This month's Transaction World is dedicated to security, but doesn't it seem as if acronyms such as PCI, SDT, and PABP have been beaten into every acquirer, ISO and MLS so many times that we are well up to speed? For most of us, the answer is "Yes, we get it." We have locked down our payment platforms, offices, and procedures in the hopes of avoiding a doomsday event such as the Card Systems breach of 2005. We have also followed all of the networks' rules and regulations regarding scanning higher risk businesses and polling the smallest Level IV merchants. However, there is one segment that represents the greatest risk to all acquirers and that is Integrated POS Systems (IPOS). Believe it or not, the majority of all payment data security breaches and fines stem from non-compliant IPOSs and the payment networks have no direct influence or control over their actions.
These IPOSs originate transactions from millions of merchants every day and that number continues to grow. As the price of computers has decreased over the years and access to IP connectivity has expanded to even the smallest and most remote businesses, more and more merchants have turned to IPOS. Acquirers' concerns over data security and IPOSs mount every day as we have been mandated to regulate the IPOS by the networks. However, an IPOS certifies its payment processing capabilities to a processor, not an acquirer, and the processor often has no liability for the underlying transactions originating from the IPOSs. There are hundreds of IPOS in the market in varying business segments - some with thousands of installations, others with only a handful. In addition, these IPOSs are sold directly to merchants through a completely different distribution network to which acquirers do not have direct access. Finally, many merchants who bought an IPOS years ago have not upgraded their systems to newer versions because of incremental costs or their "it can't happen to me" mentalities.
As you can see, the IPOS industry is highly fragmented and a difficult audience to disseminate information to. At the same time, acquirers have little to no leverage for enforcement of data security standards.
Do I enjoy the position we as acquirers have been put in? Absolutely not. It is precarious and completely unfair. However, as they say, "You can't fight City Hall." So, like you, I must work within the given infrastructure. As Acquirers, ISOs and MLSs, we all must work to educate the merchants on IPOS — and with the IPOS vendors themselves — and bar our distribution channels from boarding merchants with non-compliant systems. The fines and breaches will continue to pour in if we all don't band together to eliminate these points of compromise. From first-hand experience, I can tell you that these fines and breaches are real! As an industry, we must work together to mandate compliance because if just one ISO or Acquirer bends the rules, the entire process breaks and we all pay the price.