The Green Sheet

Bull's-eye on small-merchant PCI

Payment Card Industry (PCI) Data Security Standard (DSS) compliance solutions specialist ControlScan Inc. was founded in 2005 by a small e-commerce business in need of a solution to secure its Web site. After researching available offerings, the company concluded no niche was dedicated specifically to helping small and mid-sized e-commerce merchants secure their businesses. ControlScan decided to fill the need.

In late 2007, ControlScan brought a new management team onboard to expand the company's scope. Joan Herbig, ControlScan's Chief Executive Officer, saw an opportunity to parlay the work the company had done with e-commerce merchants directly. Subsequently, ControlScan shifted its strategy and began partnering with ISOs, banks and merchant acquirers to roll out PCI programs targeted to their small merchant portfolios.

"Up to that point we only sold directly to e-commerce merchants in the PCI space," Herbig said. "So we started targeting acquirers, ISOs and banks to help them manage their portfolios of small merchants through the PCI compliance process. These organizations have anywhere from a couple hundred merchants to tens of thousands for whom they are processing or providing services.

"Most of our ISOs and banks have a combination of e-commerce, brick and mortar and MO/TO merchants - and we certainly have a solution that will work across all merchant types. And I know one of the things that differentiates ControlScan is that from the very beginning we have had an exclusive focus on the Level 4 merchant. We wake up every day thinking about our small merchants, how they go about their business and how that relates to PCI."

Offering rich solutions to all

PCI questionnaires can range from 11 questions to over 200. To help small merchants achieve PCI compliance as simply as possible, ControlScan provides:

  • A Web-based portal to complete the appropriate PCI Self Assessment Questionnaire (SAQ), vulnerability scanning (as needed), security policy building and security awareness training

  • A picture-driven qualification process that guides merchants to the correct version of the SAQ frequently asked questions form, and provides real-life examples and tutorial videos to help merchants through the PCI process

  • Support via phone, e-mail and online chat

To help ISOs and acquirers launch and track a successful PCI compliance program with their small merchants, ControlScan provides:

  • Its PCI dashboard for easy, real-time tracking of a portfolio's progress toward PCI compliance

  • Transparency into merchant communication activity such as outbound calling and mailings

  • Card brand reporting with a click of a button

  • PCI and product training for the ISOs' externally-facing employees to ensure consistency of message

  • A resource library with educational information for merchants

  • A customized merchant communications plan for program launch and PCI recertification

  • Comprehensive merchant outreach programs (targeted outbound calling, e-mail and direct mail campaigns) that yield high compliance rates

Providing personal attention

According to Herbig, all of ControlScan's offerings are tailored to help merchants become compliant. The biggest challenge, however, is getting these small merchants to take action.

"We offer Web solutions that are quite rich in terms of what we can do to make compliance as easy as possible, but more importantly we offer them access to human beings as they move through the process and help them answer any question or address any concern," Herbig said.

"We help them interpret the results and work with them to remediate any vulnerabilities that are discovered. And what our bank and ISO partners like about our program is its full-service nature.

"We can help them design programs that are tailored to the way they deal with their merchant communities. It's not about providing some generic solution. We offer a program that starts with outreach to the merchant and continues all the way through the process of completing compliance. Remember also that they have to go through the process every year, so it's another process entirely to re-engage that merchant each year - and we help with that as well."

ControlScan believes it distinguishes itself by providing service on a more personal level.

"Consulting with our partners from the very beginning of a relationship gives us a sense of the tone that our ISOs, banks and acquirers take with their merchants and how they approach them, so that as we engage with their merchants we become a natural extension of their team," said Heather Varian Foster, Vice President of Marketing.

"We work diligently to educate the merchants and provide whatever services or products needed to help them understand the value of PCI and how it will help protect their businesses."

Tending to every partner

For Omaha, Neb.-based payment solutions provider American Payment Systems, it was this attention to the human element that enticed the company to partner with ControlScan in April 2009.

"In a nutshell it was their attentiveness to me," said Steve Cartwright, Chief Financial Officer of APS.

"They paid attention to me where other PCI partners didn't. We're not a huge ISO, so our goal is to make our smaller merchants feel like they matter to us. Simply put, I felt like I mattered to ControlScan. They understand what it's like to work with these merchants, and they were able to mimic our business model and be a lot like us in that regard."

Cartwright added that whenever he has questions about PCI or the program, ControlScan will get the right people on the phone and give him the information he needs. "They were and are so responsive and attentive," he said. "ControlScan's outbound calling approach made all the difference in the world. No other way would be as effective. Now I can refer my merchants over to true PCI experts because there is no way my small customer service team would be able to do this."

Taking all of the burden

In the first two months of its partnership with ControlScan, APS' compliance rate increased 30 percent overall; after the first six months, compliance rates had reached nearly 50 percent.

According to David Abouchar, ControlScan's Senior Director of Product Management and Development, outsourcing is an attractive proposition for banks and ISOs because it helps offload the burden of managing a PCI compliance process.

"Many don't realize all the intricacies involved in and the overhead required to manage an effective program," Abouchar said. "This includes having the right people, processes and technology. And we define 'effective' as a program that yields high compliance rates and merchant satisfaction, while allowing our partners to focus on their core business.

"Additionally, we pride ourselves in being that trusted ally for all our partners' merchants because they don't know, by and large, where to turn. They typically don't have an IT person on site, and they're looking for direction. We empathize with that, so we're there to give them whatever information they need to address any PCI issue."

Sandy Jackson, Client Implementation/Special Projects Manager at payment and compliance solutions provider CardWare International, said it was that sense of empathy and the degree of personal service provided that made ControlScan attractive as a partner.

"Many of our merchants were unclear and overwhelmed by PCI, so we needed a program that was user-friendly and easy to understand," Jackson said. "A majority of our business referrals to ControlScan have come directly from our financial institutions that are seeking a provider to eliminate the hassles for them, to handle PCI compliance internally and provide a robust reporting package that allows them to track the status of their merchant portfolio.

"Additionally, ControlScan has been a major contributor and participant in our annual Peer Group Meeting. Each year we invite a select group of clients and vendors together, and ControlScan always provides a presentation to one of the most frequently requested topics of discussion. We greatly appreciate their participation in this event, and we value their partnership with us."

Rolling out an automated alternative

Abouchar noted that, as an extension to PCI compliance and to better assist its partners' underwriting processes, ControlScan is formally launching a new risk management product called WordScan.

It is designed specifically to automate e-commerce merchant underwriting and eliminate the manual process that many ISOs, banks and acquirers still use today.

"When our partners have to underwrite e-commerce merchants, there are certain words that must be contained with[in] the site before the account can be approved," he said.

"In addition, card brands have requirements around monitoring customer Web sites for prohibited or problematic words and ensuring merchants are selling what they indicated on their applications. WordScan is a cost-effective solution that helps ISOs, banks and acquirers meet these requirements," Abouchar added.

Abouchar said that to help merchants as they travel the path of compliance, ControlScan will take any measure necessary to make a merchant comfortable with PCI.

"We'll take whatever time needed to slug it out with a merchant, even if we have to hold their hand through all 226 questions of the PCI DSS," he noted. "And while PCI does not equal security, it is - especially for small merchants - a great foundation and guideline from which to build their own security policies.

"Everything we do at ControlScan revolves around communication and engaging the merchant so they really get something out of it. It seems like a simple thing that everyone could emulate, but it is hard to scale. That is an element that is critical to us, and we've managed to execute it successfully."

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

ControlScan Inc.

ISO/MLS contact:

Heather Varian Foster
Vice President of Marketing
Phone: 678-279-2644
E-mail: hfoster@controlscan.com

Company address:
340 Interstate North, Suite 347
Atlanta, GA 30339
Phone: 678-279-2644
Fax: 800-825-2207
Web site: www.controlscan.com

ISO/MLS benefits:

  • Full-service, comprehensive and transparent PCI program
  • Exclusive focus on Level 4 merchants
  • High merchant compliance rates and reduced portfolio risks
  • Merchant outreach program targets compliance status
  • Emphasis on customer support


Company Profile originally appeared in
The Green Sheet Issue 100301

