By Tim Cranny
Panoptic Security Inc.
Complying with the Payment Card Industry (PCI) Data Security Standard (DSS) is rapidly becoming an unavoidable part of business for ISOs and their merchants. Most ISOs are now either putting together a PCI program or reviewing their existing solutions and partnerships.
This process deserves careful thought because the right program can increase customer loyalty and satisfaction, while a poorly designed or implemented program will drive merchants away. Here are seven lessons to consider when building a PCI program:
Most ISOs and merchant level salespeople lack the knowledge and experience needed to create an effective program for their merchants by relying on resources such as the PCI Security Standards Council's website, articles like this one, or PCI webinar transcripts.
Such resources are important, but relying on them alone is not the way to build an effective solution.
Also, a program that has not had substantial input from security and software development experts during its planning stages will anger or frustrate merchants, who will then demand extensive support. A do-it-yourself approach requires you to be a security services company and a software company, as well as an ISO.
What to do about it: Putting together your own PCI program makes sense only if you have a deep bench of security experts and software developers and can afford a year or so of development time.
If that isn't the case, partnering with a specialist security company makes much more sense; such a specialized company already has the solutions built and available in addition to experience gathered from multiple deployments.
What to do about it: You need to make sure your program goes beyond just offering some FAQs and phone or chat support; a successful program actively helps merchants avoid problems and support calls.
A balancing act is needed: the solution has to help merchants and guide them around dangers, but it must not cheat by offering them something akin to an "are you compliant?" one-button escape path. Some vendors choose this path because it is technically easy, but in reality, this tactic exposes you and your merchants to significant legal and financial risk.
Suddenly, you're back into the territory of death-by-soft-costs. Low-tech solutions also tend to lock in inefficiencies that come from having limited tools to manage your portfolio.
What to do about it: This isn't a particularly complicated issue; it boils down to judging partners on more than just price. Merchant assistance, portfolio management tools and remediation services are the three main areas that deserve consideration if you are going to avoid false economies.
The bottom line, though, is that merchants must get assistance with fixing their failures.
What to do about it: Fortunately, many vendors do help merchants by creating and managing their remediation program. ISOs should weigh this factor heavily in partner selection.
What to do about it: A successful PCI program must include ongoing communication with the merchant. Continual engagement helps maximize compliance rates and prevent merchant confusion and anger.
Make sure that the program makes progress visible to your merchants because nothing discourages people more than the sense that they are on a treadmill and will never get anywhere despite all their efforts.
What to do about it: Look for a solution that is set up so visible benefits and assistance appear to come from you. That doesn't mean it has to be a solution you built yourself; some next-generation solution providers have a business model that gives you the credit.
Another benefit of customization (if done right) is the ability to build a customized portfolio and business model. Some PCI partners can provide your merchants with easy access to products and services, making the PCI process an up-sell opportunity.
On the positive side, this research offers a chance to learn more about your portfolio and how to manage it more efficiently.
What to do about it: Look for a program that focuses on giving you a comprehensive reporting and business intelligence framework. This can be much more than just some aggregate reports. Look for the ability to drill down to individual merchants and do efficient, targeted merchant outreach for remediation issues.
Be aware that you can't learn from the process if you don't set it up correctly from the first day. If you just send out SAQs to your merchants (or just put the forms up on a website) you won't gather the right information, and there will be nothing to fuel your learning process later on.
Most ISOs are still coming to grips with PCI, and many are struggling with the question of how to put the right program in place. Helping merchants find the right approach reduces your legal and financial exposure, improves the security of your merchants and their customers, and deepens and improves your relationship with your portfolio.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at email@example.com or 801-599 3454.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.