Press Release

Survey: Acquirers Divided on How PCI Compliance Impacts Merchant Retention

Latest survey by ControlScan and MAC highlights struggle to balance “authentic compliance” and merchant convenience

ATLANTA, Mar. 22, 2017 - ControlScan, a trusted security and compliance program partner to the payments industry, in partnership with Merchant Acquirers’ Committee (MAC), has released key findings from the 2017 Acquirer PCI and Security Survey. Completed by more than 130 ISOs, acquirers, processors and payment facilitators, the survey’s results support an ongoing effort to understand and share PCI compliance program practices among payments industry stakeholders.

One of the survey’s key findings was that while merchant service providers agree their merchants’ PCI compliance is important, merchant retention concerns are creating a struggle between promoting convenience and enforcing compliance.

One-quarter (25%) of survey respondents said their PCI compliance approach has caused attrition among their merchants. By contrast, 22% credited their approach with helping them retain more merchants. These numbers are significant, because they show that nearly half of respondents believe their compliance approach impacts overall merchant satisfaction.

A survey respondent commented: “Competition can steal away merchants if they make their PCI compliance methods seem easier or cheaper to comply with.”

“Easing their merchants’ PCI compliance pain is certainly to the acquirer’s competitive advantage, but for risk reasons, it’s important to actually get the merchants compliant,” said Chris Bucolo, Director of Market Strategy, ControlScan. “Acquirers who become a trusted advisor to the merchant will be more knowledgeable, consultative and communicative, and that will strengthen merchant retention.”

The survey found that a strong majority (75%) of respondents did see their portfolio compliance rate increase in 2016. Of those, 47% felt it was because they had increased the amount of merchant education surrounding compliance.

According to Bucolo, these and other survey findings indicate that acquirers are taking a deeper look at how adjustments to PCI compliance program variables can maintain simplicity for the merchant and, at the same time, lead to “authentic compliance.” ControlScan defines authentic compliance as “an ongoing state of security awareness, demonstrated by a merchant who understands and continuously employs the fundamental technologies and processes required to protect sensitive data.”

“I think it is possible to achieve authentic compliance without overwhelming the merchant,” said Kate Root, Senior Vice President, Chesapeake Payment Systems, a division of Chesapeake Bank. “Education and communication make all the difference.”

“Authentic compliance means the merchant has actually learned something versus simply checking the boxes,” said Bucolo.

Additional results and insights from the 2017 Acquirer PCI and Security Survey were discussed in a recent MAC webinar. The webinar replay is now available online.

“MAC is pleased to continue to partner with ControlScan on the annual Acquirer Study in an effort to educate our members and the payments ecosystem on the importance of PCI compliance,” said Vadeene Sisk, Board Secretary, Merchant Acquirers’ Committee.

For more information on ControlScan, please visit or call 800-825-3301. For more information on MAC, visit


About the Survey

The ControlScan/MAC 2017 Acquirer PCI and Security Survey was completed between December 15, 2016 and January 26, 2017 by 133 acquirers, processors, ISOs and payment facilitators with Level three and four (small- to mid-sized merchant) portfolios ranging from less than 1,000 accounts to more than 50,000.

About ControlScan

ControlScan is the Managed Security Service Provider with a difference: We take a proactive approach to protecting businesses from cyber threats while helping ensure their compliance with security and privacy standards like PCI DSS and HIPAA/HITECH. Our unified security and compliance solutions deliver confidence to millions of businesses as well as the IT professionals who serve them. Merchant service providers and web hosting companies also partner with us to reduce cybercrime-related business risk. Headquartered in Atlanta, ControlScan is venture backed and supported by a worldwide base of customers, partners and strategic alliances. For more information about our company and solutions, please visit or call 800-825-3301, ext. 2.

About Merchant Acquirers’ Committee (MAC)

MAC is an organization of bankcard professionals involved in the risk management side of Card Processing. We have members from banks, ISOs, card associations and others related to the risk management side of the industry. MAC’s mission is to strengthen the payment ecosystem through ongoing education, communication and cooperation among acquirers, card brands and enforcement agencies. For more information, visit