As many ISOs now understand, small merchants are big business: There are 6 million small businesses in the U.S., defined as those with fewer than 100 employees. These privately owned corporations, partnerships or sole proprietorships account for $350 billion in financial services and product revenue annually.
87% have fewer than 5 employees, and many have developed an online presence to compete with larger businesses. However, these small merchants are vulnerable to data security breaches: Visa says that 85% of reported compromises come from Level 4 (low transaction volume) merchants, and fewer than 10% of merchants in this category have validated compliance with PCI DSS. Compliance mandates for these merchants are less strict, yet the consequences of a breach, in terms of fines and lost business, are every bit as onerous. How can ISOs help these merchants mitigate risk without significant cost? We'll look at some simple suggestions to help small merchants with both their in-store ("bricks") and their online ("clicks") transactions.
Securing the Bricks
For many ISOs, particularly those dealing with Level 2 and higher merchants, the steps to achieving and maintaining compliance are old news. However, for Level 4 merchants, the low compliance rate indicates that many have yet to find a simple route to compliance. Level 4 merchants are defined by Visa as those processing fewer than one million total transactions (or fewer than 20,000 e-commerce transactions) each year. To achieve compliance, Visa requires these merchants to complete a self-assessment questionnaire (SAQ) yearly.
What should Level 4 merchants do to ensure they achieve and maintain compliance? Reviewing the SAQ shows merchants what is expected of them. ISOs can play a key role by actively reviewing this document with merchants and helping them pinpoint areas of concern, making the compliance burden an easier one. There are a few key tips that merchants can benefit from.

ISOs should counsel their small merchants to avoid storing cardholder data, which simplifies their compliance requirements and reduces the risk of a breach. Merchants should also take a look at their POS systems: they should be using PA-DSS validated applications. If they are not, they should seek out a replacement; often, this is easier and more cost-effective than it looks. The merchant can sometimes retain their existing system, simply swapping out the payment component for a PA-DSS validated replacement, often referred to as a "payment engine". When it comes to POS equipment and systems, remind merchants to change vendor-set default passwords. It seems like such a simple thing, but these easy fixes can significantly decrease the merchant's vulnerability.

To those merchants who bemoan the cost of upgrading to a PA-DSS validated application, remember that the costs of a breach are significant and ongoing, including fines. If history is any guide, PCI requirements will continue to evolve to combat emerging threats, with formerly voluntary compliance tasks becoming mandatory. Small merchants who meet these requirements today will not be scrambling to attain compliance in the future.
The "Bricks and Clicks" Merchant
Many smaller merchants now have websites, many with online purchasing. Competing with larger companies, these merchants must provide this service to their customers in order to stay relevant. However, Level 4 merchants accepting e-commerce transactions need to understand their risks and responsibilities.
E-commerce fraud is huge, with an estimated $4 billion impact on U.S. merchants annually. Smaller merchants are particularly vulnerable: they rarely have the resources and tools to completely mitigate the risks involved. What are these risks? While Level 4 merchants can process up to 20,000 e-commerce transactions per year without triggering any additional PCI requirements, there may be PCI implications if your e-commerce set-up stores, processes or transmits cardholder data. If your e-commerce website collects and stores cardholder data in a database on your server, for example, you are now subject to a more costly and onerous PCI exercise. Most merchants do not store cardholder data themselves; once entered online by the customer, the data is typically transmitted to a payment gateway for authorization by the processor. However, by "transmitting" this cardholder data, merchants are subject to more stringent PCI requirements, which can be costly for small merchants. Other areas of risk for smaller merchants include using software that does not verify transactions using the CVV or AVS code, a common cause of chargebacks. Hackers can also wreak havoc on an e-commerce website by creating authorization requests from unknown servers, to verify whether a credit card is a good target for fraud.
While it may seem as if e-commerce is a risky endeavor for a small merchant with few IT resources, there are actually simple ways to mitigate these risks and compete on a level playing field with larger e-commerce merchants. First, look for shopping cart software that takes over at an earlier stage in the transaction, completely removing the entry of cardholder data from your website, so that you, as a merchant, are not responsible for this data from a PCI standpoint. There are e-commerce payment engines that provide this security, taking over when the card data is entered while allowing merchants to retain the look and feel of their own website. When the user is "passed over" to the e-commerce portion, it continues to feel as if they are on the merchant's website, a more reassuring, seamless experience for the user, which could minimize aborted sales. Second, make sure e-commerce software/shopping carts verify CVV/AVS codes, which is a key tool in reducing chargebacks. Finally, some payment engines designed for e-commerce have a validation feature that checks with the web store's server to make sure the transaction request came from a valid customer, preventing fraudulent transactions from hackers.
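To show what that last validation feature looks like from the web store's side, here is an added example (written for this article, not code from any vendor's payment engine). It assumes the engine calls back to the store with a per-checkout token, order id and amount before authorizing the card; the store never handles card data and only answers whether the checkout is one it actually started.

```python
"""Store-side validation of payment-engine transaction requests (added example)."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Checkout:
    order_id: str
    amount_cents: int
    expires_at: float
    used: bool = False


class StoreValidator:
    """Tracks checkouts the store started and validates the engine's callbacks."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self._checkouts: dict[str, Checkout] = {}

    def start_checkout(self, order_id: str, amount_cents: int, now=None) -> str:
        """Called when the customer clicks 'pay' on the store. Returns the token
        handed to the payment engine along with the redirect (assumed flow)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # unguessable, one per checkout
        self._checkouts[token] = Checkout(order_id, amount_cents, now + self.ttl)
        return token

    def validate(self, token: str, order_id: str, amount_cents: int, now=None) -> bool:
        """Answer the engine's 'did this request come from a real customer?' check.
        Rejects tokens the store never issued (requests from unknown servers),
        order/amount mismatches, expired checkouts, and replays of a used token."""
        now = time.time() if now is None else now
        co = self._checkouts.get(token)
        if co is None:
            return False                            # not a checkout this store started
        if now > co.expires_at or co.used:
            return False                            # stale or already authorized
        if co.order_id != order_id or co.amount_cents != amount_cents:
            return False                            # amount or order was tampered with
        co.used = True                              # exactly one authorization per checkout
        return True
```

Card-testing traffic that never went through the store's checkout has no token and is refused before any authorization is attempted.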