payments - Retail Systems
34 RS June - July 2012
roundtable
JK: It is for the small merchants – it’s just easier for them.

AY: My question to you, Jeremy, is: where do they go? Some of them don’t even know what PCI is and they wouldn’t know who to outsource to if you asked them. There are great solutions out there, some with one vendor, others across several vendors.
JK: They have a relationship with their acquiring bank and so that has to be the gateway for them. How good it is, I don’t know. Some of the acquirers will have hundreds of thousands of small merchants. Do they talk to them all individually or do they just blitz them? However, those acquirers will have access to suppliers who are PCI-approved service providers, so they can give the smaller merchants this information. Essentially I’ve got to work with the UK cards and the UK acquirer groups. Firstly we need to be able to get some information to the merchants and then, once they’ve read that, give them a list of people they should be talking to, let them know how much it’s going to cost and tell them what they’re going to get. And we need to let them know what could happen to them if they don’t go this route. The brands don’t differentiate between big and small merchants when there’s a data breach, they just come in and hit you. For small merchants it’s end of game.
AY: When chip and PIN came out there was a whole load of education, not just to the consumers but to the retailers as well, and that was pushed down by the acquirers. We don’t have that same infrastructure for PCI and I think it’s that whole education process that’s lacking; that’s what the retailers need.
JK: In some regard we’ve done a sort of top-down approach. We’ve started off at the big retailers and we’ve gone down to the next level and now we’re getting down to the smaller merchants. Whether that’s right or wrong, I don’t know.

“Outsourcing PCI is key for tier 3 and 4 retailers.”
AH: I think there’s a vast difference between the council interpretation of the standard and the acquirer interpretation of the standard. And sometimes you almost get the feeling that they don’t want you to worry. They want you to be seen to be trying, so there’s a small, tiny penalty per merchant: should you not register with the PCI DSS there’s a small monthly fee, but that is all. So if you don’t meet the requirements you tick a box for an implementation plan and this is never reviewed, and that almost gives you the ability to perpetually say: ‘We’re working on implementation.’ At the moment acquirers don’t appear to be serious.
CP: UK card acquirers, who come together on a monthly basis and meet in a non-competitive environment, have been really trying and worrying about how they’re going to get at the small business merchants. So, encouraged by Jeremy, they have started to put together an education package particularly focused at level 4 merchants around the e-commerce environment. That was sustained and upheld by the PCI council in the autumn. When the council asked for suggestions of what they should focus on in a 12-month period they got 31 suggestions; that was whittled down to 13. These were voted on by the participating organisations, of which there are over 600 across the world. The vote came out in favour of e-commerce solutions and education for smaller merchants, but they broadened that and said e-commerce education. Here in the UK we’re focused on smaller merchants, looking at risk and looking at cloud. And in the UK the card acquirers have come together and they’ve written some guidance which has been fed into the special interest group, which will hopefully be published before September/October.
AH: Say a retailer already knows what they’re meant to be doing. I mean, in the process of monitoring someone’s compliance maintenance, there is the ability to just indicate that you have an implementation plan in place. Even if that plan is that you’re waiting for your payment supplier to provide a solution – that is also accepted. But this could roll over into a number of years and in my opinion it’s not a realistic review of that retailer’s compliance.
CP: Waiting for your supplier is another area that is being addressed. The challenge for merchants has been that some of the suppliers are saying: ‘Well, there’s nobody chasing me to do it. You’re going to pay for it, Mr Merchant.’ The merchant says: ‘No I’m not.’ So that’s also been addressed now. Visa particularly have launched a program to get the service providers to register online to indicate they are compliant or that their solution means card data is not in the merchant’s