ETA’s Transaction Trends publication recently featured an article by Darrel Anderson entitled Why PCI Compliance Isn’t Working. In it, he describes one of the problems that we’ve been exploring here over the last month or so—incentive structures for PCI DSS. At the ETA Strategic Leadership Forum, the CEO of a prominent payments company echoed this sentiment by suggesting that his peers in the industry should be invested in taking the bite out of processing payments. Darrel touches on this in his article when he discusses the complexity of PCI DSS and how merchants struggle with it. His first carrot is to make this process easy.
But we shouldn’t be focusing on making PCI easier; we should be focusing on making the complex process of PCI compliance largely irrelevant for merchants. Darrel’s proposed changes would make a difference, but they still leave the merchant dealing with the complexities of PCI DSS when there are options to avoid this.
The right shift to the incentive structure would be to build incentives that remove the need for knowledge of payment systems and the complexities of PCI DSS. Merchants should not be burdened with dealing with payment information, and instead should be incentivized to use terminals and systems that keep them safe. Safety comes from two things: 1) current technology that is well maintained and secured, and 2) the providers of those systems taking some of the responsibility in the case of a breach.
Merchants who demand these types of solutions will end up solving the problems around PCI quite elegantly, while causing broader change in how payments are handled in general.