Press Releases

Results Released from First Industry Survey of Acquirers: Benchmarking Level 4 Merchant PCI Compliance – The Acquirer's Perspective

ATLANTA, GA and LOS ANGELES, CA, Jan. 9, 2012 — Despite the payments industry's frustration with a perceived lack of progress with Payment Card Industry (PCI) compliance adoption among small merchants, a recent survey finds a growing number of acquirers see value in having a PCI program to reduce data breaches and overall portfolio risk with success coming to those who actively engage their merchants in PCI education and support.

This conclusion is just one of the major findings from a survey, Benchmarking Level 4 Merchant PCI Compliance – The Acquirer's Perspective, of more than 146 banks, processors and Independent Sales Organizations (ISOs) serving Level 4 merchants conducted by ControlScan and Merchant Acquirer's Committee (MAC) ( Ninety-four percent of acquirers have a PCI program in place for their Level 4 merchants with 57 percent saying their merchants see value in their PCI program. More importantly, 70 percent of acquirer respondents believe their PCI program reduces small merchant data breaches.

"Over the last three years, ControlScan has extensively studied the viewpoints of small merchants regarding PCI compliance," said Joan Herbig, CEO of ControlScan. "For the first time, we are benchmarking the experiences of acquirers in helping small merchants comply with the PCI DSS. While recent research has broached this topic, it has been from the standpoint of larger merchants, Level 1 and 2, and has had little applicability to the challenges faced by smaller Level 4 merchants. This study shines a light specifically on this segment."

According to the survey, 61 percent of PCI programs have been in place for two years or less, so the duration of programs is still maturing based on the fact that the PCI DSS was initially developed and released seven years ago. Overall, one-third of respondents said at least one of their merchants experienced a data breach during the last 12 months. Study responses show, however, that as the Level 4 merchant compliance rate increases, the occurrence of a data breach decreases.

"The benchmarking study suggests that acquirers have a positive outlook on PCI compliance, a stance MAC wholeheartedly supports in its communications and education curriculum for members," said Susan Matt, CFO of MAC and CEO and founder of ThoughtKey, Inc. "The study also links certain key attributes of acquirers with high PCI compliance rates – a correlation we simply speculated earlier, but can now stress as best practices to the industry."

Key attributes of acquirers with high PCI compliance rates, include, but are not limited to, monitoring their PCI programs frequently, offering a suite of tools to help merchants achieve compliance and outsourcing some or all of their PCI program to a third-party (81 percent of respondents outsource). Fewer acquirers with high PCI compliance rates also had merchants that experienced a data breach in the last 12 months.

"Some of the most common questions we receive from acquirers, as a PCI compliance and security solutions provider, revolve around whether or not their peers charge PCI program and non-compliance fees," continued Herbig. "Since the study directly addresses these topics, we can now speak definitively to standard practices by acquirers serving Level 4 merchants."

To access a copy of the detailed study findings, please click on the following link:

About the Survey
The survey was completed in October 2011 by 146 banks, processors and ISOs with Level 4 merchant portfolios ranging from less than 1,000 accounts to more than 50,000.

About ControlScan
Headquartered in Atlanta, ControlScan delivers unified security and compliance solutions that help small and mid-sized businesses secure sensitive data and comply with information security and privacy standards. We support business owners, franchisees and merchant service providers with technology, services and expertise for PCI DSS, HIPAA and EI3PA compliance; vulnerability detection and risk mitigation; POS, e-commerce and mobile security; and more. For more information, please visit or call 1-800-825-3301.

About Merchant Acquirer's Committee:
MAC is dedicated to providing banks, ISOs and card associations with universal risk management solutions through ongoing communication and cooperation among its membership. For more information on MAC's 2012 Conference and sponsors, visit