The Green Sheet Online Edition
May 23, 2011 • Issue 11:05:02
Raising the bar on PCI compliance
At this point, anyone reading this article is familiar with the Payment Card Industry (PCI) Data Security Standard (DSS) and the Dec. 31, 2011, deadline for PCI DSS 2.0 compliance. While you may understand the above deadline is only seven months away, you may be concerned about the progress being made by your Level 4 merchants toward compliance and at the overall compliance rates in your portfolios.
How a Level 4 merchant can become PCI compliant
- Identify merchant validation type.
- Complete the Self-Assessment Questionnaire (SAQ) version appropriate for the merchant's business.
- Complete the relevant Attestation of Compliance in it is entirety.
- For merchants who require vulnerability scanning, complete and obtain evidence of a passing scan from an Approved Scanning Vendor.
- Submit validation documentation to ISO/acquirer as required (To maintain compliance, revalidate the SAQ every year, and do a scan every quarter.)
In an October 2010 research report by ControlScan Inc. and Merchant Warehouse entitled Diversity Reigns: The Second Annual Industry Survey of Level 4 Merchant PCI Compliance Trends, a glimpse is given into how small and mid-sized merchants perceive data security and the steps they take to protect sensitive information.
When asked about their familiarity with PCI DSS, a majority of micro-merchants (businesses that employ fewer than 10 employees and rarely process more than 250,000 credit card transactions annually) were either "unsure" of the standard or "not at all familiar with it." The remaining micro-merchants were familiar with the guidelines to some degree, but only 16 percent were "very familiar with the standard."
Unfortunately, an ISO's exposure to PCI and understanding the importance of the PCI DSS may not be mirrored by its portfolio of small merchants. The survey points to the need for ISOs and acquirers to take a leadership role in helping Level 4 merchants understand the importance of bolstering their security postures.
This article will explore how ISOs can take the information they are absorbing and use it as a means to drive merchant engagement, increase compliance rates and, ultimately, reduce risk for you and your merchants.
Set the context for compliance
Most small to mid-sized merchants are unsure of where to begin the PCI compliance process and can become overwhelmed quickly. Unlike larger merchants faced with PCI issues every day due to monthly or even weekly transaction volumes surpassing 250,000, Level 4 merchants, especially micro-merchants, need more context setting at the start. They should be educated on the fundamentals of PCI compliance, why they are required to comply with it and how it benefits their businesses.
However, sending the same messages or correspondence to all of your merchants, regardless of size and type, is not an effective approach to PCI compliance education. Instead, leverage your PCI compliance solutions provider to segment the types of businesses in your portfolio. From there, you can evaluate their risk levels and better tailor PCI education to increase the likelihood of action. Below are common characteristics, which can be the starting point for portfolio segmentation.
- Low volume, high risk: Micro-merchants think their lower transaction values and volumes make them less attractive to hackers and, therefore, less susceptible to data breaches. According to Visa Inc.'s Data Security Best Practices for Small Businesses presentation, 85 percent of all compromises occur at Level 4 merchant locations, which include low-volume merchants viewed as easy targets by hackers.
- E-commerce versus traditional merchants: Level 4 e-commerce merchants, however, seem to get it. For online retailers, data security was a much higher priority than for brick-and-mortar merchants (61 percent versus 41 percent). Sixty percent of online retailers said they were familiar with the PCI DSS compared to 37 percent for traditional retailers. This heightened interest on the part of online merchants is likely attributable to the greater perceived risk of card-not-present environments to fraud.
Segmentation can also be based on the industry in which merchants operate (such as retail, hospitality, health care or service sectors) and method of processing (such as POS, terminal or shopping cart).
You may also want to consider addressing common misconceptions among merchants within your portfolio.
- Internal breaches: One mistaken belief among small merchants is that attacks only occur from the outside. In many cases, compromises originate from within their places of business. Failure to perform background checks on new hires, or to educate employees on how to properly safeguard cardholder data, can lead to breach events.
- Once compliant, always compliant: While some merchants see value in PCI compliance, most may not be dutifully integrating the security requirements into the fiber of their companies. This is your opportunity to stress the difference between security and compliance. More specifically, compliance is a point-in-time measurement, and the underlying requirements must be adhered to on a daily basis.
- Little to no technical expertise: Few Level 4 merchants have the information technology or security staff available to fully manage the PCI compliance process. The survey stated 54 percent of merchants who had not validated compliance said it was due to not having the resources.
What support you should get from a PCI compliance solutions provider:
- Programs tailored to achieve your PCI program goals
- Training for all merchant-facing employees
- Tools to measure portfolio risk and merchant progress
- Comprehensive merchant outreach programs
- Educational resources to help merchants learn about the PCI DSS requirements and initiate the process
- Tools to complete the SAQ and scans for merchants that require them
- Access to real support people to assist merchants through the compliance process
Stick or carrot?
In addition to understanding the types of businesses in your portfolio, PCI education will also depend on where merchants are in the process. Have they begun work on PCI compliance yet? Has their PCI compliance expired? Is it time for revalidation?
It will also be important to know whether your merchants are moving quickly through the process or have stalled at a certain step. In some cases, creating an incentive, such as a rebate or no fee for the first year, will incent merchants to progress through the PCI compliance process.
In other cases, it may be necessary to drive activity through fees for noncompliance or, in extreme cases where major risk is posed, suspend or even stop processing their transactions. These penalties should be carefully applied and only enacted after a reasonable timeframe has been allotted for them to complete the PCI compliance process.
Develop an outreach program
Now that you better understand the businesses in your portfolio, their level of PCI compliance understanding and what motivates them to action, you are better prepared to communicate with your merchants using the appropriate tone, type and frequency. Personalization at this level leads to both consistent merchant engagement and increased compliance rates.
- Launch: Getting a merchant started down the path of PCI compliance is an ideal time for education and engagement. Point them in the direction of education resources, such as frequently asked questions documents online (see https://www.controlscan.com/support_resources_library.php#qa) or webinars (see https://www.controlscan.com/support_resources_library php#podcasts) conducted by industry experts on the topic of PCI.
Next, engage merchants through a combination of statement messages, direct mail and email about how to start the PCI compliance process and why it is helpful to their businesses. Email is the easiest and most cost effective form of communication. But since acquirers often do not have email addresses for their merchants, other communication methods should be used. Direct mail, statement inserts and even statement messages represent other alternatives.
- Measure milestones: As merchants reach various stages of the compliance process, acknowledge their progress and encourage them to complete the process. The communication that comes from behavioral targeting can be done through direct mail, email and calling campaigns. Merchants will appreciate your recognition and demystification of what to do next and by when.
- Revalidate: Many merchants believe PCI compliance is a one-time process; they need to be educated on the fact that compliance is either a quarterly or annual event. Revalidation is another opportunity to reach out to merchants in your portfolio, while maintaining compliance rates. Again, consider using statement messages, direct mail and email.
- Call merchants: There may come a point when simple education and one-way communications are no longer moving the needle. That is when you will need to consider a targeted outbound calling program. Your PCI compliance solutions provider should be prepared to reach out to your merchants with different and personalized scripts depending on their business and where they are in the process.
PCI DSS 2.0 compliance
On Jan. 1, 2011, the latest version of the PCI DSS 2.0 went into effect. The revisions, which modify the Self-Assessment Questionnaires (SAQs), call for discontinuance of the existing PCI DSS version and SAQ forms by Dec. 31, 2011.
The PCI DSS 2.0 is another opportunity for you to engage merchants in active PCI education, provide valuable security information that strengthens the relationship and increase compliance rates throughout the portfolio. Use this information and leverage your PCI compliance solutions provider to build a strong and consistent communication and compliance plan.
Heather V. Foster is Vice President of Marketing for Atlanta-based ControlScan Inc., a provider of PCI compliance solutions that fit the specific needs of small to mid-sized merchants. She also serves on the Education Committee of the Electronic Transactions Association and can be reached at email@example.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.