

“What’s an Acquirer?” And Other Noteworthy SME Questions

Written by David Taylor
July 15th, 2009
Small business owners may be too ignorant to ever be PCI compliant. PCI Columnist David Taylor recently participated in a webinar, a live seminar and a survey, all aimed at small businesses and all part of separate efforts to build awareness of the importance of PCI compliance among small-to-medium-size enterprises (SMEs). In each case, the presenters struggled to figure out just how “basic” to be when explaining PCI compliance.

Pretty darn basic, actually. For example, at the live SME-oriented seminar, after listening to three different speakers discuss why PCI compliance is so important to data security, to minimizing brand damage and to reducing the risk of a breach, Taylor had two, not one but two, separate people come up to him and ask “What is PCI?” Both apologized for their “dumb” question, but it got Taylor thinking about other dumb questions that illustrate why we have a long way to go before we can impress upon the SMEs of this world that PCI is worth paying attention to. A few examples....

The rest of this story is available to Premium subscribers only.



3 Comments

  1. A reader Says:

    Small to medium retailers simply aren’t interested in PCI. PCI isn’t like a tax or a fine, where you pay some amount to avoid trouble, and then it’s done. To anyone who is paying the slightest amount of attention, PCI means you’ve got to do a lot of hard work, you have to hire expensive consultants in Italian suits, you have to pay a lot of people to learn stuff, they make a lot of noise but don’t seem to accomplish much, they get in your way with security stuff when you’re just trying to run your business, and in the end you see no results other than employees blocked from doing their jobs and a very expensive filled out checklist.

    An SME gets nothing tangible out of following PCI. Nothing. If you tell him he’s avoided a risk, he’ll say “staying in business is a hell of a risk, one more either way doesn’t make a difference.”

    If you want people to pay attention, give them incentive. (Avoiding a $25 fine is not incentive, it’s a punchline.) Where are the “Certified secure by Visa” logo door stickers? Where is the “This institution is PCI DSS certified, Visa will insure your transactions and credit are safe and will spend up to $10,000 to help repair your credit” disclaimer that retailers can print on their receipts? Where is the insurance program that gives retailers discounts for completing their PCI DSS audits?

    If Visa is mandating this but is not willing to put anything on the line, why should the retailers even listen?

  2. Dave Taylor Says:

    I couldn’t agree more, Mr or Ms “Reader.” Like the story I was telling about the head of the SME who simply couldn’t understand what all the fuss was about PCI, when all her company had to do was pay a $25 monthly fine. Her point was that if the fine is so low, PCI compliance must not be very important.

    Your incentive point is also “right on.” One of the F500 retailers I did a PCI compliance plan for specifically asked their acquiring bank and Visa if they could get “PCI Compliant” stickers for all their stores once they passed their assessment, and they were told no by both the bank and Visa, supposedly because it would make them a “target” of hackers. Which is the opposite of the reasoning for putting “Secured by ADT” stickers on our homes.

  3. CHUCK PHIPPS, AAP,CTP Says:

    The only kinds of incentives that can actually get any attention from an SME merchant — and guaranteed to ALWAYS do that — are something that promises a “sales lift” or “cost reduction.” And preferably both at the same time. Unfortunately, PCI mandates are pretty much the opposite of that, offering a sales decrease (time spent away from the main job) and a cost increase (new hardware, scans, monthly fees, etc.). With such a resounding absence of carrots, it’s amazing we have gotten anywhere at all with them.
