The Green Sheet Online Edition
July 26, 2010 • Issue 10:07:02
Succeeding at PCI compliance - Part 3: Implementing the rollout
In previous articles in this series about developing a successful Payment Card Industry (PCI) Data Security Standard (DSS) compliance program for your merchant portfolio, I have discussed the importance of understanding your merchants, outlined the selection criteria used at First Data Corp. in choosing a PCI compliance vendor and presented guidelines for running a pilot program.
Now let's turn to implementing your rollout plan. Here you'll appreciate how the right vendor makes the implementation go smoothly.
The first step to a successful implementation is to work closely with your PCI compliance vendor to develop a rollout plan that makes communication clear with all parties and ensures that all participants understand their roles.
Build flexibility into the plan so you can react to unexpected events or to the unique characteristics of your portfolio. You might get a quicker response from your merchants than you expected, for example, or you may encounter unforeseen communication challenges.
When your plan is in place and you are ready to implement, allow yourself plenty of ramp-up time. Easing into the process will help you manage it. Take time to test your processes and systems with your vendor and a small group of merchants. Make sure the test goes smoothly before rolling it out to your entire portfolio.
Introducing the vendor
When your merchants receive communications from your PCI compliance vendor, it is important for them to understand who the third party is and the vendor's role in the process. Lay the groundwork with a letter of introduction and explanation. Even then, expect questions.
In our case, many merchants didn't read the initial communications and called us for clarification after receiving letters from the vendor. Be prepared to answer basic questions over the phone, and instruct your staff where to transfer merchant phone calls regarding your PCI compliance program.
Our interactive voice response system includes a prompt that refers this type of call directly to our vendor phone center. This is why our criteria for choosing a PCI compliance vendor included a friendly, responsive call center. If our merchants are confused, they can simply call our vendor to resolve the issue and learn the next steps.
Effective communication with your vendor is also crucial. You will need to decide which methods work best for you. My personal preference is email, but I can also reach my primary vendor contact by phone for an issue of immediate concern.
I have also established a contingency plan if my primary contact is unavailable. I know a team of individuals is prepared to consult with me whenever I need them.
Equally important are our regularly scheduled phone calls. I have found that these conversations help ensure that things go as planned. The call doesn't have to be lengthy, but connecting on a set schedule keeps us on track.
Multiple merchant communication channels
A successful PCI program rollout relies heavily on a solid merchant communication plan. It should include multiple forms of communication and technology. Email is great but should be supplemented with fax, website information or even physical letter drops. Webinars may be another source for up-to-date training and information distribution.
Don't be discouraged if you have sent multiple messages to merchants without response. Once is usually not enough. Also, whenever a communication is sent from your PCI compliance vendor, be sure that your company name is clearly referenced along with your website, logo or other identifying mark. Otherwise, the message may be dismissed as a solicitation from an unknown company.
Finally, while we believe that referring merchants to a website alone is not enough, there is a lot to be said for offering web content as one component in the communication chain.
Our PCI compliance vendor, for example, offers online video and audio segments for specific instruction that makes it easier for our merchants to get help. The 24/7 access is useful as well.
Existing vendor relationships
I encourage merchants to research and seek information on PCI compliance from other resources. The more information they have, the better prepared they will be when you introduce your program.
When you begin your rollout, if some of your merchants have already started their own programs using different vendors than the one you chose, let them know they can use theirs or yours. But also explain the expected benefits they will realize with your selection.
Inevitably, some merchants will balk at your PCI initiative. Their objections may range from cost to discomfort with technology, or they may simply not understand the risks of ignoring PCI requirements. You should factor this into your implementation plan.
For some, the answer is simply education. You will need to spend time explaining how you have simplified the compliance process, giving basic instructions such as, "Call this number."
Most important, emphasize the value of PCI compliance in thwarting a potential security breach that could ruin the merchant's business. I stress the risk of card data theft to all of my merchants - not just the ones I might consider high risk - along with the ability of PCI compliance to reduce the threat.
For merchants with cost concerns and sensitivity to additional fees, you will need to provide the same information in the context of what they get for their money.
Some of your merchants will understand the cost and benefit of your program and enroll right away. Others will need an incentive or a potential penalty to achieve PCI compliance by a certain date.
One approach is to give your merchants time to become compliant, and then levy a fee if they fail to meet the deadline. Start first with positive encouragement and support; then ensure there are consequences for ignoring your request.
It can be a tricky balance between leading and pushing your merchants to embrace your PCI program. But if you have put all the pieces in place as described in this series, you have the ingredients for a successful rollout and rapid PCI compliance for your merchant portfolio.
Look for my next installment, "Succeeding at PCI compliance - Part 4: Maintaining the program," in The Green Sheet, Aug. 23, 2010, issue 10:08:02.
Dawn M. Martinez is Director of Data Security for First Data Corp. In this role, she oversees PCI compliance and data security initiatives for thousands of bank partners, ISO clients and merchants. Contact her at email@example.com.