The Green Sheet Online Edition

March 11, 2013  •  Issue 13:03:01


PCI programs: From spring cleaning to a full remodel

By Chris Taylor

With the end of winter comes the annual household spring cleaning ritual. I love remodeling, and each spring I find myself searching online for inexpensive ways to renovate my older house.

Like my annual domestic updating ritual, remodeling a Payment Card Industry (PCI) data, device and application security program is a fantastic way to develop a renewed vigor for security. Perhaps your program is dated, like my white electric stove, and doesn't meet current needs. Maybe your organization is too mature for your current program, like a family outgrowing a starter home. Or maybe your current PCI program isn't achieving your original compliance goals.

Whatever the justification, five main concerns should prompt you to consider remodeling your PCI program. Remember, some program aspects may require only minor changes, similar to spring cleaning, and other aspects may require a bit more work to remodel.

1. Last year's risky merchants may not be the same as this year's

At some point during your current security program, you may have segmented your portfolio by risk. Unless it was scoped in the last few months, you may be focusing on merchants previously identified as risk-prone, but who aren't considered risky today, and vice versa.

To assist with merchant segmentation, risk-profiling tools like card data discovery software can forecast which portfolio members are more likely to suffer data breaches. Prior to a recent audit, a department store manager was positive his systems stored no payment card data, because he had passed a security audit the previous year.

However, he wasn't aware that a member of his information technology staff had inadvertently made a change in the middle of the year that resulted in the company network storing 50,000 unencrypted credit card numbers. Vulnerable data such as this can be found with the right tools; without them, an ISO or payment processor would have difficulty identifying a merchant's risk level.

Remodeling your PCI program allows you to focus initial efforts on high-risk merchants. Your vendor can assist in formulating merchant profiling questions for risk assessment. Questions to elicit relevant information include:

2. Promoting PCI as a differentiator can increase your portfolio

When real estate agents show a run-down house, they tend to discuss overall potential instead of dwelling on negative features. They typically ask buyers to consider how inexpensive remodeling would dramatically increase the interior aesthetics and market value. Because of the PCI Data Security Standard's (PCI DSS's) unfortunate negative connotation in the industry, many ISOs and payment processors perceive it as an obligation, hassle or millstone. Regrettably, that thought pattern rubs off on merchants.

Most acquirers and ISOs don't consider using their PCI compliance programs as a major merchant benefit, relegating them instead to contractual fine print. Compliance itself isn't unique to any one provider. But if you begin promoting PCI as an asset, your program will automatically contain something your competition doesn't have: an undeniable commitment to merchant security.

If merchants balk at extra security fees, be prepared to educate them on how PCI compliance addresses major business security problems and alleviates the pain of credit card compromise. If your business proposition adds PCI as its differentiator, your organization will scream, "Your security is our priority!" And you will be heard above the noise of the competition.

3. New technologies make compliance easier

In household remodeling, the efficiency advantages of an updated kitchen are obvious. However, many processors shirk upgrading some of the less visible aspects of their PCI programs, in particular the behind-the-scenes technology that makes compliance easier for both program managers and merchants.

For acquirers and ISOs, new program-management tools equal better reporting and fully automated communications, which require less time, money and personnel to manage. For merchants, new technologies make compliance more efficient and improve security through threat monitoring and prevention.

4. Being proactive keeps you ahead

In a condo I used to own, I made the mistake of ignoring a slow leak in the ceiling. After winter, the ceiling insulation and drywall had to be replaced entirely, which wasn't cheap.

Because portfolios, technology and business goals change over time, important portfolio security features may become lost in the chaos. The point of the PCI DSS is to stay three steps ahead of hackers and five steps ahead of your own financial liability if one of your merchants experiences a security failure. Today's attackers are patient and tenacious, and they exploit merchant vulnerabilities with practiced ease.

To keep PCI compliance in the forefront of a merchant's to-do list, it must be proactively and consistently pushed. Did you know that your portfolio is only as valuable as your overall merchant compliance level? Michael Campbell, a Senior Associate at The Strawhecker Group who focuses on acquiring and issuing risk, said noncompliance is financially unhealthy.

"A PCI-compliant merchant portfolio has enhanced value when an acquirer or ISO puts it on the market, and [it] is favorably considered by prospective buyers," he said. "When a merchant portfolio ... has low PCI compliance rates, the attractiveness of acquisition diminishes." Many acquirers and ISOs are apathetic regarding the overall compliance status of their portfolio, and they accept the status quo. Yet, security is a living, breathing organism, and a merchant's passing compliance report is merely a dated snapshot. Staying up to date with a PCI security program is necessary to minimize risk and increase portfolio value.

5. Give your merchants the value they deserve, or they'll leave

Your merchants are the VIPs of your organization. By implementing the most up-to-date program possible, you'll share in their success for years to come. By cutting corners or engaging a PCI vendor that's nothing more than a billing service and a self-serve website, you'll spend twice the resources to cover program weaknesses. If you pay homeowners' association fees, don't you expect nicely trimmed landscaping, a maintained pool or regular snow removal? When merchants are charged, they expect additional value.

Payment processors should plan on merchant attrition if programs remain outdated while merchants are charged the same noncompliance or PCI fees year after year. Companies that provide additional security value to merchants will build enduring customer loyalty and more confidence in the payment card processing chain.

Chris Taylor is Manager of Channel Marketing for SecurityMetrics and can be reached via email at Find more details on remodeling your PCI program at or by calling 801-995-6869.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
