Suitability: Down at the level of individual merchants, does the program give them the sort of help that is right for them? Large, sophisticated merchants need one sort of program, but smaller merchants with fewer resources need a program built around simpler, cheaper features. Confusing the two will invariably lead to merchant dissatisfaction and an unsuccessful program.
If you have a small portfolio of high-value merchants, think about partnering with a qualified security assessor (QSA) who can give your merchants plenty of detailed, one-on-one help, albeit at high cost per merchant.
If you have thousands of smaller merchants in your portfolio, look for a solution that is low cost but able to deal with larger numbers. The vendors and partners you need in this situation are those with a business model built around making a few dollars from many merchants, rather than a lot of money from a few merchants.
Solve your merchants' real problems
It is critical that your program solve the real problems your merchants are facing, not "fake" problems. That sounds obvious, but you'd be surprised: There are vendors out there whose claim to fame is that they've put a copy of the PCI Self-Assessment Questionnaires up on the Web for your merchants to access.
That would be great if the core problem with PCI was that all your merchants happen to be allergic to paper, but in reality the problem is that your merchants don't know what the words mean: They don't know enough about security to understand questions about firewalls and network topologies, encryption, or formal security policies.
It really doesn't matter whether they're reading these confusing words on paper or on a computer screen.
The fundamental shortage in PCI-land is expertise in security and compliance. Your merchants don't have any, so your program needs to hold their hand through the entire extended process, explaining technical terms to them, telling them how PCI works, what it all means, and which specific issues apply to them and which do not.
The new SAQs are an improvement over the old, but we have already seen plenty of real-world evidence from our ISO partners that the problem hasn't gone away.
This means someone, somewhere, has to be a PCI and security expert and be available to your merchants. A critical part of putting together a PCI program is either finding someone in-house to be that expert or finding a partner company that can fill that role for you. ISOs (or their partners) need to have an entire support program in place, including things like e-mail support.
Give your merchants active assistance
PCI is not just a passive process, and your merchants need to actually do things to either get compliant or to get validated. They will need help with these activities just as much (or more) as they do with the initial assessment phase. If you don't provide that assistance, both you and your merchants will get disappointing results and
Your merchants will need help with at least the following:
- Completion of formal documentation, including the SAQ
- Construction of a personalized remediation plan describing how merchants will fix each of the weaknesses identified in their assessment process
- Access to a range of remediation solutions, including hardware, software, and process-centric solutions such as customized security policies
Understand and track what is going on
For everyone, particularly ISOs, PCI is going to be a drawn-out process. A critical part of a long-term, successful PCI program is the ability to assess your portfolio as a whole: determine what percentage of your merchants are validated, what percentage are compliant, and, for those who are noncompliant, which sections of the standard they are failing to meet.
Having that sort of information helps identify and control risks. It also allows you to allocate resources in a cost-effective manner.
ISOs need to either build or get access via a partner to a solution with business analytics and reporting built in. This is going to be a challenging software development task for most ISOs and is another of the many reasons why we, at Panoptic, are seeing a trend toward ISOs resolving their challenges by partnering with PCI specialists rather than building solutions internally.
By taking these issues into account, you can dramatically increase the odds of putting together a PCI program that protects you and your merchants and does so without becoming a burden in terms of time or money. Implementing the right programs for your clientele will help you do what is most important: focus on serving and expanding your merchant portfolio.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at firstname.lastname@example.org or 801-599-3454.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.