The Green Sheet Online Edition

May 23, 2011  •  Issue 11:05:02

Raising the bar on PCI compliance

By Heather Foster

At this point, anyone reading this article is familiar with the Payment Card Industry (PCI) Data Security Standard (DSS) and the Dec. 31, 2011, deadline for PCI DSS 2.0 compliance. Even though that deadline is only seven months away, you may be concerned about the progress your Level 4 merchants are making toward compliance and about the overall compliance rates in your portfolio.

How a Level 4 merchant can become PCI compliant

  1. Identify merchant validation type.
  2. Complete the Self-Assessment Questionnaire (SAQ) version appropriate for the merchant's business.
  3. Complete the relevant Attestation of Compliance in its entirety.
  4. For merchants who require vulnerability scanning, complete a scan and obtain evidence of a passing scan from an Approved Scanning Vendor.
  5. Submit validation documentation to the ISO/acquirer as required. (To maintain compliance, revalidate the SAQ every year and complete a scan every quarter.)

An October 2010 research report by ControlScan Inc. and Merchant Warehouse, entitled Diversity Reigns: The Second Annual Industry Survey of Level 4 Merchant PCI Compliance Trends, gives a glimpse into how small and mid-sized merchants perceive data security and the steps they take to protect sensitive information.

When asked about their familiarity with the PCI DSS, a majority of micro-merchants (businesses with fewer than 10 employees that rarely process more than 250,000 credit card transactions annually) were either "unsure" of the standard or "not at all familiar with it." The remaining micro-merchants were familiar with the guidelines to some degree, but only 16 percent were "very familiar with the standard."

Unfortunately, an ISO's exposure to PCI and its understanding of the importance of the PCI DSS may not be mirrored by its portfolio of small merchants. The survey points to the need for ISOs and acquirers to take a leadership role in helping Level 4 merchants understand the importance of bolstering their security postures.

This article explores how ISOs can take the information they are absorbing and use it to drive merchant engagement, increase compliance rates and, ultimately, reduce risk for themselves and their merchants.

Set the context for compliance

Most small to mid-sized merchants are unsure of where to begin the PCI compliance process and can quickly become overwhelmed. Unlike larger merchants, who face PCI issues every day because their monthly or even weekly transaction volumes surpass 250,000, Level 4 merchants, especially micro-merchants, need more context at the start. They should be educated on the fundamentals of PCI compliance, why they are required to comply and how compliance benefits their businesses.

However, sending the same messages or correspondence to all of your merchants, regardless of size and type, is not an effective approach to PCI compliance education. Instead, work with your PCI compliance solutions provider to segment the types of businesses in your portfolio. From there, you can evaluate their risk levels and tailor PCI education to increase the likelihood of action. Common merchant characteristics can serve as the starting point for portfolio segmentation.

Segmentation can also be based on the industry in which merchants operate (such as retail, hospitality, health care or service sectors) and method of processing (such as POS, terminal or shopping cart).

Overcoming misconceptions

You may also want to consider addressing common misconceptions among merchants within your portfolio.

What support you should get from a PCI compliance solutions provider:

Acquirer support

  • Programs tailored to achieve your PCI program goals
  • Training for all merchant-facing employees
  • Tools to measure portfolio risk and merchant progress
  • Comprehensive merchant outreach programs

Merchant support

  • Educational resources to help merchants learn about the PCI DSS requirements and initiate the process
  • Tools to complete the SAQ and scans for merchants that require them
  • Access to real support people to assist merchants through the compliance process

Stick or carrot?

In addition to understanding the types of businesses in your portfolio, PCI education will also depend on where merchants are in the process. Have they begun work on PCI compliance yet? Has their PCI compliance validation expired? Is it time for revalidation?

It is also important to know whether your merchants are moving quickly through the process or have stalled at a certain step. In some cases, an incentive, such as a rebate or no fee for the first year, will motivate merchants to progress through the PCI compliance process.

In other cases, it may be necessary to drive activity through fees for noncompliance or, in extreme cases where major risk is posed, to suspend or even stop processing their transactions. These penalties should be applied carefully and only after merchants have been allowed a reasonable timeframe to complete the PCI compliance process.

Develop an outreach program

Once you better understand the businesses in your portfolio, their level of PCI compliance understanding and what motivates them to act, you are better prepared to communicate with your merchants using the appropriate tone, type and frequency of outreach. Personalization at this level leads to both consistent merchant engagement and increased compliance rates.

PCI DSS 2.0 compliance

On Jan. 1, 2011, the latest version of the standard, PCI DSS 2.0, went into effect. The revisions, which modify the Self-Assessment Questionnaires (SAQs), call for the previous PCI DSS version and its SAQ forms to be discontinued by Dec. 31, 2011.

PCI DSS 2.0 is another opportunity to engage merchants in active PCI education, provide valuable security information that strengthens the relationship and increase compliance rates throughout the portfolio. Use this information, and work with your PCI compliance solutions provider, to build a strong and consistent communication and compliance plan.

Heather V. Foster is Vice President of Marketing for Atlanta-based ControlScan Inc., a provider of PCI compliance solutions that fit the specific needs of small to mid-sized merchants. She also serves on the Education Committee of the Electronic Transactions Association and can be reached at
