High Cost vs. High Risk: the Conundrum of PCI Compliance for Small Retailers
Dec 18, 2020
As if they don’t have enough to worry about, many small and mid-sized retailers face a growing risk of fines for non-compliance with the baseline industry standard for protecting cardholder data, the Payment Card Industry Data Security Standard (PCI DSS). In addition, the COVID-19 pandemic has pushed many brick-and-mortar merchants toward higher volumes of e-commerce and over-the-phone transactions that may not go through hardware-based point-of-sale systems, which brings web servers and staff workstations into the scope of the standard.
PCI DSS requires any merchant that accepts credit or debit card payments to demonstrate and document secure handling of cardholder data. Validation includes a detailed Self-Assessment Questionnaire (SAQ) and, for merchants whose payment channels expose systems to the Internet, quarterly external network scans by Approved Scanning Vendors (ASVs) to confirm adherence to the requirements and gauge the merchant’s exposure to attack. A scan passes only if it finds no vulnerability rated CVSS 4.0 or higher, so a single unpatched public-facing host is enough to fail the quarter.
Scans are run against individual assets, each identified by an IP address that is either public or private. Scanning assets with public IP addresses gives the company the same view an external attacker has; this externally facing scan is what the ASV performs. Assets with private IP addresses are covered by a separate internal vulnerability scan, also required quarterly but run by the merchant’s own qualified staff or a contractor rather than by an ASV; it finds weaknesses that could be exploited by a malicious insider or by malware that has already breached the network.
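How the public/private split translates into scan scope, as an added example that is not from the article and not any ASV’s tooling: the script below sorts an asset list into ASV (external) scope and internal-scan scope by checking each address or block against the non-routable ranges, and counts the routable addresses, which is the number a per-IP priced scan would actually bill for. The inventory and its addresses are constructed for illustration; a merchant would feed this from its own asset register.

```python
"""Partition an asset inventory into external (ASV) and internal scan scope.

Added example, not tooling from the article or any vendor.  The inventory
and addresses below are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Address space that is not routable on the public Internet and therefore
# can only be reached by an internal scan, never by an ASV scanning from
# outside.  Drawn from RFC 1918, RFC 6598 (carrier-grade NAT), loopback,
# link-local and the IPv6 equivalents.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598 CGNAT
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

# Constructed sample inventory: asset name -> address or CIDR block.
# The "public" entries use RFC 5737/3849 documentation ranges as stand-ins.
SAMPLE_INVENTORY: Dict[str, str] = {
    "store-web":   "203.0.113.10",     # public web shop front end
    "store-vpn":   "198.51.100.0/29",  # small public block for remote access
    "pos-lan":     "10.20.0.0/24",     # card-present POS segment
    "back-office": "192.168.5.7",      # accounting workstation
    "isp-cgnat":   "100.64.3.9",       # address behind the ISP's CGNAT
    "ipv6-edge":   "2001:db8::1",      # public-facing IPv6 address
}


def scan_scope(address: str) -> str:
    """Return "external" if the address or block is publicly routable (in
    scope for the quarterly ASV scan) or "internal" if it is reachable only
    from inside the network (covered by the internal vulnerability scan).

    A block that straddles routable and non-routable space is rejected so
    that it is split before being handed to either scan."""
    net = ipaddress.ip_network(address, strict=False)
    for reserved in NON_ROUTABLE:
        if net.version != reserved.version:
            continue
        if net.subnet_of(reserved):
            return "internal"
        if net.overlaps(reserved):
            raise ValueError(
                f"{address} mixes routable and non-routable space; split it")
    return "external"


def partition(inventory: Dict[str, str]) -> Tuple[Dict[str, List[str]], int]:
    """Group assets by scan scope and count the externally routable
    addresses, which is what a per-IP priced ASV scan would bill for."""
    groups: Dict[str, List[str]] = {"external": [], "internal": []}
    external_addresses = 0
    for name, address in inventory.items():
        scope = scan_scope(address)
        groups[scope].append(name)
        if scope == "external":
            net = ipaddress.ip_network(address, strict=False)
            external_addresses += net.num_addresses
    return groups, external_addresses


if __name__ == "__main__":
    groups, count = partition(SAMPLE_INVENTORY)
    for scope, names in groups.items():
        print(f"{scope}: {', '.join(names)}")
    print(f"externally routable addresses to scan: {count}")
```

The script keeps its own list of non-routable ranges instead of relying on Python’s `is_global`, because the standard library also treats the documentation ranges used here as non-global, which would misfile the sample public hosts. For the constructed inventory the external scope is ten addresses across three assets, a useful number to hold against the tens-of-thousands bundles discussed below.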
Penalties for non-compliance scale with the merchant’s transaction volume and the duration of the lapse, and can range from $5,000 to $100,000 a month. Although the card brands levy the fines against the acquiring bank, the bank typically passes them downstream to the merchant responsible. In addition to absorbing the fine, merchants often face higher transaction fees, legal action, terminated banking relationships and reputational damage.
The stakes, in other words, are significant. While major retailers generally have the resources and expertise to meet PCI requirements, smaller retailers, those in the lowest two merchant levels by transaction volume (Levels 3 and 4), are at a disadvantage. For a retailer with limited technology resources, the proportional cost of a network scan can be exorbitant. A more specific problem is that ASVs tend to focus on larger customers, who offer a more attractive profit margin, and price their services in bundles of tens of thousands of scanned IP addresses. A small merchant with a handful of public addresses ends up paying for scan capacity it will never use.
Faced with limited resources and few options, as many as 91 percent of retailers simply ignore the PCI mandates and hope for the best. With both regulatory scrutiny and criminal activity on the rise, that is not a viable long-term strategy. One alternative lies in emerging network scanning services that price more granularly: customers pay for much smaller bundles of IP addresses, so that the scan is scaled to the size of the business. Depending on the methodology, this model can still be profitable for the vendor, which creates an incentive to compete for a new market segment. Value-added resellers can pair access to current scanning technology with insight and specific recommendations on how to mitigate or eliminate the vulnerabilities the scans find.
In today’s environment, meeting PCI DSS requirements is vital to the long-term success of any merchant that processes card payments. Contact us to learn more about innovative approaches for small retailers seeking to comply with PCI requirements.