By Joan Herbig
Since the Oct. 1, 2008, deadline requiring all newly boarded merchants to be Payment Card Industry (PCI) Data Security Standard (DSS) compliant or to use Payment Application (PA) DSS-compliant applications, hundreds of processors, banks and ISOs have launched PCI compliance programs for their level 4 merchant portfolios. (The PA DSS was formerly known as PA Best Practices [PABP]).
While this is a great start, a huge uphill battle remains. By most estimates, fewer than 10 percent of the level 4 merchant population has attested to compliance with the PCI DSS.
This represents an ongoing challenge for acquirers, who bear the ultimate risk for noncompliance. In fact, according to an Aite Group LLC report, 43 percent of acquiring executives rate security and PCI compliance as the top challenge for their sector.
The key to moving the needle on this statistic is for acquirers and ISOs to develop comprehensive and highly targeted merchant outreach programs.
Since most small merchants still don't understand or know about PCI compliance and how it impacts their businesses, it is critical to launch broad awareness and engagement campaigns at the beginning of a program. These campaigns help educate and prepare merchants for the compliance process.
If you are charging a fee for your PCI compliance program, education on the front end is even more vital. Surprising merchants with a compliance fee before they have had a chance to understand the importance and value of compliance can negatively impact the program and your relationships with your merchants.
Because it is not well understood, PCI compliance is not a priority for most small merchants, so successful programs should begin with a series of touch points to engage merchants. Your campaign strategy should include:
The 90-day plan shouldn't be focused on merchants alone; also devise training plans and support materials for merchant-facing employees, such as customer service reps, sales agents and so forth. Regardless of whether you run the compliance program yourself or outsource it, many merchants will call your company to find out if the program is legitimate or to ask for clarification.
Be prepared to answer basic questions about PCI compliance and to handle common objections. And keep in mind that, if your team isn't aligned on the program and the messaging, you will confuse and frustrate your merchants.
If you follow a comprehensive communication plan similar to the one just described, you will typically see an initial burst in your portfolio's compliance rates during the first 90 days of the program; after that, the rate of new attestations will begin to slow. So, how do you maintain the momentum?
Once you complete the launch phase of your PCI compliance program, the next step is to analyze the results and identify key segments of your merchant portfolio to which you should target additional outreach.
The campaigns may be a mix of three target categories based on compliance milestones, merchant classification code and Self-Assessment Questionnaire (SAQ) type.
Unfortunately, there is no one-size-fits-all approach to targeting at this point. The results of your initial campaign efforts will dictate the best targeting methods for your portfolio.
Creating campaigns targeted to merchants based on their progress, or lack thereof, during the PCI compliance process creates an opportunity to provide tips to accelerate merchants' compliance efforts. Examples of such targeting include:
While more directive, the message targeted to this group of merchants should include instructional language, focusing on the basic steps merchants must take to complete the process, which will make compliance feel less daunting.
In many cases these merchants are hung up on a specific area of the SAQ or working toward remediation for noncompliance with a PCI DSS requirement. By calling merchants you have the opportunity to guide them through any issues encountered and help them complete the attestation process.
For example, an e-commerce merchant could be very familiar with security and the need for Web site scans, but not be very aware of his or her PCI obligations.
Contrast this to a nail salon that may not even have a computer and has no understanding of the basic tenets of security. Think about the distinct characteristics of segments within your merchant portfolio so your communications resonate with the targeted audience.
Your small-merchant portfolio may also consist of a high percentage of a particular merchant classification. This is an opportunity for you to create a targeted campaign that speaks specifically to merchants within this group or keeps their unique circumstances in mind.
For example, if you have a significant population of restaurants in your portfolio, you don't want to launch a calling campaign during their peak serving hours. You can also leverage industry statistics and trends to help specific merchant groups understand where they are most vulnerable or use the information to target the highest risk groups in your portfolios.
Set the expectation in advance that if these merchants haven't changed their credit card data handling dramatically, they should be able to leverage their previous SAQ responses to expedite the process.
Following are suggestions for targeting campaigns based on SAQ type:
They are both part of the PCI DSS, and providing them takes a burden off of your merchants' shoulders, thereby reinforcing the service aspect to your PCI program.
Require documentation that validates that these merchants completed their scans, and if they haven't, recommend or refer an Approved Scanning Vendor (ASV) so the merchant can complete the PCI compliance process at the point of initial engagement.
PCI provides a security "compass" to level 4 merchants for whom security is generally not a priority. As such, it ensures that merchants are implementing the basic systems, processes and policies needed to protect cardholder data on an ongoing basis. Regular, targeted communications can keep PCI compliance a priority so that, instead of becoming an annual ordeal for your merchants, it becomes an everyday part of doing business.
Joan Herbig is Chief Executive Officer of ControlScan. She has more than 20 years' experience in the high-tech world and serves on the Electronic Transactions Association's Risk and Fraud committee. Contact her at 800-825-3301.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.