GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?

Table of Contents

Lead Story

The ACH, staking new channel claims


Industry Update

Tepid summer for many Gulf Coast merchants

Can the IRS legally attach levies to ISO reserve accounts?

Trade Association News


GS Advisory Board:
Merchant retention, taking the initiative - Part 2

Selling Prepaid

Prepaid in brief

Dynamics of the youth card market

Gift cards: Value multiplier for merchants

Thom Aldredge
World Gift Card


Securing a place for electronic payments

Patti Murphy
The Takoma Group

The allure of end-to-end encryption

Scott Henry
VeriFone Inc.

Uncle Sam might want to pin worker misclassification on you

Sarah Weston
Jaffe, Raitt, Heuer & Weiss PC


Street SmartsSM:
Who will benefit when the Durbin Amendment dust settles?

Ken Musante
Eureka Payments LLC

The importance of PCI DSS compliance

Nicholas Cucci
Network Merchants Inc.

Is there any such thing as loyalty?

Nancy Drexler
SignaPay Ltd.

Need intelligence? Tap the feet on the street

Dale S. Laszig
Castles Technology Co. Ltd.

Succeeding at PCI compliance - Part 3: Implementing the rollout

Dawn M. Martinez
First Data Corp.

Global acquiring and fraud Q&A

Caroline Hometh

Company Profile

Netcom PaySystem

New Products

RDC on the fly

QwikDeposit To Go
Bluepoint Solutions

Multipayment and multimedia at the POS



Nothing fancy needed


10 Years ago in
The Green Sheet


Resource Guide


A Bigger Thing

The Green Sheet Online Edition

July 26, 2010  •  Issue 10:07:02

previous next

Succeeding at PCI compliance - Part 3: Implementing the rollout

By Dawn M. Martinez

In previous articles in this series about developing a successful Payment Card Industry (PCI) Data Security Standard (DSS) compliance program for your merchant portfolio, I have discussed the importance of understanding your merchants, outlined the selection criteria used at First Data Corp. in choosing a PCI compliance vendor and presented guidelines for running a pilot program.

Now let's turn to implementing your rollout plan. Here you'll appreciate how the right vendor makes the implementation go smoothly.

Project plan

The first step to a successful implementation is to work closely with your PCI compliance vendor to develop a rollout plan that makes communication clear with all parties and ensures that all participants understand their roles.

Flexibility should be built in to react to unexpected events or the unique characteristics of your portfolio. You might get a quicker response from your merchants than you expected, for example, or you may encounter unforeseen communication challenges.

When your plan is in place and you are ready to implement, allow yourself plenty of ramp-up time. Easing into the process will help you manage it. Take time to test your processes and systems with your vendor and a small group of merchants. Make sure the test goes smoothly before rolling it out to your entire portfolio.

Introducing the vendor

When your merchants receive communications from your PCI compliance vendor, it is important for them to understand who the third party is and the vendor's role in the process. Lay the groundwork with a letter of introduction and explanation. Even then, expect questions.

In our case, many merchants didn't read the initial communications and called us for clarification after receiving letters from the vendor. Be prepared to answer basic questions over the phone, and instruct your staff where to transfer merchant phone calls regarding your PCI compliance program.

Our interactive voice response system includes a prompt that refers this type of call directly to our vendor phone center. This is why our criteria for choosing a PCI compliance vendor included a friendly, responsive call center. If our merchants are confused, they can simply call our vendor to resolve the issue and learn the next steps.

Acquirer-vendor communication

Effective communication with your vendor is also crucial. You will need to decide which methods work best for you. My personal preference is email, but I can also reach my primary vendor contact by phone for an issue of immediate concern.

I have also established a contingency plan if my primary contact is unavailable. I know a team of individuals is prepared to consult with me whenever I need them.

Equally important are our regularly scheduled phone calls. I have found that these conversations help ensure that things go as planned. The call doesn't have to be lengthy, but connecting on a set schedule keeps us on track.

Multiple merchant communication channels

A successful PCI program rollout relies heavily on a solid merchant communication plan. It should include multiple forms of communication and technology. Email is great but should be supplemented with fax, website information or even physical letter drops. Webinars may be another source for up-to-date training and information distribution.

Don't be discouraged if you have sent multiple messages to merchants without response. Once is usually not enough. Also, whenever a communication is sent from your PCI compliance vendor, be sure that your company name is clearly referenced along with your website, logo or other identifying mark. Otherwise, the message may be dismissed as a solicitation from an unknown company.

Finally, while we believe that referring merchants to a website alone is not enough, there is a lot to be said for offering web content as one component in the communication chain.

Our PCI compliance vendor, for example, offers online video and audio segments for specific instruction that makes it easier for our merchants to get help. The 24/7 access is useful as well.

Existing vendor relationships

I encourage merchants to research and seek information on PCI compliance from other resources. The more information they have, the better prepared they will be when you introduce your program.

When you begin your rollout, if some of your merchants have already started their own programs using different vendors than the one you chose, let them know they can use theirs or yours. But also explain the expected benefits they will realize with your selection.

Overcoming resistance

Inevitably, some merchants will balk at your PCI initiative. Their objections may range from cost to discomfort with technology, or they may simply not understand the risks of ignoring PCI requirements. You should factor this into your implementation plan.

For some, the answer is simply education. You will need to spend time explaining how you have simplified the compliance process, giving basic instructions such as, "Call this number."

Most important, emphasize the value of PCI compliance in thwarting a potential security breach that could ruin the merchant's business. I stress the risk of card data theft to all of my merchants - not just the ones I might consider high risk - along with the ability of PCI compliance to reduce the threat.

For merchants with cost concerns and sensitivity to additional fees, you will need to provide the same information in the context of what they get for their money.

Some of your merchants will understand the cost and benefit of your program and enroll right away. Others will need an incentive or a potential penalty to achieve PCI compliance by a certain date.

One approach is to give your merchants time to become compliant, and then levy a fee if they fail to meet the deadline. Start first with positive encouragement and support; then ensure there are consequences for ignoring your request.

It can be a tricky balance between leading and pushing your merchants to embrace your PCI program. But if you have put all the pieces in place as described in this series, you have the ingredients for a successful rollout and rapid PCI compliance for your merchant portfolio.

Look for my next installment, "Succeeding at PCI compliance - Part 4: Maintaining the program," in The Green Sheet, Aug. 23, 2010, issue 10:08:02.

Dawn M. Martinez is Director of Data Security for First Data Corp. In this role, she oversees PCI compliance and data security initiatives for thousands of bank partners, ISO clients and merchants. Contact her at

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | Simpay | USAePay | Impact Paysystems | Board Studios