Target and Toys R Us posted overall sales declines during the holidays.
(Page 2 of 2)
And there`s more at stake than a fine from an association. "I wouldn`t want to be a merchant issuing a press release saying, `I`m sorry, your data is compromised and here`s an 800 number for you to report any fraudulent transactions,`" Noel says. "It can`t help for you to be in a position where you`ve not protected the most precious asset your customers entrusted you with--their financial information."
Although there are penalties for missing the deadlines, MasterCard and Visa are showing leniency towards non-compliant merchants. That`s because there are often legitimate reasons merchants can`t meet the requirements by compliance dates, for example, a merger or system changes, Maxwell says. "There are always going to be mitigating circumstances, which is why we are actively managing and ensuring that we understand the status on the merchant level," he says. "We can recognize a reasonable effort."
Visa, too, will work directly with merchants in conjunction with the financial institutions that sponsored them into the Visa network, Shaughnessey says.
The progress made in merchant adoption of security standards has left the associations optimistic that database breaches will be fewer and far between. "In the incidents we`ve seen, had the retailers been compliant with PCI or CISP, it`s likely they wouldn`t have been hacked," Shaughnessey says. "So we think there`s a lot of strength and wisdom in the requirements and they`ve been pretty well thought out."
While the data protection programs are moving forward, the cardholder authentication programs of the two associations--Verified by Visa and MasterCard SecureCode--are finding less success.
At MasterCard, merchant participants have increased to more than 50,888 merchants, compared to 9,000 a year ago, Maxwell says. It has 11.3 million cardholders worldwide enrolled in the program. MasterCard has a merchant base of about 23 million and a cardholder base of 679.5 million.
At Visa, 56,000 merchants have enrolled in Verified by Visa as have 4 million cardholders, says Mike Yakel, vice president for risk product development. At merchant sites that support Verified by Visa, 38% of transactions are authenticated, he says.
In spite of those seemingly large numbers, the merchant cardholder bases are only fractions of all cardholders and merchants. In fact, some critics note that the cardholder number may not be accurate in that it represents card accounts automatically enrolled, meaning the cardholder did nothing to enroll and probably doesn`t even know that he`s a participant.
The associations have had a tough time persuading e-merchants to adopt the authentication codes. They argue that consumers worried about fraud would be more likely to shop online if they knew their credit card numbers are protected. And the codes should cut fraud losses due to unauthorized use of account numbers, they say.
But the authentication programs have fallen victim to the chicken-and-the-egg syndrome: card issuers see no need to promote the program to their cardholders because there are too few merchants participating. And merchants see no need to sign up when there are few cardholders using it.
In addition, retailers believe that any step added between the time a customer selects a product and completes the purchase will increase the abandonment rate, an e-merchant`s greatest fear.
"The original problem with Verified by Visa was that because of the work it imposed on the consumer, it was depressing response by as much as 40%," says Tim Litle, chairman of Litle & Co. Litle processes for 150 online merchants.
And while Visa streamlined the process, Litle says the merchants he deals with aren`t demanding Verified by Visa. "We`ve certainly laid out the alternatives to merchants but they`re more worried about depressing response," even if it`s by as little as 1%, he says.
Incentives, such as Visa`s offer of zero liability and a 5-basis-point reduction in the interchange rate for merchants using Verified by Visa, have not overcome those fears, Litle say.
The associations acknowledge that the authentication codes are still a hard sell to merchants. "There are still some retailers who, when they fully understand the value of the chargeback benefits and the interchange, say there`s not sufficient value to deploy the service," Yakel says.
Click Here for the Guide to Payment Security Products and Services