The Green Sheet Online Edition
August 23, 2010 • Issue 10:08:02
Succeeding at PCI compliance - Part 4: Maintaining the program
In the world of Payment Card Industry (PCI) Data Security Standard (DSS) compliance, once is not enough. For merchants, adherence to PCI standards must not only be validated every year, but also vigilantly monitored to defend against new security threats, accommodate changes in regulatory standards and address internal information technology changes that may compromise cardholder data.
For acquirers, the same ongoing vigilance is required to keep a PCI compliance program running smoothly. Once you have planned, piloted and rolled out your program, the effort must be sustained to ensure that your merchant base not only climbs on board but also stays on the train.
This final article in the "Succeeding at PCI compliance" series contains guidelines for measuring and maintaining PCI success in your merchant portfolio.
Track program progress
When you established your PCI compliance program, you should have set specific campaign goals. Let's say you decided you want 80 percent of your merchant customers to enroll in your program and 70 percent of those to achieve PCI compliance in the first six months.
You will need to monitor your progress against that goal. Have you hit your target? Are you still moving the needle? Where are you falling short?
Different PCI compliance vendors provide distinct reporting mechanisms for keeping tabs on program status. For example, at First Data Corp., we have access to an online console where we can see detailed real-time information on overall campaign performance, including bar graphs and pie charts that display the data graphically.
We can also drill down to individual merchant scan and Self-Assessment Questionnaire (SAQ) results at any time, and determine at a glance how many merchants are up for renewal each month.
Regardless of your particular reporting format, check your benchmarks regularly. If you're not satisfied, discuss your concerns and potential remedies with your service provider. A mid-course correction may be in order.
Enforce your program rules
In Part 3 of this series, I briefly touched on the need to establish an enforcement policy for merchants who fail to participate in your PCI compliance program or neglect to follow through to achieve PCI validation.
One approach to enforcement is to give merchants time to become compliant and then impose a financial penalty on the outliers.
Options include a flat fee for every month the merchant fails to achieve or maintain compliance; a graduated penalty that increases at specific intervals (for example, every six months) for continued noncompliance; or an increase in your reserve fund requirements to cover potential PCI fines.
Smaller penalties tend to be ignored; be willing to modify your enforcement policy if circumstances warrant. At First Data, for example, the penalty originally adopted across the board was later lowered for our smallest merchants. The goal should not be to punish but to persuade.
Update merchant data
As the acquirer, it is your responsibility to inform your PCI compliance vendor of any changes in your merchant contact information or your merchant base itself. That includes new merchants, cancelled accounts, changed merchant IDs or contact names, and so on.
Work with your vendor to determine when it updates its database and whether it would like to receive the refreshed information by spreadsheet, text file or other means.
Conversely, it is your vendor's responsibility to keep you updated on your merchants' participation and compliance status. Smaller acquirers can typically import this information into their internal databases from their vendors' reporting systems if desired, but larger acquirers may need weekly or monthly file feeds because of the size of their portfolios.
This is the case with First Data. We use our service provider's online console to track and analyze our program performance, but because our merchant base exceeds 600,000, our vendor also supplies a data feed from which we update our internal records.
Have merchants report IT changes
In your communications with merchants, be sure to remind them to report any change in their technical environment to your PCI compliance vendor. A change such as new payment software, a new server, a switch from analog phone lines to high-speed Internet service for payment terminal connectivity or the addition of an online sales division will likely require a PCI status review. It may also dictate a switch to a different SAQ and a modification in scan requirements.
Changes that involve Internet Protocol (IP) addresses are of particular concern. If the merchant adds online transactions, or even basic functions such as email or employee Internet access, an Internet-based vulnerability scan may be required to help identify weaknesses.
If a scan was not previously required and a merchant fails to notify your vendor of such changes, that business's PCI compliance status may be jeopardized.
Publicize new security developments
Data security strategies are in a constant state of flux. Hackers invent new ways to invade networks. Card brands modify their PCI guidelines. The PCI Security Standards Council issues periodic updates, including a new version of the requirements that is expected to debut in late 2010.
Communicate changes like these to your merchant portfolio, both to protect merchants against new security threats and to alert them to new developments that may affect their PCI status.
Manage yearly renewals
Like a blood test, PCI compliance validation represents a point in time. It has to be repeated because many variables in the merchant environment can change a pass into a fail.
Together, you and your PCI vendor have a responsibility to ensure that your merchants understand the rules and adhere to the renewal schedule.
That means sending reminders about quarterly vulnerability scans for the merchants who require them, as well as alerting merchants when they fail a scan or neglect to schedule one if required.
It also means informing merchants 30 to 60 days before their yearly PCI services agreement is set to expire and supplying re-enrollment instructions, including the need to complete a new SAQ. A good PCI vendor will handle these renewal chores so you don't have to.
Make an ongoing commitment
Remember, launching a PCI compliance program is the first step in what must be an ongoing commitment to helping your merchants keep customer cardholder data safely under lock and key.
Maintain a watchdog role, which may mean enlisting the help of an expert PCI vendor to avoid bringing the burden and associated costs in-house. You have multiple incentives to do a good job - including the threat of fines to merchants for PCI-related security breaches.
The previous articles in this series published by The Green Sheet include "Succeeding at PCI compliance - Part 1: Planning the initial rollout," May 24, 2010, issue 10:05:02; "Succeeding at PCI compliance - Part 2: Executing an effective pilot program," June 28, 2010, issue 10:06:02; and "Succeeding at PCI compliance - Part 3: Implementing the rollout," July 26, 2010, issue 10:07:02.
Hopefully, the guidelines provided in these articles will help you build a strong, cost-effective program that will keep you and your merchants in good standing under PCI.
Dawn M. Martinez is Director of Data Security for First Data Corp. In this role, she oversees PCI compliance and data security initiatives for thousands of bank partners, ISO clients and merchants. Contact her at firstname.lastname@example.org.