NEW YORK (TheStreet) -- As the list of retail breaches expands, the discussion around payment security simultaneously grows louder. Maybe the move to more secure credit cards will help, or it's all about tokenization and encryption. But in this battle against hackers, the question might actually be: Just who is on our side?
At a Verizon (VZ) event on Monday night, three panelists discussed a new Verizon report on Payment Card Industry (PCI) compliance and the outlook on security in the industry. Each panelist had suggestions for ways that retailers can invest more in security, and each had opinions to share on the efficacy of PCI compliance, but what was most interesting was one panelist's sense of frustration with the credit card payment companies -- Visa (V), MasterCard (MA), and American Express (AXP).
Greg Buzek, a retail technology analyst and founder and president of IHL Group, shared his grievances with the way payment card companies tend to control the retail landscape.
For starters, Buzek finds PCI compliance (a security standard that vouches for a retailer's payments security infrastructure) itself to be an unreasonable mandate from the credit card companies. Just the act of complying with PCI can cost about 38% of a company's security budget, and maintaining compliance moves that up to around 50-60%.
The average supermarket that makes 0.8 cents on a dollar may not prioritize the process over supply chain needs, Buzek explained.
"[PCI's] a self-serving process, invented by the cardmembers, under the guise that this is going to protect consumers," he said. "And it was ramrodded and forced down, so everybody resents it. The retailers resent it, the vendors resent it, everybody resents it. It's like cleaning your garage--nobody looks forward to cleaning their garage, it's something that has to be done. You've got to do it, but nobody looks forward to doing it."
And when Buzek approaches card companies offering to partner with vendors or retailers and figure out better solutions, they're never interested.
The same goes for EMV (which stands for Europay, MasterCard, Visa), which will allow businesses to accept new credit cards with chips inside them, making them harder to clone than the traditional magnetic-stripe credit cards. Retailers will be mandated to deploy chip and signature technology along with EMV.
Why signature over PIN?
According to Buzek, only one network processes signatures, and it happens to be more expensive; with PINs, retailers would have a choice between a number of less expensive networks. The card companies end up with more money in their pockets.
All of this simply builds resentment among retailers, who view card companies as the enemy -- they resent the mandates and regulations. So while in theory, retailers and card companies should be working together to create a more secure payment landscape for consumers, they end up knocking heads.
"I'm friends with all the card brands, but it seems like it's red tape to doing what we all spend our day trying to do, which is serve customers and make money in the process of doing that, and it feels self-serving in the way it's mandated sometimes," Buzek said. "I see guys like Mercury Payments that have incredible programs that get retailers to where they want to go. I don't see that from Visa, MasterCard, and American Express, at the top line. I see it's just 'Gimme gimme gimme.' And that's the part that's frustrating for me as an analyst because I want to see an efficient retail enterprise where retailers can make a profit and they're not being forced one way or another. It just seems un-American."
--Written by Rebecca Borison in New York