Press Release

Report: ISOs and Acquirers Not Offering Security Risk-Reducing Technologies and Services Desired by Small Merchants

ControlScan-sponsored survey results reveal momentum in small merchant PCI compliance, but also show that more work needs to be done to reduce the number of breach incidents

ATLANTA, Feb. 3, 2014 - Payment security and compliance service provider ControlScan today announced a newly-released survey report that highlights findings from its third annual survey of merchant acquirers. "Building Momentum: The Third Annual Survey of the Acquirer's Perspective on Level 4 Merchant PCI Compliance" was produced in partnership with Merchant Acquirers' Committee (MAC) and reveals important areas in which ISOs, acquirers and other merchant service providers (MSPs) are missing opportunities to help merchants close payment security gaps.

According to the ControlScan/MAC report, just 44 percent of survey respondents' organizations currently offer risk-reducing tools or services—beyond access to the PCI-required Self Assessment Questionnaire (SAQ) and external vulnerability scanning—to help merchants meet specific payment card industry requirements. Of the MSPs currently offering additional value-added merchant solutions, tokenization and point-to-point encryption are the most common. 

"Today's threat environment challenges merchant service providers to take a fresh look at their PCI programs," said Heather Foster, vice president of marketing, ControlScan. "Small merchants in particular need guidance in terms of readily-available technologies and services that reduce PCI scope and support a strong security posture."

Other key findings from this year's ControlScan/MAC survey show that MSPs are building momentum in small-merchant PCI compliance validation, but that more work needs to be done. For example, more acquirer survey respondents are reporting portfolio compliance rates above 40 percent; however, there has also been a 23 percent increase in the number of merchant breach incidents since 2012.

"The latest acquirer survey reveals great opportunities for MSPs, including the ability to offer merchants risk-reducing tools as well as justification for being more aggressive in charging non-compliance fees," said Susan Matt, CEO of payments consulting firm ThoughtKey, Inc., and longtime MAC committee member. "MSPs who seize these opportunities will achieve greater risk reduction overall, gain revenue and ensure merchant retention."

The free survey report includes specific recommendations to help acquirers successfully engage their Level 4 merchants in the PCI compliance process. To access a copy of the survey report, please click on the following link: An infographic highlighting key data points is also available at

About the Survey
The ControlScan/MAC Third Annual Acquirers Survey was completed between October 20 and November 20, 2013 by 139 banks, processors and ISOs with Level 4 merchant portfolios ranging from less than 1,000 accounts to more than 50,000.

About ControlScan
Headquartered in Atlanta, ControlScan delivers unified security and compliance solutions that help small and mid-sized businesses secure sensitive data and comply with information security and privacy standards. We support business owners, franchisees and merchant service providers with technology, services and expertise for PCI DSS, HIPAA and EI3PA compliance; vulnerability detection and risk mitigation; POS, e-commerce and mobile security; and more. For more information, please visit or call 1-800-825-3301.

About Merchant Acquirers' Committee (MAC)
MAC is dedicated to providing banks, ISOs and card associations with universal risk management solutions through ongoing communication and cooperation among its membership. For more information on MAC's 2013 Conference and sponsors, visit