The wrong answers to the latter question can cost ISOs time and money - and leave their merchants frustrated and looking for change. The right answers will lead to an approach that will enable ISOs and others on the payment chain to avoid unnecessary cost and inconvenience, while minimizing the risks to ISO portfolios.
Here are seven steps that can help you build a practical, effective and economically sound PCI program for you and your merchant customers.
#h4 Step one: Realize your merchants need assistance, not just audits
It is not enough to simply push the PCI burden onto merchants in your portfolio: Small merchants face genuine, significant obstacles to PCI success. Unless their ISOs figure out ways to lower these barriers, attempts to address PCI issues will produce little more than frustration and dissatisfaction all around.
This is already happening in the market, and an increasing number of merchants are rebelling against poorly designed and poorly implemented PCI programs.
A common ingredient in these unsuccessful programs is a failure to recognize that, unlike larger merchants, small merchants cannot call on internal resources to achieve PCI compliance, nor can they afford to hire consultants.
These merchants need someone to provide expertise and actively hold their hands through the PCI process. Without that, any program will just frustrate your merchants.
#h4 Step two: Keep moving forward
A successful PCI program needs to become a part of a merchant's daily business, not an event or project that has a finish date. Security experts have a saying that "security is a process," and the same is true for PCI compliance. Create an ongoing program with continual engagement, or partner with a security company that can provide that on your behalf.
#h4 Step Three: Create a structured program
While it's true security is a never-ending process, that absolutely doesn't mean progress is an illusion. Make sure progress is visible to your merchants: Nothing discourages people more than the sense that they are on a treadmill and will never get anywhere despite all their efforts.
Give your program a clear structure, and communicate that structure to your merchants. Provide them a clear sense of progress they have made so far with PCI compliance, their current status, where they are going next and what milestones they need to pass along the way.
The formal PCI-compliance process has recently started to move in this direction (a good move), but you should not wait for a mandate or decree before doing the smart thing.
#h4 Step four: Make it active, not passive
The PCI DSS is not just about putting merchants through an assessment; it's about fixing the problems discovered (what security professionals call 'remediation').
However, the passive assessment phase is the easiest part of the process, and far too many vendors are doing only that part: taking their partners and customers a half-mile down the road and then abandoning them. Make sure your PCI program can actively give merchants the solutions they need to fix their problems.
#h4 Step Five: Support them, but be smart about it
Understanding PCI is tough for small merchants, and a support program is going to be a necessity. However, a na‹ve program (Here's the self-assessment questionnaire. Call me if you get stuck) will generate a massive support load and drain your finances and your time.
Structure your program to minimize the support load by getting things right upfront. This relates to the first point: If you give your merchants the assistance they really need, you will go a long way toward limiting support calls that might otherwise swamp you.
In the payments industry today we are seeing a number of simplistic PCI programs turn into lose-lose situations simply because merchants are not being helped enough (making them frustrated and dissatisfied) which leads to a tidal wave of support demands and costs (making the program costly and time-consuming for the ISO or processor).
#h4 Step six: Learn from your PCI program
Bringing a portfolio of merchants into PCI compliance can be tough on ISOs as well as their merchants, but it is a chance to learn more about your portfolio and build loyalty and value in those relationships (making them stickier).
That won't happen by itself, but if you put the right program in place, with the right reporting framework and business intelligence, you can come out of the process as a more knowledgeable, better positioned service provider. You'll also be able to do a much better job of discerning what to do next, because you'll know what is working and what isn't, and where the current weaknesses are.
One important point here is that you can't learn from the process if you don't set it up correctly from day one. If you just send out self-assessment questionnaires to your merchants (or just put the forms up on the Web), you won't gather useful information, and you'll have nothing to fuel your learning process later on. But if you have the right technology (or the right technology partner) you can painlessly gather the right information right from the start and use it to make yourself, and your merchants, smarter.
#h4 Step seven: Make it revenue-positive
A PCI program does not have to cost you money: If done correctly, it can be an additional revenue stream for you. Of course it is critical that you don't gouge your merchants with unreasonable charges, but the right solution can give merchants the program they need at low cost, making it possible to simultaneously charge them an acceptably low monthly fee and make a reasonable profit.
The key is to find a solution that is extremely efficient, low-cost and scalable to large numbers of merchants. One good development here is that the industry is already moving in the direction of charging mandatory monthly PCI fees, so ISOs and processors need not fear that they will be at a competitive disadvantage by doing this, so long as they carefully control the price.
PCI compliance is still a new world for most ISOs. Many are struggling with the question of how, where and when to put a program in place. If you do it right, you can put together a program that:
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at firstname.lastname@example.org or 801-599 3454.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.