The Green Sheet Online Edition
May 24, 2010 • Issue 10:05:02
Succeeding at PCI compliance - Part 1: Planning the initial rollout
Running a successful Payment Card Industry (PCI) Data Security Standard (DSS) compliance program can be daunting. While most merchants presumably understand the need to prevent the theft of credit card data, many may not understand, or have the patience for, the steps required to meet all PCI requirements. Rightly or wrongly - usually wrongly for smaller merchants - they may perceive the road to PCI compliance as bumpy and thus resist the journey every step of the way.
Acquiring banks and ISOs can ease this burden through a careful program rollout. In this series of articles, I will highlight First Data Corp.'s strategy for guiding the more than 600,000 merchants in our portfolio through the PCI DSS process, beginning with the planning stage of a PCI compliance rollout.
Know your merchants
Understanding your merchant base is the foundation for a successful rollout. Ask yourself the following: Do you fully understand the type of compliance your merchants require? How well do you know their systems? How savvy are they with technology in general and the Internet in particular?
Also, what is their preferred method of communication? Is it email? Fax? Phone? Knowing the answers to these questions can help smooth the way to implementing your program.
The first questions your merchants ask will likely involve cost. Pricing is always a sensitive issue, and the imposition of new fees can generate immediate resistance. Because not every merchant needs the same level of service or is prepared to pay in the same manner, fee structures can be confusing.
It is important that your fee structure is simple and that your merchants can clearly see how these fees are tied to the benefits of PCI compliance. If pricing seems to strain the relationship, either the price needs to be adjusted or the benefits need to be better understood.
Choosing a PCI compliance partner
The most critical aspect to PCI compliance program success is choosing the right partner. We live in a society of specialization. Selecting an expert who specializes in helping merchants achieve PCI compliance can make your life easier and allow you to focus on your own areas of expertise.
Several good vendors offer PCI compliance services. It's your responsibility to find the vendor that meets your specific needs. Here are some of the criteria we used.
First, we were looking for a trusted partner who would work with us, not for us. That meant finding a vendor who would be fully invested in our goals and objectives, including being sure merchants not only enrolled in our program, but also followed through to compliance. It also meant finding a partner willing to provide, as well as receive, feedback. A trusted partner will share what needs to be said, not just what you want to hear, and allow you to do the same.
One measurement is how often the vendor will update its systems based on user and acquirer feedback. How willing is the vendor to listen to suggestions for improving or adapting products and solutions to meet your needs? Also, does the vendor measure success (that is, compliance), or just activity (that is, merchant enrollment in your program)? This distinction is critical.
The human touch
The next key factor is the level of support offered. Our experience suggests that Level 4 merchants (the smallest merchants, who typically validate through a Self-Assessment Questionnaire rather than an on-site assessment) need to speak with human beings to understand and comply with PCI requirements.
We spent considerable time and money providing video training, letter-drop campaigns and other means to train and motivate our merchants, yet we still had calls from merchants asking questions that we had already answered at length in other media.
It is worth the cost to partner with a vendor who has more than web-based or email support to answer these questions. If merchants don't understand a question or feel overwhelmed with the paperwork, they should have access to a phone center with dedicated, knowledgeable and friendly consultants who will walk them through any challenges they face.
In choosing our PCI compliance partner, we therefore looked for a vendor with a live support team that did not simply read from a script. We sought trained professionals who took adequate time to understand our merchants' operations and processes. Learning to swim is easier with an instructor who stays by your side rather than with one who pushes you into the deep end.
Merchant reporting is also important. Make sure the vendor reporting matches the expectations and knowledge base of your merchants. If the reporting results are too complex, your merchants will likely spend their time and money on other aspects of their business rather than pursue compliance.
An online dashboard makes managing and analyzing your reports much easier. We enjoy online access to a reporting console that presents the information we need in an easily understandable manner. Make sure the vendor you choose does not rely on hard-copy reports only.
A good reporting relationship facilitates accurate and accessible reports up the information chain to executive management, as well as out to your merchants. In our industry, information is as important as the electronic currency we are exchanging.
Run a pilot first
Finally, there are two optional elements to getting your PCI compliance program off the ground. First, consider assigning a project manager to help put all the pieces in place, monitor your progress and serve as chief problem-solver when the need arises. Second, run a pilot program with the vendor you are considering, even if you have a previous relationship with the vendor in another aspect of your business.
As I will explain in the next installment of this series, a pilot separates promises from actual delivery. It will help you understand your own capacity as well as that of your vendor. It will give you peace of mind and provide clearer expectations.
As with any undertaking, carefully planning a PCI compliance program rollout will streamline implementation and improve your success rate. It's like building a house: you need the blueprint before you lay the first brick.
Dawn M. Martinez is Director of Data Security for First Data Corp. In this role, she oversees PCI compliance and data security initiatives for thousands of bank partners, ISO clients and merchants. Contact her at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.