Adding Value to Acquiring Bank Portfolios With Managed PCI Compliance

Gabriel Moynagh, CEO of cybersecurity firm Sysnet, explains how acquirers can replace revenue from PCI DSS penalties for non-compliance with a managed service offering that improves customer relationships and boosts merchant security.

The worldwide Payment Card Industry Data Security Standard (PCI DSS) was set up to help businesses process card payments securely and to reduce fraud. Tight controls are designed to protect the storage, transmission, and processing of cardholder data that businesses handle.

Merchants who fail to comply with the standard are exposed to non-compliance fines and may see their relationship with their acquirer terminated, which leaves them unable to accept card payments.

Acquiring banks are obliged to take a tough stance on PCI DSS compliance. Fraudsters target weak links in the payment chain to steal payment data (card numbers and card security codes) and customers’ personal information – such as names, addresses, phone numbers, email addresses, dates of birth – for the purpose of committing fraud.

If and when a data compromise occurs, fines associated with non-compliance can reach hundreds of thousands of pounds; many non-compliant merchants have ceased trading because the fines could not be accommodated. This is in addition to the significant harm caused by associated reputational damage, so is it any wonder that the PCI Security Standards Council refers to surveys suggesting that 60% of small and medium businesses closed within six months of a payment data breach?

While penalties for PCI DSS non-compliance are on a more modest scale, they are a not-inconsiderable source of revenue for acquirers – although this is not a sustainable long-term revenue stream.

Overcoming barriers to compliance

We know that merchants want to comply with PCI DSS and recognize the value of increasing customer confidence in the security of their transactions. However, merchants face several challenges, most notably:

  1. Time and resources: SMBs understand the importance of cybersecurity but it gets pushed down the list of priorities by the day-to-day tasks necessary to keep the business running.
  2. Technical requirements: The compliance process can be complex and the vast majority of merchants don’t have in-house IT staff with the required technical skills.

Many companies offer security products for SMBs but not the management of those tools. Acquirers using a managed service for PCI DSS compliance can give their merchants access a service that actually costs less than most fines for non-compliance, while boosting all aspects of the business’s security, from firewalls to anti-virus protection. It’s win-win.

SMBs want to be compliant but don’t always know what they need and often feel overwhelmed by the process. This isn’t surprising: merchants want to focus on selling their products and services, knowing that effective security requirements are being delivered for them at a cost they can afford while ensuring compliance with standards that keep their customers secure.

Giving merchants greater choice when it comes to PCI DSS compliance and cybersecurity is an attractive proposition for acquirers. Acquirers, like Elavon, have recently migrated hundreds of thousands of merchants to a managed-service platform enabling their merchant customers to complete their compliance on a self-serve basis or allowing expert agents to manage data security and compliance on their behalf.

Improved customer insight

As well as generating revenue from security tools that enhance their customers’ cybersecurity, acquirers also gain a greater understanding of where the risk lies within their customer base, enabling them to take steps to address that risk.

The industry hasn’t done enough to help small business merchants with their security issues. In the past, security solutions have focused on a portfolio subset such as e-commerce rather than providing a holistic solution.

As a result, many merchants are paying non-compliance fees rather than addressing shortcomings in their security protocols. This is absurd when managed services provide a unique opportunity for acquirers to retain key relationships with merchants while helping them keep customers and build loyalty. It is the shared responsibility of the industry to ensure compliance can be met, affordably and without leaving chinks in the armory of businesses, no matter their size.

To find out more about managing PCI DSS and cybersecurity for smaller merchants and adding value to acquirer-merchant relationships, visit

Read about how we helped Elavon to simplify PCI compliance and deliver improved data security with Sysnet.air, visit