Specialist IT security consultancy VigiTrust
has said that some merchant acquirers are getting too used to
income from PCI DSS non-compliance fines, and are not doing enough
to improve compliance levels.

The consultancy’s Managing Director, Mathieu
Gorge, said that acquirers profiting from fines levied against
non-compliant businesses are not doing enough to fill the knowledge
gap that exists among merchants – particularly small retailers.


However, when it comes to focusing the mind of
the merchant, he concedes that fines are undeniably effective. The
company conducted research in collaboration with Barclaycard and
Visa, finding that fines imposed by acquiring banks were one of the
principal factors driving small merchants to tighten up their
compliance.

“For acquirers, non-compliance fines cannot be
seen as a new line of business,” he said. “However, it is
undoubtedly a good way of getting merchants’ attention.

“The fines should go hand in hand with support
and training aimed at achieving PCI DSS compliance.

“The good acquiring banks recognise the value
of having successful merchants, and they value the good reputation
that comes with a good record of compliance.


“In the UK, Barclaycard Merchant Services has
really championed the benefits of compliance. However, the risk is
with the smaller players,” he said.

“Overall Europe is still lagging behind the
US. But PCI DSS compliance will be written into EU data protection
regulations within the next three years, so it certainly won’t go
away,” he said.

In a deal aimed at helping smaller merchants,
as well as large retailers tighten up their compliance procedures,
VigiTrust is partnering with the consulting division of telecoms
giant Verizon to expand its consultancy and training offering to
include Qualified Security Assessor (QSA) services.

“PCI DSS compliance is not about running a
project and meeting one set of targets,” said Rodolphe Simonetti,
Director of Governance, Risk, Compliance Consulting Services for
EMEA at Verizon Business. “Rather it must be considered an ongoing
process.”

Gorge agreed, saying: “Many larger retailers
have projects in place, but still face challenges when it comes to
continuing compliance – addressing issues between assessments
is key.