The Green Sheet, Inc


The Green Sheet Online Edition

July 27, 2009  •  Issue 09:07:02


Moving the needle on level 4 merchants

By Joan Herbig

Since the Oct. 1, 2008, deadline requiring all newly boarded merchants to be Payment Card Industry (PCI) Data Security Standard (DSS) compliant or to use Payment Application (PA) DSS-compliant applications, hundreds of processors, banks and ISOs have launched PCI compliance programs for their level 4 merchant portfolios. (The PA DSS was formerly known as PA Best Practices [PABP]).

While this is a great start, a huge uphill battle remains. By most estimates, fewer than 10 percent of the level 4 merchant population has attested to compliance with the PCI DSS.

This represents an ongoing challenge for acquirers, who bear the ultimate risk for noncompliance. In fact, according to an Aite Group LLC report, 43 percent of acquiring executives rate security and PCI compliance as the top challenge for their sector.

The key to moving the needle on this statistic is for acquirers and ISOs to develop comprehensive and highly targeted merchant outreach programs.

The first 90 days

Since most small merchants still don't understand or know about PCI compliance and how it impacts their businesses, it is critical to launch broad awareness and engagement campaigns at the beginning of a program. These campaigns help educate and prepare merchants for the compliance process.

If you are charging a fee for your PCI compliance program, education on the front end is even more vital. Surprising merchants with a compliance fee before they have had a chance to understand the importance and value of compliance can damage both the program and your relationships with your merchants.

Because it is not well understood, PCI compliance is not a priority for most small merchants, so successful programs should begin with a series of touch points to engage merchants. Your campaign strategy should include:

The 90-day plan shouldn't be focused on merchants alone; also devise training plans and support materials for merchant-facing employees, such as customer service reps, sales agents and so forth. Regardless of whether you run the compliance program yourself or outsource it, many merchants will call your company to find out if the program is legitimate or to ask for clarification.

Be prepared to answer basic questions about PCI compliance and to handle common objections. And keep in mind that, if your team isn't aligned on the program and the messaging, you will confuse and frustrate your merchants.

If you follow a comprehensive communication plan similar to the one just described, you will typically see an initial burst in your portfolio's compliance rates during the first 90 days of the program; after that, the rate of improvement will begin to slow. So, how do you maintain the momentum?

Target messages and campaigns

Once you complete the launch phase of your PCI compliance program, the next step is to analyze the results and identify key segments of your merchant portfolio to which you should target additional outreach.

The campaigns may be a mix of three target categories based on compliance milestones, merchant classification code and self-assessment questionnaire (SAQ) type.

Unfortunately, there is no one-size-fits-all approach to targeting at this point. The results of your initial campaign efforts will dictate the best targeting methods for your portfolio.

Creating campaigns targeted to merchants based on their progress, or lack thereof, during the PCI compliance process creates an opportunity to provide tips to accelerate merchants' compliance efforts. Examples of such targeting include:

SAQ type

Following are suggestions for targeting campaigns based on SAQ type:

The right direction

PCI provides a security "compass" to level 4 merchants for whom security is generally not a priority. As such, it ensures that merchants are implementing the basic systems, processes and policies needed to protect cardholder data on an ongoing basis. Regular, targeted communications can keep PCI compliance a priority so that, instead of becoming an annual ordeal for your merchants, it becomes an everyday part of doing business.

Joan Herbig is Chief Executive Officer of ControlScan. She has more than 20 years' experience in the high-tech world and serves on the Electronic Transactions Association's Risk and Fraud committee. Contact her at or 800-825-3301.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

