Search Payments Views

Merchants Just Want to Sell Stuff

Vicki T

August 29, 2016

Anyone who’s been in a Glenbrook Payments Boot Camp session with me has heard me emphatically stress that merchants “just want to sell stuff – they don’t want to be in the payments business”.

Of course many larger and more sophisticated merchants have figured out how to use payments strategically to increase sales – think private label credit, friction-reducing checkout, cross-border tender types, etc., – and/or to lower operating costs, but most of this is lost on the smaller Tier 3 and Tier 4 merchants. Those merchant tiers encompass the “mom and pop” stores – single store boutiques, dry cleaners, cafes and such, up to merchants with a few locations – generally generating up to a few million card transactions per year.

So where am I going with all of this? I was recently catching up with a former colleague of mine who is now head of sales at a major acquirer, discussing security solutions targeted at these Tier 3 and 4 / SMB merchants. I was lamenting what I consider to be a sad state of affairs in these segments, that relatively simple card security solutions have been in the market for years, but are not getting routinely deployed.

More specifically, I’m referring to what is known as “P2PE” – Point-to-Point Encryption solutions that essentially encrypt card data as it enters a point-of-sale device via a mag-stripe swipe or dip of the EMV chip and passes it securely to their card processor where it can be decrypted and sent to the card networks for processing. The overall goal, of course, is to get “radioactive” card data out of the merchant’s environment, protecting what is sometimes known as “data in flight”.

It’s worth pointing out that the PCI Data Security Council, the organization that sets industry-wide standards for card-related security, mandates that “data at rest” be encrypted in some fashion, but does not mandate point-to-point encryption. Instead, it does provide guidance on various other ways to protect data as it’s being transmitted from the point of sale to the merchant’s processor.  That said, the organization has provided “P2PE Solution Requirements and Testing Procedures” as well as associated FAQs[1].

In my opinion, P2PE is the closest thing to a silver bullet that we have to protecting mag-stripe and EMV transactions at Tier 3 and Tier 4 merchants right now, and it will be for a number of years until we have a critical mass of tokenized Apple Pay/Android Pay/Samsung Pay/Fill-in-the-Blank Pay transactions at physical POS (note that even the EMV specs don’t specify encrypting card data out the back end of the terminal).

Yes, this isn’t a trivial problem and with security every detail matters. If keeping merchant equipment out of PCI scope is the goal, then where encryption takes place and the path that data takes—back through the POS system or direct to the processor in the semi-integrated manner—makes a difference. Protection has to be in place at the application layer and over the communications link. But this is all settled science. There’s no mystery here.

So my problem is not that we don’t have the technology to protect these merchants with an affordable solution; my problem is that as an industry, we aren’t doing it. Instead, we are assaulting these poor SMBs with incomprehensible concepts such as “PCI compliance”, “mandated industry security standards” and the need to be “PCI certified”.  Why?  Shouldn’t the industry just build P2PE-type solutions into every point-of-sale device”?

And by the way, I should mention that it is now standard practice for most acquirers to charge their merchants monthly or annual “PCI Compliance Fees” that do NOT include installing P2PE on their terminals.  Oh yeah, and if the merchant is deemed to not be PCI-compliant, the merchant is usually hit with, you guessed it, a “PCI Non-Compliance Fee”.  And most acquirers charging PCI Compliance and Non-Compliance fees also sell security insurance to many SMBs to protect against potential fines and penalties stemming from data breaches that P2PE and tokenization could have mitigated in the first place.

Just to be clear, I’m not saying that P2PE and tokenization are sufficient to totally obviate SMBs having to think about card security. Merchants still need to be cognizant of how they handle physical cards, what they print on receipts, reports that may contain full account data, ensuring their terminals haven’t been tampered with, etc.  What I am saying is that the greatest risks can be largely mitigated relatively painlessly and cost-effectively.

To be fair, some acquirers do routinely install P2PE into their devices without explicit charges for it. They just build the cost into their pricing and/or include it into an add-on service such as data breach insurance. Although I really have to wonder about those acquirers that are happy to sell the SMBs data breach insurance without even requiring P2PE. I can only assume that they make more money paying off a claim here and there versus the cost of implementing P2PE.

But why are most acquirers not routinely implementing P2PE solutions as a matter of course? First, there is a cost to it – they need to modify, test, and certify their terminal apps as well as implement secure encryption key management practices (like they already do anyway with PIN pads). In addition, there are often technology licensing costs. And, in fact, many acquirers feel that the small merchants won’t pay them an explicit fee to cover these costs. But of course, it is now an industry standard to charge either PCI compliance or non-compliance fees that the merchants do pay. I have no idea how common this is, but I actually had an acquirer for a non-profit I volunteer for tell me that Visa and MasterCard required them to charge us those fees.

I don’t realistically believe that shining a spotlight on this issue will make much of a difference in the marketplace, but I do want to acknowledge those acquirers that are “doing the right thing”. I hesitate to mention those that I know of lest I forget some. But please feel free to acknowledge those that are in the comments section below. And as always, I’d truly appreciate your thoughts and perspectives.

[1] pcisecuritystandards.org/document_library?category=p2pe&document=p2pe_solution_requirements

1 Comment

  1. I think this problem exists in part because the PCI Council has set the bar so high for validated P2PE solutions. There are still relatively few choices, and even merchants who want P2PE are at the mercy of their vendor to integrate with a validated solution provider. Savvy merchants are looking for guaranteed scope reduction and that shorter SAQ. Using an encryption solution not on the council’s list means being more secure, but either spending money confirming that most controls no longer apply or spending money maintaining those now-redundant controls.

    The other problem is acquirers’ general need to profit. The stock market would beat them up if they turned off the faucet of compliance/non-compliance fee money unless they replace it with new revenue from P2PE fees. Merchants watching the bottom line have far less incentive to upgrade, given hardware costs plus ongoing P2PE costs. Until either acquirers decide it’s more profitable to give away P2PE or the council mandates it, tier 3-4 P2PE adoption will be the exception rather than the rule.

    Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Recent Payment Views

Will We See Ongoing Success of Buy Now Pay Later?

Will We See Ongoing Success of Buy Now Pay Later?

Buy now pay later (BNPL) has become a global phenomenon. The global BNPL market size was valued at USD 15.91 billion in 2020 with growth to 90.51 billion by 2029 (source 1). If BNPL isn’t in your market today, it will likely be soon.  Look at any major country...

read more
2023: A Big Year for Regulation in the US?

2023: A Big Year for Regulation in the US?

As we dive into the new year, we at Glenbrook reflect on the key themes and learnings within payments from 2022 and assess what we believe will emerge as key trends in 2023. My colleague Chris Uriarte recently shared his 8 Payments and Fintech trends for 2023 on...

read more
Decoupled Debit: How Fintechs Profited  from Durbin

Decoupled Debit: How Fintechs Profited from Durbin

This Payments Views post was jointly authored by Neel Saunshi and Andrew Liang If you have followed the Durbin Amendment since its 2011 implementation, you have seen stakeholders adapt in different ways. Consumers saw their debit rewards programs disappear. Large...

read more
Payments Partners: The Identity Industry

Payments Partners: The Identity Industry

Time to Read: 9 minutes The problem of knowing who to trust on an insecure, anonymous network has concerned me since I founded an ISP in 1995. With thousands of subscribers, it was the first time I confronted bad online behavior. As a payments geek, I’ve seen plenty...

read more

Glenbrook Payments Boot Camp®

Register for the next Glenbrook Payments Boot Camp®

An intensive and comprehensive overview of the payments industry.

Train your Team

Customized, private Payments Boot Camps tailored to meet your team’s unique needs.

OnDemand Modules

Recorded, one-hour videos covering a broad array of payments concepts.

Glenbrook Press

Comprehensive books that detail the systems and innovations shaping the payments industry.

Launch, improve & grow your payments business