Visa Adds New Level 4 PCI Requirement, As The PF Attractiveness Gets A Lot Stronger

In a late holiday gift for PFs everywhere, Visa has upped the requirements for PCI Level 4 (small business) merchants. Specifically, as of the end of January 2017, those small merchants “must use only Payment Card Industry (PCI)-certified Qualified Integrators and Reseller (QIR) professionals for point-of-sale (POS) application and terminal installation and integration.”

Although few would argue that using trained and approved vendors to do any POS work is not a good idea, merchants are already feeling that the burdens of getting and staying PCI compliant are too high. Given a PF’s willingness to take on all of the PCI aggravation, that offer just got more attractive to Level 4s.

It’s important to note that while all small businesses are Level 4, not all Level 4s are necessarily small businesses. Visa, for example, defines a Level 4 merchant as one “processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants—regardless of acceptance channel—processing up to 1M Visa transactions per year.” Depending on the product’s price tag (diamond earrings versus a cheeseburger), that million could represent a not-so-tiny merchant, especially given that transactions are counted separately for each card brand, not across all of a merchant’s transactions.

Suraj Srinivas, a PCI QSA and the director of consulting for ANX, specializes in Level 4 merchants and he strongly predicts the newly-imposed deadline of one year from now will get extended. Why? Because there are far too few approved QIRs to handle the “gazillion” Level 4 merchants out there, Srinivas said.

Technically, I’m not that sure that gazillion is a real number. As of Dec. 31, 2014, Visa estimated that there are about 5 million Level 4 merchants. Those appear to be the last stats that Visa published. At that time, Visa said that 97 percent of Level 1 merchants were PCI compliant and that 88 percent of Levels are PCI compliant. I really doubt that those are real numbers.

Visa, as it has done for many years, merely listed Level 4 compliance as “moderate,” adding the caveat it always added: “Level 4 compliance is moderate among stand-alone terminal merchants, but lower among merchants using integrated payment applications.”

As of Tuesday night (Jan. 26), the official PCI list of approved QIRs had only 71 names. But that’s better than it was recently, when Srinivas checked and only found seven names.

“That is still way too low. (The list’s) 71 is still a small number. There are thousands of resellers in this market in just the U.S. alone,” Srinivas said. “Where are the largest of the largest companies? The ones you expect to be on this list?” A scan of the list only revealed a handful of names of larger well-known companies.

And there’s more bad news for Level 4 merchants, which becomes good news for PFs. Srinivas said it’s inevitable that those new QIRs will sharply boost their rates, to cover the added QIR costs. “I’m sure there is going to be a cost increase across the board,” he said.

Perhaps, but in the beginning—when the list is still relatively short—those new QIRs will also likely see sharply increased revenue as Level 4s across the country need to use someone on that list.

As a practical matter, whereas some Level 4 merchants will certainly go to those lists, most will be more likely to go to their existing POS provider and strongly encourage them to get themselves on the list, or else the merchant will go elsewhere for its POS business.

In the memo detailing the new PCI Level 4 requirement, Visa offered a few exceptions to the rule. “Merchants using single-use terminals without Internet connectivity are considered low risk and may be excluded from these requirements. Additionally, if a merchant does not use a third party for POS application or terminal installation, integration or maintenance, the requirement to use a QIR does not apply.”

I’m guessing that last exception won’t be too much of an issue, but if local pizza parlors and dry cleaners start writing their own POS apps, happiness in the cyberthief community shall boil over.

But a Visa-crafted Q&A offers a strange thought. When Visa chose to ask itself “Why is Visa establishing these requirements now?”—emphasis on “now”—it answered itself this way: “Based on recent forensic investigations, small merchants remain a target of hackers attempting to compromise payment data. Additionally, investigators have identified links between improperly installed POS applications and merchant payment data environment breaches. Specifically, forensic reports note security protocol gaps in remote access services that integrators and resellers use to provide monitoring and software support (e.g., default or shared remote access IDs without two-factor authentication or regular password changes). For merchants, these gaps create a significant risk of payment data compromise through malware exposure.”

The problem is those facts have been known to everyone in payments for at least a decade. It is anything but an explanation for why Visa is suddenly doing this in 2016. By the way, these changes only impact the U.S. and Canada. Visa’s rationale: “Visa is introducing these requirements in the U.S. and Canada because these countries have experienced the largest number of small merchant breach incidents.”

More cynical voices might say that it’s to boost fee revenue for PCI—those certification classes aren’t cheap. A non-participating organization has to drop $395/candidate for the course/exam, an extra $150 if they need to retake the exam and the requalification course is another $350/QIR. (Participating organizations pay less: $250 for the course and $175 for the requalification. They pay the same $150 to retake the exam.)

It may not make a world of difference, but those calls to small merchants now—once you’ve reminded them of the new Visa rules—may find a slightly more receptive audience.