The Green Sheet Online Edition
April 11, 2011 • Issue 11:04:01
How to reboot a stalled PCI program
As ISOs, merchant level salespeople, processors and banks become more comfortable with the Payment Card Industry (PCI) Data Security Standard (DSS), some old pains and problems are becoming more manageable. But newer issues are coming to the fore. The biggest issue is a growing number of ISOs who have invested time and effort into their PCI programs, only to find a year or so later that too few merchants are compliant, and the numbers are not improving. Their PCI programs have stalled.
This article will talk about how to avoid that fate, as well as how to escape from it if you find yourself already stuck there.
The stumbling blocks
There are two main stumbling blocks to a thriving PCI program that need to be solved (since there's not much payoff in getting past one obstacle just to stall again a little further down the road).
The first stumbling block is the more obvious one. It occurs when merchants need expert assistance with their Self-Assessment Questionnaires (SAQs) because the requirements are full of jargon and technical details they haven't encountered before.
A range of vendors can help in this regard (some more than others), and the key is to remember that putting the SAQ online doesn't achieve anything by itself; it's only useful if the online tool gives merchants additional expert guidance and assistance.
The information provided online needs to be more than a FAQ and glossary. It should include intelligent software that takes one simple fact (such as the identification of which terminal a given merchant is using) and, based on that data, automatically pre-answers a whole slew of questions for the merchant. For example, it could answer whether the merchant is connected to the Internet, whether the merchant stores cardholder information post-authorization and whether cardholder data communications are encrypted.
The second, and probably more significant, stumbling block occurs at the aggregator level, such as the ISO, processor or bank. Hard experience has proven that successful PCI programs don't just happen. Someone who has the right tools, resources and insights at his or her fingertips needs to make them happen. So all these organizations need to make sure qualified individuals are identified and taking responsibility for their PCI programs.
The tools for success
To make your PCI program a success, or to reboot a stalled program, you need:
- Always-available and instant insight into what is going on in the portfolio at every level of detail. This means you must be able to see, at a moment's notice, the answer to questions such as: Where, specifically, in the whole process are my merchants stalling?
Based on today's latest data, what percentage of my merchants has failed Milestone 3? or What is the trend-line on completion rates over time?
It is also surprisingly usefulto be able to cross-reference and combine these queries, and get quick answers to questions such as: How many of my merchants in California are SAQ C and thus need scans and are falling behind on their remediation plan? (SAQ C is a questionnaire for merchants with payment application systems connected to the Internet, but who don't store cardholder data.)
- The ability to drill down from these high-level views to seeing every real-time detail on a specific merchant. Experience shows this is an invaluable tool for support and merchant assistance, regardless of whether that support is done in-house or by a PCI compliance vendor.
- Tools that facilitate active portfolio management by enabling tasks like adding merchants in bulk to a portfolio, deleting merchants, categorizing them into groups or conducting detailed search-and-filter analyses of merchant subgroups.
- The ability to communicate directly with exactly the right subgroups of merchants, at exactly the right time. Without this ability, analysis and insight tools cannot inform or empower anyone. If the news is bad, it can feel a bit like watching a house slowly burn down for lack of a firehose. Insights only really come to life when tools are at hand to turn them into solutions.
The right message
In reaching out to various merchant subgroups, it is important to use email, phone, and regular mail because no one method is right for every merchant in every circumstance.
You need the flexibility to be able to send one type of message, with exactly the right wording, when targeting merchants who have been slow to start their program and another type of message, with different language and tone, when targeting merchants who have almost finished the process but have forgotten a few minor procedural steps. Similarly, merchants who are struggling with the process need to be treated differently again.
When you combine detailed insights and targeting with the ability to effectively reach out to merchants, you have the ingredients needed to make your PCI program an active success.
At that point, an ISO with these tools is in a far better position than 95 percent of the ISOs out there. The only real stumbling block left is that many ISOs simply aren't PCI experts and don't feel confident about giving advice to their merchants on these issues.
The need for assistance
It's critical to remember that a successful PCI program is not going to be built by technology alone. A successful program requires an in-house team of PCI experts or the right partnerships. We know of a very small number of ISOs and banks with the resources to do this sort of work in-house.
For most organizations, the answer lies in partnering with a specialist PCI provider that can provide the necessary tools and work closely with in-house staff to cover the whole spectrum of technology, security, customer support and program management issues.
I regularly see failed or stalled PCI programs where the portfolio owners thought the problem would simply go away if they bought a product, and who are now seeing that they need the right combination of products, services and partnerships to get their PCI program back on its feet and moving forward.
Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at firstname.lastname@example.org or 801-599 3454.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.