The Green Sheet Online Edition
July 12, 2010 • Issue 10:07:01
Building a PCI program that works
Complying with the Payment Card Industry (PCI) Data Security Standard (DSS) is rapidly becoming an unavoidable part of business for ISOs and their merchants. Most ISOs are now either putting together a PCI program or reviewing their existing solutions and partnerships.
This process deserves careful thought because the right program can increase customer loyalty and satisfaction, while a poorly designed or implemented program will drive merchants away. Here are seven lessons to consider when building a PCI program:
1. Do-it-yourself requires expertise
The issue: It can be tempting to put together your own PCI program to save money (and avoid sharing revenue with partners), but industry experience shows that this is almost always an expensive mistake.
Most ISOs and merchant-level salespeople lack the knowledge and experience needed to create an effective program for their merchants just by referring to the PCI Security Standards Council's website, articles such as this one or PCI webinar transcripts.
Such resources are important, but relying on them alone is not the way to build an effective solution.
Also, a program that has not had substantial input from security and software development experts during its planning stages will anger or frustrate merchants, who will then demand extensive support. A do-it-yourself approach requires you to be a security services company and a software company, as well as an ISO.
What to do about it: Putting together your own PCI program makes sense only if you have a deep bench of security experts and software developers and can afford a year or so of development time.
If that isn't the case, partnering with a specialist security company makes much more sense; such a specialized company already has the solutions built and available in addition to experience gathered from multiple deployments.
2. Soft costs can kill you
The issue: PCI compliance is genuinely tough for merchants, and smaller merchants in particular cannot call on some mythical internal technical staff to handle it, nor can they afford to hire consultants. If your PCI program does not clamp down hard on support issues, the workload will flow back to you, producing a completely new set of problems and expenses that increase the upfront costs.
What to do about it: You need to make sure your program goes beyond just offering some FAQs and phone or chat support; a successful program actively helps merchants avoid problems and support calls.
A balancing act is needed: the solution has to help merchants and guide them around dangers, but it must not cheat by offering them something akin to an "are you compliant?" one-button escape path. Some vendors choose this path because it is technically easy, but in reality, this tactic exposes you and your merchants to significant legal and financial risk.
3. Cheap is expensive
The issue: Too many ISOs see only the explicit costs of PCI compliance and look for a minimal program with low costs. This usually translates into low-end technology and minimal merchant assistance and makes avoiding or solving problems quickly and easily almost impossible.
Suddenly, you're back into the territory of death-by-soft-costs. Low-tech solutions also tend to lock in inefficiencies that come from having limited tools to manage your portfolio.
What to do about it: This isn't a particularly complicated issue; it boils down to judging partners on more than just price. Merchant assistance, portfolio management tools and remediation services are the three main areas that deserve consideration if you are going to avoid false economies.
4. Remediation is critical
The issue: Too many people talk about PCI for smaller merchants as if it were really all about the Self-Assessment Questionnaire (SAQ), with no consideration given to whether the merchant actually passes the assessment. This is horribly shortsighted (but reflects the feeling on the part of some vendors that helping merchants with remediation is difficult, so they should avoid it).
The bottom line, though, is that merchants must get assistance with fixing their failures.
What to do about it: Fortunately, many vendors do help merchants by creating and managing their remediation program. ISOs should weigh this factor heavily in partner selection.
5. Communication is vital
The issue: Treating PCI DSS compliance as something to be done once and then forgotten leads to merchants stalling halfway through the process. This inefficient approach makes return on investment unlikely.
What to do about it: A successful PCI program must include ongoing communication with the merchant. Continual engagement helps maximize compliance rates and prevent merchant confusion and anger.
Make sure that the program makes progress visible to your merchants because nothing discourages people more than the sense that they are on a treadmill and will never get anywhere despite all their efforts.
6. Customization provides opportunity
The issue: PCI is a pain for your merchants, and that creates an opportunity for you to improve your relationships with your merchant customers. You can be seen as a shield against the pain and confusion. That can't happen if the program you put in place is a generic or cookie-cutter solution.
What to do about it: Look for a solution that is set up so visible benefits and assistance appear to come from you. That doesn't mean it has to be a solution you built yourself; some next-generation solution providers have a business model that gives you the credit.
Another benefit of customization (if done right) is the ability to build a customized portfolio and business model. Some PCI partners can provide your merchants with easy access to products and services, making the PCI process an up-sell opportunity.
7. Portfolio knowledge aids outreach
The issue: PCI puts demands on your knowledge of your portfolio, and that can be time-consuming and difficult. For example, do you know precisely what payment applications and security services your merchants are using?
On the positive side, this research offers a chance to learn more about your portfolio and how to manage it more efficiently.
What to do about it: Look for a program that focuses on giving you a comprehensive reporting and business intelligence framework. This can be much more than just some aggregate reports. Look for the ability to drill down to individual merchants and do efficient, targeted merchant outreach for remediation issues.
Be aware that you can't learn from the process if you don't set it up correctly from the first day. If you just send out SAQs to your merchants (or just put the forms up on a website), you won't gather the right information, and there will be nothing to fuel your learning process later on.
A well-planned PCI program
Most ISOs are still coming to grips with PCI, and many are struggling with the question of how to put the right program in place. Helping merchants find the right approach reduces your legal and financial exposure, improves the security of your merchants and their customers, and deepens and improves your relationship with your portfolio.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at firstname.lastname@example.org or 801-599 3454.