There are few partners that ignite such wrath and venom within retailers than their credit card partners and their?well, let's just say "generous"?interchange fees. On the flip side, the banks and credit card firms seeing themselves as having to pay the PCI piper whenever there's a data breach, even if?from the bank/card perspective?that breach was the fault of the reckless retailer.
But like so many business relationships, hatred can be trumped by only one thing: greed. Which is the most terrifying? The prospect that a retailer may no longer be able to accept major credit cards or that the banks and card companies will lose all of that revenue to alternative payment vendors?
The headline for this piece said that Visa Blinks, which it did. But that phrase traditionally equates blinking with losing, borrowed from the classic staring contest. That's not how we mean it. In some cases?such as this one?blinking can be a realistic conclusion that flexibility may be the best course.
For more than a year, Visa has tried multiple variations of carrot and stick to get retailers PCI compliant. The stick has always been that fines and higher interchange fees will kick in after Sept. 30, 2007, for those retailers who are not certified PCI compliant.
Now that the date will happen next month, Visa and others are softening their position. Instead of being shut out from discounted interchange fees, non-compliant retailers (bad boys being banned from binary benevolence?) are being told they can have their discount fees, but not as much of a discount. The fines will indeed start but not for everyone. Possibly not for anyone. Full Visa discretion.
That's probably a good and practical approach. But is going to advance their stated position, namely to get more retailers compliant? Unlikely as it's not addressing the reasons those retailers have resisted compliance in the first place.
There are two kinds of non-compliant Level 1 retailers out there and both truly want to be compliant: those that are trying, but can't get over PCI hurdles to get the certification; those that aren't trying anymore, either because they've given up or they never cared that much.
Visa's efforts assume that all retailers are in that second category, that is they are only sufficiently motivated, they'll make the effort to get compliant.
But for most of the retailers I hear from, their complaints are focused elsewhere. Number one on the list: we can't afford to make the chain secure up to PCI's specs. For some, it's just griping, but for many, it's a very legitimate complaint. With margins so razor thin, it can't make sense for any retailer to lose money for the privilege of accepting credit cards.
Granted, this isn't the case for all Level 1s, but it's a huge concern for many mid-size retailers. Ironically, it's not as much of a concern for super small retailers because the dollars required to get them up to PCI specs are much less.
In short, for smaller merchants, Visa's probably right. For them, it is mostly an attitude adjustment. For many Level 1s, though, it's a very different story.
Then there are the complaints about consistency and conflicts of interest. But the process of getting certified compliant is quite time-consuming. There's probably a bit of logic in reallocating a chunk of the effort Visa is using to threaten retailers and put it toward making the certification process simpler, easier and much less time-consuming.
If the focus is placed on making it less expensive?being respectful of the retailers' right to make a living?and a lot faster, there's a fine chance Visa might be able to save its threats for mid-sized retailers who need the motivation.