Benchmarking Level 4 Merchant PCI Compliance: The Acquirer's Perspective




Benchmarking Level 4 Merchant PCI Compliance: The Acquirer's Perspective
A Research Report, January 2012

Table of Contents

  Executive Summary .......................... page 3
  Methodology and Audience Profile ........... page 4
  Topline Benchmarks ......................... page 5
  Key Findings ............................... page 6
  Detailed Findings and Commentary ........... page 8
  Recommendations ............................ page 18

Executive Summary

Wanted: Level 4 PCI compliance benchmarks

Level 4 defined: Level 4 merchants, as defined by Visa, are merchants processing less than 20,000 Visa e-commerce transactions annually. For brick-and-mortar and other retailers, Level 4 merchants are those that process up to 1 million Visa transactions annually.

For the last three years, through a series of comprehensive surveys of Level 4 merchants, ControlScan has extensively studied the viewpoints of small merchants regarding PCI compliance. ControlScan's recently published 2011 survey found that two trends, small merchants' low awareness of PCI and their apathy about the risks of a data compromise, have directly translated into lackluster merchant compliance efforts. Researchers dubbed the twin trends "a perfect storm of complacency."

Curious about the other side of the coin, in October 2011 ControlScan, in partnership with the Merchant Acquirers' Committee, conducted their first annual survey of acquirers, including banks, payment processors and ISOs. This 2011 Acquirer Study focuses on the experiences and viewpoints of acquirers in helping small merchants comply with the Payment Card Industry Data Security Standard (PCI DSS). It was conceived from the industry's frustration with the perceived lack of progress with PCI compliance among small merchants and with the lack of visibility into industry benchmarks for measuring progress.

This survey provides new insight and texture into small merchant PCI compliance trends. It corroborates recent research by Verizon, Visa, and Gartner, and focuses more attention on areas that were lightly addressed in prior research. For example, Visa reports moderate compliance by Level 4 merchants with stand-alone terminals and lower compliance by those using integrated payment applications. Gartner's PCI Compliance survey found that 89% of Level 1 merchants are PCI-compliant, yet only 57% of Level 2 through 4 merchants are PCI-compliant, a range too broad to truly understand Level 4 merchant compliance.

Methodology and Audience Profile

Conducted in October 2011, this first annual survey was sent to randomly selected Independent Sales Organizations (ISOs), banks and processors listed in the databases of two separate entities: ControlScan, which provides PCI compliance and security solutions designed for small merchants and the acquirers that serve them, and the Merchant Acquirers' Committee, an organization of bankcard professionals involved in the risk management side of card processing. In all, 146 companies completed all or parts of the survey. The population of responders had the following characteristics:

Audience profile by percent of responses

Business classification:
  Bank ......................... 15%
  ISO .......................... 45%
  Processor .................... 32%
  Agent ........................ 3%
  Other ........................ 5%

Size of Level 4 portfolio:
  <1,000 accounts .............. 26%
  1,001-5,000 accounts ......... 26%
  5,001-10,000 accounts ........ 15%
  10,001-50,000 accounts ....... 12%
  >50,000 accounts ............. 21%

An overwhelming percentage (94%) of respondents said they have a PCI program in place for their Level 4 merchants. As indicated in the audience profile, 92% of survey respondents represent banks, ISOs and processors. The table below shows, by these three business classifications, how long PCI programs have been in effect.

Duration of compliance program   Overall   Bank   ISO   Processor
  <6 months                        5%      0%     8%    6%
  6 months-1 year                 16%     25%    20%    9%
  1-2 years                       39%     31%    47%   32%
  2-3 years                       29%     19%    25%   38%
  >3 years                        11%     25%     0%   15%

Overall, 61% of programs have been in place for two years or less, so program duration is still maturing relative to the length of time the PCI DSS has been in place. Only 6% of respondents did not have a PCI program in place. Asked why, most cited one of two reasons:
  - Lack of resources (44%)
  - Plan to offer a program, but haven't yet (33%)

Topline Benchmarks

Getting right to the point, here is a high-level snapshot of some of the study's key benchmark findings:

  - Respondents have favorable views of PCI compliance programs. Fifty-seven percent say merchants see value in their PCI program. Seventy percent of respondents believe that their PCI program reduces small merchant breaches.
  - Fifty-four percent of respondents say their PCI compliance rates exceed 40%. Sixty-one percent of processors achieved this level of compliance, but only 32% of banks exceed the 40% compliance rate.
  - Respondents with higher compliance rates report fewer merchant data breaches. For example, 33% of all respondents said at least one of their merchants experienced a data breach during the last 12 months. For respondents with the highest compliance rates, however, the number reporting data breaches drops to 17%.
  - Half of respondents charge at least $71 a year for PCI compliance. Sixty percent of banks charge less than $71 a year.
  - Eighty-one percent of respondents outsource all or parts of their PCI program to third-party providers.
  - Fifty-two percent of respondents impose non-compliance fees for merchants who are not PCI compliant. Of respondents that levy non-compliance fees, 75% charge the merchant $11 to $25 a month for non-compliance.
  - Only 22% of respondents are making more than 5 educational communications annually with their merchants to drive awareness of PCI and to improve compliance.

More detailed benchmarks and discussion can be found in two sections: the Key Findings section beginning on page 6, and the Detailed Findings and Commentary section beginning on page 8.

Key Findings

Acquirers with higher compliance rates do more. Overall, the benchmarking study suggests that acquirers have a positive outlook on PCI compliance. Respondents believe that employing a PCI compliance program for their Level 4 merchants reduces the risk of a data breach. Moreover, respondents believe that merchants see the value of PCI compliance. Compared to acquirers with low PCI compliance rates, the study found, acquirers with portfolios that have higher PCI compliance rates tend to have these attributes:
  - They monitor their PCI programs more frequently.
  - They offer more tools to help merchants achieve compliance.
  - They typically have lower rates of merchant attrition.
  - They outsource some or all of their PCI program to a third-party provider.
  - They believe merchants see the value of PCI compliance programs.
  - Fewer of them say that their merchants have experienced a data breach in the last 12 months.
  - They believe their programs are beneficial in reducing small merchant data breaches.
  - They use non-compliance fees to drive action from merchants.

Processors lead the pack in achieving merchant compliance. Fifty-four percent of respondents claim overall compliance rates for their merchant portfolios that exceed 40%. Among the three major business types surveyed, the 41%-and-up compliance range was claimed by 32% of banks, 54% of ISOs and 61% of processors.

Acquirers with higher compliance rates are seeing fewer data breaches. Overall, one third of respondents said at least one of their merchants experienced a data breach during the last 12 months. However, as the compliance rate increases, the occurrence of at least one breach in the last 12 months decreases:

  PCI compliance rate reported by respondent ....................   <10%   11%-25%   26%-40%   41%-60%   >61%
  Percentage saying at least one merchant had a data breach
  in the last 12 months ..........................................   100%   50%       36%       21%       17%

Perception of PCI's value has a strong correlation to compliance rates. Acquirers reporting high compliance rates say that merchants see the value of their PCI programs. The value perception drops off among acquirers with lower compliance rates. For example: among respondents with a compliance rate in the 11%-25% range, only 29% felt that merchants value their PCI compliance program. In contrast, among respondents reporting compliance rates over 61%, 67% say the program is valued by merchants. The survey also revealed a correlation between high compliance rates and respondents' agreement with this statement: "PCI compliance reduces small merchant breaches."

Acquirers need more touch points with merchants to improve PCI compliance. Given the widespread acknowledgment that small merchants are struggling with PCI compliance, it's surprising to find that acquirers aren't being more aggressive in their outreach and education initiatives. Respondents are making only a modest number of contacts with merchants to improve compliance levels. The most common communication channels used for merchant education and engagement are statement messages and inserts, emails, direct mail and website content. However, even high-compliance respondents are making meager use (4 or 5 contacts annually) of these touch points.

Non-compliance fees are the preferred method for driving compliance. Respondents appear to be using non-compliance fees as their primary technique for driving merchants toward compliance. Asked what methods they use to boost merchants' compliance rates, 52% of respondents said they are charging non-compliance fees. This is the preferred approach of ISOs (65% levy fees). Alternatively, 22% of respondents offer non-complying merchants a "carrot": they discount the merchant's PCI program fee in exchange for prompt action. Many respondents with lower compliance rates use no technique at all to encourage merchant engagement.

Acquirers with higher compliance levels use more tools and technologies. Respondents with higher compliance rates tend to make heavier use of additional tools. In addition to the Self Assessment Questionnaire (SAQ) and vulnerability scanning, the most prevalent tools respondents use to drive compliance are security awareness training, security policy templates, and consulting. End-to-end encryption and tokenization are technologies that help merchants reduce the scope of PCI. Overall, 50% of respondents, led by acquirers with high compliance rates, say they currently offer or are considering offering one or both of these technologies.

Outsourcing is in with acquirers. The vast majority (81%) of respondents are outsourcing all or a portion of their PCI program to a third-party PCI provider. This finding suggests that acquirers are focusing on their core competencies, leaving peripheral functions to specialists.

Detailed Findings and Commentary

1. Who manages your company's PCI compliance program?
  Manage in-house, but use a 3rd party provider's technology for merchants to complete PCI ... 54%
  Outsource to 3rd party provider .................................................... 27%
  Manage the program in-house, using proprietary technology .......................... 13%
  Other .............................................................................. 6%

Banks, ISOs and processors are relying heavily on third-party providers to manage some or all of their PCI compliance programs. Banks are the group most likely to use outsiders.

2. Please rank the goals for your company's PCI compliance program (1 is most important).
  1. Reduce risk resulting from breaches of cardholder data
  2. Meet card brand requirements
  3. Achieve high compliance rates
  4. Generate additional revenue

Most respondents claim that reducing risk resulting from breaches of cardholder data is their primary goal for PCI compliance. Only one subset of respondents, those organizations with compliance rates less than 10%, rated "generate additional revenue" above "achieve high compliance rates."

3. Does your current merchant agreement require merchants to be PCI compliant?
  Yes ... 89%
  No .... 11%

Across all categories, the vast majority of respondents say they require merchants to be PCI compliant as part of their merchant agreement. The percentages were highest among processors and with companies having larger (more than 5,000 merchants) Level 4 merchant portfolios.

4. Does your current merchant agreement allow you to pass PCI fines down to the merchant?
  Yes ... 94%
  No .... 6%

Overwhelmingly, respondents report that their merchant agreements allow them to pass PCI fines down to their merchants. The percentage hits 100% for companies with 50,000 or larger Level 4 merchant portfolios.

5. How did you roll out your PCI compliance program?
  Entire portfolio at same time ...................................................... 55%
  Newly boarded merchants, then to entire portfolio .................................. 18%
  Segment by risk (riskiest first, phase remaining merchants over time) .............. 17%
  Other .............................................................................. 7%
  Risky merchants only ............................................................... 3%

Acquirers use a variety of approaches for rolling out their PCI compliance programs to their Level 4 merchant portfolios. A portfolio-wide approach is the most popular choice, especially with smaller portfolios. Larger portfolios prefer the portfolio-wide rollout, too, but are more likely to dabble in segmented approaches, such as starting with the riskiest merchants.

6. What is the current PCI compliance achievement rate for your PCI compliance program?
  <10% ....... 6%
  11%-25% .... 13%
  26%-40% .... 27%
  41%-60% .... 24%
  >61% ....... 30%

Half of respondents claim compliance rates exceeding 40%. This finding is more favorable than two other recent research reports: Visa found that Level 4 merchant compliance is "moderate" (not defined); in ControlScan's Third Annual Survey of Level 4 Merchant PCI Compliance Trends (November 2011), 35% of small merchants claim to be PCI compliant. Among the three major business types surveyed, banks reported the lowest compliance rates, with 69% of banks claiming compliance rates from 11%-40%. The 41%-and-up compliance range was claimed by 32% of banks, 54% of ISOs and 61% of processors.

7. How much do you charge merchants to participate in your PCI program?
  No charge ......... 12%
  <$50/year ......... 18%
  $50-$70/year ...... 21%
  $71-$100/year ..... 31%
  $101-$125/year .... 10%
  >$126/year ........ 8%

Most respondents say they charge compliance fees in the $50-$100/year range. No correlation was found between pricing and compliance rates. Interestingly, banks typically charge lower fees (60% say their annual fees are $50-$70 or lower), and their compliance rates are lower than the two other major audiences surveyed (69% claimed compliance rates from 11%-40%).

8. What communication channels do you use to educate and notify merchants about PCI and your program? Choose all that apply.
  Statement messages/inserts .... 79%
  Email ......................... 71%
  Direct Mail ................... 55%
  Website ....................... 54%
  Welcome Kit Insert ............ 53%
  Outbound Call ................. 51%
  FAQs .......................... 25%
  Newsletter .................... 18%
  Webinar ....................... 12%
  Fax ........................... 11%
  Other ......................... 6%
  Video ......................... 3%
  All Of The Above .............. 0%
  None Of The Above ............. 0%

Respondents claim to be using a wide variety of communication channels, or touch points, for merchant education and engagement. On average, respondents employed four different channels (for example, statement messages, direct mail). Companies with compliance rates less than 10% averaged three channels; companies with compliance rates 41% and higher reported using about 4.5 communication channels.

Several respondents commented that their educational efforts are augmented by phone calls and emails from their outsourcing partners. Only 39% of respondents said they are contacting merchants four or more times annually. Clearly, there is an opportunity for more outreach to small businesses that need to be educated about PCI and walked through the compliance process.

9. Which techniques do you employ to get merchants to take action? Check all that apply.
  Impose non-compliance fees until merchant achieves PCI compliance ................ 52%
  Offer discounts on PCI compliance if merchant takes action by certain date ....... 22%
  None ............................................................................. 19%
  Other ............................................................................ 15%
  Provide PCI compliance at no charge .............................................. 11%

Respondents' comments:
  "We advise merchants that compliance is required and their merchant service may be discontinued if compliance is not achieved."
  "Non-compliance fees are refunded once compliance is achieved."

Of all the techniques used to drive action from merchants, the preferred approach is to charge non-compliance fees. This approach is especially popular with ISOs (65% levy fees). A favorite "carrot" technique of respondents claiming higher compliance rates is to offer discounts on PCI compliance if the merchant takes action by a certain date. Most respondents, however, aren't using a combination of techniques (a carrot-and-stick approach). Those with lower compliance rates had higher percentages of using no technique at all to drive action.

10. What do you charge merchants for non-compliance fees?
  <$10/month ...... 19%
  $11-$25/month ... 75%
  >$25/month ...... 6%

Of respondents who say they charge non-compliance fees, 75% are charging in the range of $11 to $25 a month for non-compliance.

11. When do you start to impose non-compliance fees?
  Immediately after program launch ................ 8%
  2-3 months after launch and not compliant ....... 59%
  4-5 months after launch and not compliant ....... 11%
  6 months after launch and not compliant ......... 11%
  >7 months after launch and not compliant ........ 11%

Of respondents that charge non-compliance fees, 59% start charging non-compliant merchants two to three months after the program launches. Banks vary most from the norm; only 33% of the bank respondents start charging after two to three months, and the remainder start after six months. This extended length of time may be an indicator of banks' lower compliance rates.

12. Have you found that imposing non-compliance fees has resulted in more merchants achieving PCI compliance?
  Yes ... 80%
  No .... 20%

The vast majority of companies charging non-compliance fees consider it an effective technique to drive action. Companies with compliance rates less than 10% are the only exception; only 33% of them claim non-compliance fees to be effective, and much of this may be related to when and how these fees are communicated.

13. How often do you monitor the results of your PCI compliance program?
  Daily ....... 19%
  Weekly ...... 25%
  Monthly ..... 41%
  Quarterly ... 11%
  Other ....... 4%

Banks, ISOs and processors regularly monitor their PCI programs. Only 14% of all respondents monitor less frequently than monthly. Fifty percent of acquirers with the highest compliance rates monitor their programs daily or weekly.

14. Do you offer any additional tools or services, beyond access to the Self Assessment Questionnaire and Vulnerability Scanning, to help merchants meet specific PCI DSS requirements?
  Yes ... 52%
  No .... 48%

Compliance rate appears to be correlated with the propensity to provide additional tools to help merchants achieve compliance. Of respondents with compliance rates of 41% or greater, more than 60% claim to offer additional tools. Respondents offer an average of 2.2 tools. Of the tools respondents say they offer, such as a security policy builder and security awareness training, most are included at no additional charge in popular PCI compliance programs. A high percentage of respondents offer consulting, but much of it may be driven by customer support through the SAQ and scanning process. Other tools were items such as breach protection, PCI compliant terminals and card data locator software.

15. Are you currently offering or considering offering end-to-end encryption or tokenization technologies to help your merchants reduce their PCI scope?
  Yes ... 50%
  No .... 50%

While respondents overall were split on this issue, bank respondents and respondents with low (less than 10%) compliance rates expressed little inclination for offering either technology. On the other hand, those with greater than 60% compliance rates favored offering the technologies by a 2-to-1 margin. Watch for moves or additional guidance by the PCI Security Standards Council in coming months to encourage adoption of these and other measures to reduce the scope of what is required to achieve PCI compliance.

16. What challenges have you faced in implementing/running your PCI compliance program? Choose all that apply.
  Lack of resources to support program ...................... 41%
  Merchant Attrition ........................................ 41%
  Little knowledge of specific PCI compliance requirements .. 31%
  Other ..................................................... 26%
  Lack of traction within your own organization ............. 20%

Respondents' comments:
  "We see strong resistance from merchants and sales reps due to lack of understanding of the necessity for PCI compliance."

Overall, there was a tie in responses for the two biggest challenges respondents face in implementing or running their PCI program: merchant attrition and lack of resources to support a compliance program. For respondents with 41% or greater compliance, merchant attrition was the dominant concern. Respondents with less than 41% compliance, however, were more challenged by a lack of resources.

17. What percentage of merchants has left your portfolio on a monthly basis as a result of your PCI compliance program?
  <1% .......... 37%
  1%-2% ........ 27%
  3%-4% ........ 4%
  >5% .......... 3%
  Don't Track .. 29%

The surprise here is that 29% of respondents admit they don't track attrition numbers. That's doubly true of those with compliance rates less than 10%: 67% of this group do not track attrition. The most avid attrition trackers are the firms reporting the highest compliance levels.

18. Do you work with your merchants to ensure that their third-party service provider(s), gateways, etc., are PCI compliant?
  Yes ... 86%
  No .... 14%

Across all categories, the vast majority (86%) of respondents claim that they work with their merchants to ensure that their third-party service provider(s), gateways, etc., are PCI compliant. Respondents' companies often have relationships with these providers, and many won't work with non-PCI compliant providers.

19. Do you think your merchants value your PCI compliance program?
  Yes ... 57%
  No .... 43%

Fifty-seven percent of respondents believe that merchants value their PCI compliance program, a positive sign. The percentage of respondents with that belief increases sharply in the higher-compliance categories. This points to an opportunity for companies to better communicate the value of PCI compliance for the merchant's business.

20. Have any of your merchants experienced a data breach in the last 12 months?
  Yes ... 33%
  No .... 67%

Thirty-three percent of respondents reported that one or more of their merchants have experienced a data breach in the last 12 months. There is a strong inverse correlation between compliance rates and experience with data breaches: as the compliance rate goes up, fewer of the respondents reported one or more merchant data breaches. This supports the Verizon breach study finding that fewer merchant breaches come from PCI-compliant merchants.

21. Do you believe that your PCI compliance program has been beneficial in reducing small merchant breaches?
  Yes ... 70%
  No .... 30%

Another positive sign that PCI provides value: respondents reporting the higher compliance rates also are more likely to believe that their PCI programs are beneficial in reducing small merchant breaches. In contrast, 57% of companies with compliance rates under 10% believe that PCI helps reduce small merchant breaches; for companies with compliance rates over 61%, 77% have that belief.

Recommendations

As noted in the Topline Benchmarks section, acquirers are optimistic about PCI compliance. They believe merchants see value in their PCI program and that having a program in place effectively reduces the number of breaches. The acquirer optimism is encouraging, given the findings of various other studies about merchant attitudes. Recent studies report that high proportions of small merchants are not embracing PCI. For example, ControlScan's 2011 merchant PCI compliance survey found that awareness of PCI among retailers with 10 or fewer employees is low: only 53% of these respondents have some familiarity with the PCI DSS. As Verizon stated in its 2011 Payment Card Industry Compliance Report, "Security, and by extension, compliance, are still considered to be a drag on the economy by most businesses rather than an assumed part of the risk of doing business."

No single tool, policy or technique will change these attitudes. While it's encouraging that the majority of acquirers possess an optimistic attitude about PCI compliance, there is still much progress to be made. Acquirers are advised to fight complacency and negative perceptions with continued educational initiatives, enthusiastic service, new technology, and old-fashioned persistence.

Following these recommendations will help an acquirer establish the firm as a leader in PCI compliance:

Position PCI as a value. PCI should not be positioned as a nuisance that the merchant simply needs to get out of the way once per year. Rather, it is a way to improve security, reduce fraud, and attract customers who appreciate tight security of their personal data. Help merchants understand that it is in their best interest to protect their business and their customers' confidential information.

Educate your merchants frequently. This will help them to view PCI compliance as an ongoing process that you manage, so they don't have to deal with it as a once-a-year project to pass a test using a check-the-box approach to compliance. Be sure that you have experts in house or use a third party that will be available to help the merchant through the process. To be forewarned is to be forearmed, so view education as an opportunity to equip your merchants with the information they need to protect their businesses.

Monitor the results of your program closely. Frequent monitoring of program results makes the compliance job much easier. This will engage merchants and help them modify their practices as needed. The information can also help you determine which merchants need the most help; more educational opportunities may need to be applied based on where they are in the compliance process.

Use additional tools and support to help merchants achieve PCI compliance. Ensure that they have what they need, all in one place. By including more tools in your offering of compliance support services, you improve merchants' compliance and their perception of your value.

Consider emerging technologies. Help applicable merchants achieve PCI compliance by equipping them with scope-reducing technologies. With only half of acquirers and ISOs offering or considering offering end-to-end encryption and tokenization, there is a significant opportunity to create a competitive advantage with these services.

Take a balanced approach to driving compliance. Although many of the respondents use non-compliance fees to drive merchant action and find them to be effective, non-compliance fees are not a silver bullet. Punitive fees can certainly influence outcomes at the outset of a merchant's compliance program; however, they are not likely to be effective as a long-term strategy for dealing with a wayward merchant. Even if you give the merchant three to six months to get compliant before the non-compliance fees kick in, you still need to have a long-term end game.

Alternatively, consider using non-compliance fees for a limited period, and then replace them with closer supervision, multiple touch points and new educational initiatives. This demonstrates your desire to deepen your relationships with merchants. Meanwhile, emphasize to non-complying merchants that their behaviors are introducing unacceptable levels of risk into your environment as well. This balanced approach can be invaluable for retention and goodwill. It shows that you are engaged in the compliance process and are prepared to help them achieve success. Couple these carrots with the threat of halting your service, a stick that is much more serious than a relatively painless fee. To succeed with this approach, you must establish a very robust program for helping merchants along the way, while filtering out those merchants who will never achieve compliance.

Running a robust and effective PCI compliance program takes commitment and resources. If you don't have the resources internally to effectively execute such a program, consider using outside experts to augment your efforts.

About the Survey Sponsors

ControlScan: Headquartered in Atlanta, Georgia, ControlScan is the leading provider of Payment Card Industry (PCI) Compliance and Security services designed to meet the unique needs of small to mid-sized merchants and the acquirers that serve them. The company's flexible solutions, easy-to-use online tools and personalized support significantly simplify PCI and security for its clients. In addition, as an Approved Scanning Vendor and a Qualified Security Assessor, ControlScan is positioned to help merchants meet compliance requirements and maintain secure business environments for their customers. For more information about ControlScan and its cloud-based solutions visit www.controlscan.com or call 1-800-825-3301.

Merchant Acquirers' Committee: MAC is an organization of bankcard professionals involved in the risk management side of card processing. The organization has members from banks, ISOs, card associations and others related to the risk management side of the industry. MAC is dedicated to providing universal risk management solutions through ongoing communication and cooperation among acquirers and card associations. For more information visit https://www.macmember.org/ or email info@macmember.org.

2012 ControlScan. All Rights Reserved.