to having anyone keep their card data other than themselves. Often, these are leading merchants that have made significant investments in data security and they simply do not believe that any other company has more motivation (or better technology) than they do to protect their data. For these companies, they should look to processors who can support end-to-end encryption, which some processors see as their next generation card data security offering.
In this case, the service includes both consistent encryption access control and management, as well as a key management service. It is key management, of course, that is the hard part of all this, and such services amount to having a central key repository, managed by the processor.
But even in such scenarios, data should still be centralized whenever possible, mainly because key rotation, which must be done annually to meet PCI standards, can still bring down enterprise applications for 48 hours while all the data is being re-encrypted with the new keys. Nonetheless, this type of system is an important option for those merchants who want to retain more control of their card data.
Last week, Storefront Backtalk published an article on pilot tests of new security technologies and procedures by banks, processors and Visa that go beyond the current PCI standards to secure card data. I expect to see lots of similar efforts designed to leverage merchant concerns about card data security and the desire to minimize the retention of card data. Processors talk about several "secret sauce" tactics that have yet to make it to the pilot stage, but which will find their way into the market during 2009. In each case, the technologies are an effort to re-introduce some of the technical competitive advantage that the PCI standards have taken away.
Switching card processors is much easier than some merchants think, but you shouldn't switch just to get a lower transaction processing costs. Considering what is at stake, it is well worth time to discuss card data security technologies and procedures with your current and prospective card processors. PCI project managers and IT security managers should be part of any discussion related to switching card processors, which is often not the case today. For more information on this, visit the PCI Knowledge Base and if you'd like to discuss trends in the industry or your own experiences, please send me an E-mail at [email protected]