The Green Sheet Online Edition

April 11, 2011  •  Issue 11:04:01


How to reboot a stalled PCI program

By Tim Cranny

As ISOs, merchant level salespeople, processors and banks become more comfortable with the Payment Card Industry (PCI) Data Security Standard (DSS), some old pains and problems are becoming more manageable. But newer issues are coming to the fore. The biggest issue is a growing number of ISOs who have invested time and effort into their PCI programs, only to find a year or so later that too few merchants are compliant, and the numbers are not improving. Their PCI programs have stalled.

This article will talk about how to avoid that fate, as well as how to escape from it if you find yourself already stuck there.

The stumbling blocks

There are two main stumbling blocks to a thriving PCI program, and both need to be overcome, since there's not much payoff in getting past one obstacle just to stall again a little further down the road.

The first stumbling block is the more obvious one. It occurs when merchants need expert assistance with their Self-Assessment Questionnaires (SAQs) because the requirements are full of jargon and technical details they haven't encountered before.

A range of vendors can help in this regard (some more than others), and the key is to remember that putting the SAQ online doesn't achieve anything by itself; it's only useful if the online tool gives merchants additional expert guidance and assistance.

The information provided online needs to be more than a FAQ and glossary. It should include intelligent software that takes one simple fact (such as the identification of which terminal a given merchant is using) and, based on that data, automatically pre-answers a whole slew of questions for the merchant. For example, it could answer whether the merchant is connected to the Internet, whether the merchant stores cardholder information post-authorization and whether cardholder data communications are encrypted.

The second, and probably more significant, stumbling block occurs at the aggregator level, such as the ISO, processor or bank. Hard experience has proven that successful PCI programs don't just happen. Someone who has the right tools, resources and insights at his or her fingertips needs to make them happen. So all these organizations need to make sure qualified individuals are identified and taking responsibility for their PCI programs.

The tools for success

To make your PCI program a success, or to reboot a stalled program, you need:

The right message

In reaching out to various merchant subgroups, it is important to use email, phone, and regular mail because no one method is right for every merchant in every circumstance.

You need the flexibility to be able to send one type of message, with exactly the right wording, when targeting merchants who have been slow to start their program and another type of message, with different language and tone, when targeting merchants who have almost finished the process but have forgotten a few minor procedural steps. Similarly, merchants who are struggling with the process need to be treated differently again.

When you combine detailed insights and targeting with the ability to effectively reach out to merchants, you have the ingredients needed to make your PCI program an active success.

At that point, an ISO with these tools is in a far better position than 95 percent of the ISOs out there. The only real stumbling block left is that many ISOs simply aren't PCI experts and don't feel confident about giving advice to their merchants on these issues.

The need for assistance

It's critical to remember that a successful PCI program is not going to be built by technology alone. A successful program requires an in-house team of PCI experts or the right partnerships. We know of a very small number of ISOs and banks with the resources to do this sort of work in-house.

For most organizations, the answer lies in partnering with a specialist PCI provider that can provide the necessary tools and work closely with in-house staff to cover the whole spectrum of technology, security, customer support and program management issues.

I regularly see failed or stalled PCI programs where the portfolio owners thought the problem would simply go away if they bought a product, and who are now seeing that they need the right combination of products, services and partnerships to get their PCI program back on its feet and moving forward.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at 801-599 3454.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
