At the turn of the 19th century in Russia, revolutionaries were stirring the pot and advocating the overthrow of the Tsarist regime.  Often, propagandists would travel to the rural areas of Russia and attempt to stir up the peasantry by regaling them with a long list of evils perpetrated by the Tsar and his men.  The revolutionaries could not seem to understand that their passionate pleas to rise up against the oppressive regime were most often met with a shrug of the shoulders and perhaps a pitying shake of the head.  The response from the peasants was very often, “God is in His Heaven and the Tsar is far away.”  In other words, bring me something relevant.  Why should I care that the Tsar has created some policy that impacts urbanites and pretend intellectuals in Moscow when I have crops to harvest and mouths to feed?  Unless the Tsar or God is going to come here directly and force me to do it, why should I?  It wasn’t until Tsarist policies began to impact agriculture and the subsistence of the Russian peasantry that revolutionary zeal was seen in the outlying regions.  In short, it wasn’t until the Tsar actually was in their neighborhood that the peasants decided to act.

What does the Russian revolution have to teach us about payment security?  Very simply, that the sentiment of the Russian peasantry is roughly equivalent to the attitude of many Level 4 Merchants, and with good reason.  The Level 4 Merchant is often a very small business, trying very hard to maintain their margins in an economy that is increasingly difficult.  When confronted with a standard that contains more than 220 data security requirements and they are told that they must comply, they often simply shake their heads.  “God is in His Heaven and the Tsar is far away.”  In more contemporary language:  “The card brands are on the coasts and my acquirer is in New York.” 

In essence, the industry has presented to small merchants a problem without a solution. The Level 4 merchant may or may not be required to validate their compliance, depending upon the needs of their acquirer.  If they are not required to validate compliance – well, then the Tsar is far away, indeed.  There is little or no enforcement until an event occurs that brings the merchant to the attention of the acquirer or the card brands.  On the other hand, how can an acquirer with a portfolio of thousands (or tens or hundreds of thousands) of merchants realistically manage their compliance?  All the revolutionary fervor in the world cannot convince a small business person to spend hard-won margin on security measures that bring an intangible benefit.

In the vein of the Russian peasantry in the late 1800s, let’s bring them something that is relevant.  Help the Level 4 Merchant cultivate an environment that is secure and does not take money out of their cash registers.  Payment security is due a revolution.  The industry has seen some initial forays into real innovation that can affect security for everyone, but in looking at these solutions we must remember that enterprise level companies are not the only constituents in the industry.   The Level 4 Merchant is, in fact, an extremely important demographic in the industry and to overlook their concerns with respect to data security and operational viability would be short-sighted.

Heather Mark, PhD; SVP Market Strategy  SFVVEWUY77NY