The Green Sheet Online Edition
March 08, 2010 • Issue 10:03:01
Top 10 mistakes in PCI compliance
As more ISOs and acquiring banks initiate programs mandating Level 4 merchant compliance with the Payment Card Industry (PCI) Data Security Standard (DSS), they are coming face to face with a harsh reality: It's one thing to establish a PCI compliance policy to help prevent theft of cardholder data. It's quite another to bring your small and mid-sized merchants on board.
Challenges range from overcoming resistance from Level 4 merchants, who typically process fewer than 1 million payment transactions annually, to conveying the technical aspects of PCI compliance to a merchant whose computer know-how stops at booting up.
How can a local grocery store or small online invitation business have the knowledge to fill out the PCI Self-Assessment Questionnaire (SAQ)? For that matter, which of the four SAQs should the merchant complete? How do you convince a merchant to undertake the compliance process? How can you manage PCI compliance for a portfolio of 3,000 merchants, much less 30,000 or 300,000?
These hurdles can be surmounted with the right combination of processes and personnel. Florida-based Sterling Payment Technologies, for example, enrolled 61 percent of the merchants in its portfolio and validated PCI compliance for nearly two-thirds of those enrolled in less than three months after launching its program in September 2009.
Unfortunately, however, many programs are not as successful as Sterling's. The fault lies with a variety of shortcomings in program execution, whether handled in-house or through a third-party PCI vendor. To gain maximum merchant compliance in minimum time, avoid the following common mistakes.
1. Sending just one notification: Getting a response to a PCI appeal on the first try is rare. Merchants are busy, and PCI is not their first priority. To persuade your clients to get with the program, the first rule is repetition.
Plan on a series of communications sent via multiple channels. Start with your typical form of merchant communication - usually a statement enclosure - and then add a mix of PCI-only snail mailings, emails, faxes and phone calls. This is a campaign; once is not enough.
2. Failing to simplify the process: Trying to explain all PCI compliance procedures in one fell swoop will do nothing more than cause a terminal case of merchant paralysis. It's too overwhelming. You have to break it down into bite-sized pieces and simple steps.
Start with a one-page summary instead of a 10-page set of instructions. Provide easy action steps like "Call this number to get started" or "Complete these few questions to start the compliance process." Otherwise, you're setting yourself up for failure.
3. Neglecting to establish deadlines: Many acquirers fall short in engaging merchants in PCI initiatives because they fail to establish a timeline. Even if there is no real consequence for failing to meet a given target date, setting a deadline increases the response rate by imparting a sense of urgency.
It also gives merchants a way to prioritize your request. Without a due date, PCI will likely keep getting shuffled to the bottom of the to-do list.
4. Presenting PCI as a burden rather than a protection: ISOs and acquiring banks frequently forget to emphasize that PCI compliance is in the merchant's best interests, not unlike sprinkler and alarm systems.
Explain that some merchants have been driven out of business after data breaches that resulted in PCI-related fines and that PCI compliance is a safeguard against those penalties. This eliminates a major barrier to securing merchant cooperation.
5. Relying exclusively on an online solution: As helpful and cost-effective as the Internet can be, many if not most small merchants are still going to need live assistance in their PCI efforts.
Smaller retailers typically lack the technical knowledge to complete the SAQ, for example. And some businesses, such as neighborhood dry cleaners, may not use the Internet at all. Merchants need to be able to contact a PCI specialist - preferably by phone - to get their questions answered.
6. Not scoping the merchant accurately: It's not how merchants submit credit card data that determines their PCI requirements but how they handle the data. Where is it stored? Is any card information retained for any length of time? Are any card-handling systems connected to the Internet?
If you fail to ask the right questions, your ability to help protect merchants - and yourself - against a data breach by selecting the appropriate SAQ and scanning schedule, as well as recommending security improvements, is severely diminished.
7. Inadequately training your agents: Whether you're running an in-house PCI program or using an outside PCI service, sales staff must be carefully trained about when to offer PCI advice and when to turn the merchant over to your chosen PCI expert.
Agents or bank representatives can do more harm than good by minimizing a PCI problem ("You only have to do this") or attempting to address an issue they aren't equipped to solve. They need to know where their job ends and others' begin.
8. Failing to have a retention plan for PCI-averse merchants: Many acquirers are not prepared to handle merchants' PCI complaints. Your friendliest and most empathetic staff members should be assigned to troubleshoot these situations. In some cases, simply talking the merchant through the process will be enough.
In others, you may need an alternative solution such as changing the merchant's terminal configuration or processing procedures to reduce the points of vulnerability and subsequently the PCI requirements. Having a plan in place will dramatically reduce PCI-related attrition.
Covering your bases
9. Neglecting to develop an enforcement strategy: If a merchant still fails to climb on the PCI train, you need a policy on how to proceed. Are you going to discontinue processing for that customer? Increase your reserve fund requirements to add a PCI cushion on top of the reserve you already hold to meet refund requests should the company go out of business? Pay the PCI compliance fees for premium customers out of your own pocket? These policies need to be established before a problem arises.
10. Being reluctant to charge for PCI compliance services: Despite concerns that PCI fees will drive merchants away, the opposite happens; adoption rates actually increase when merchants have to pay up front because they want to get what they paid for.
Merchants are also beginning to understand that PCI fees are simply a cost of doing business today - like security alarms, liability insurance and Web sites.
Putting together an effective Level 4 PCI program, of course, helps protect the acquirer as well as the merchant from financial liability in the event of a data breach. It can also be an important source of revenue.
And with more ISOs and merchant banks participating, there is less danger that merchants will jump ship and go to a less experienced ISO or bank.
But the quality of the program will dictate your level of success. Scrimping on necessities like human assistance to answer merchants' questions will backfire, either by frustrating your clients, steering them in the wrong direction or leaving holes in their security infrastructure.
That's a big risk to take, given fines of up to $500,000 per incident for failure to comply with PCI regulations. Keep that in mind as you set up your program.
John Bartholomew is Vice President of Sales at SecurityMetrics (www.securitymetrics.com), a provider of Payment Card Industry Data Security Standard security solutions. For more information, e-mail him at firstname.lastname@example.org.