The Green Sheet Online Edition
August 12, 2013 • Issue 13:08:01
Seven tips for a successful mass PCI compliance program: Part 1
Many acquiring banks think full merchant Payment Card Industry (PCI) Data Security Standard (DSS) compliance is a myth. It has been said by more than one merchant processor, "I'll never get my whole portfolio compliant."
Yes, compliance rates above 80 percent are nearly unheard of, but certainly not as impossible as the industry may believe. Immediately after launching a PCI compliance program, FirstMerit achieved over 95 percent portfolio engagement. In October 2010, FirstMerit achieved an 84 percent client compliance validation rate and has maintained the rate since.
I would like to share FirstMerit's compliance journey and highlight a few key points inside our strategy that helped guide more than 85 percent of our portfolio to compliance. I'm not promising that running a successful PCI compliance program will be easy, but acquiring banks and ISOs can definitely ease the burden through implementation of the right program.
If your institution or organization has struggled with a compliance program in the past, I encourage you to search this article for ways to improve or begin your own successful program.
Tip 1: Take responsibility
I have been consumed by fraud since 2003. It was in 2003 that I was introduced to data compromise and fraud while managing FirstMerit Bankcard Issuing Fraud Investigations. My second day on the job, the team discussed the sheer volume of fraud and bank losses. I determinedly asked what we could do to combat the problem. "There's nothing we can do" was the knee-jerk response from everyone in the room. I couldn't accept that answer.
My fraud background
It was the notion that I was expected to accept defeat without fighting back that motivated me to reduce the amount of fraud losses impacting my cardholder portfolio.
After six months of self-tutorial, the opportunity to better manage our fraud monitoring strategies began to unfold. Little by little, the bank began to realize the benefits of managing losses with strategies. Having witnessed the financial and emotional impact on merchants who experienced data breaches, data breach prevention became my core motivating factor. Unfortunately, I was on the wrong side of the payment space to impact or prevent data compromises.
Don't let your 'PCI vehicle' rust
There was something I could do about the current security situation. I could manage the system already in place. I already had the vehicle; I just needed to drive it. This analogy works for merchants as well. A vehicle (PCI) already exists; it just needs to be driven.
Yes, running a successful PCI DSS compliance program can be daunting. Most merchants today presumably understand the need to prevent the theft of credit card data, but many may not understand or have the patience for taking the steps required to meet all PCI requirements. That's where you come in. There is tremendous value in security, but most don't see the value until after they need it. As their caretaker, partner and acquirer, your job is to do something about that.
Your organization most likely has a PCI vehicle, but it may be a little rusty. All you need to do is give it a jump-start, take the wheel and start driving. You have control, and you have a solemn responsibility to your merchants.
Tip 2: Find a partner that fits
In 2006, I left FirstMerit Fraud Investigations and joined the FirstMerit Acquiring team. As an acquirer, our mission is to acquire processing accounts, service our existing accounts and protect our clients. In short, my mission was to reduce data breaches. How was I supposed to accomplish my mission alone? The answer was: I couldn't.
I read the Operating Regulations for each card brand and learned for the first time about the PCI DSS. However, figuring out how to enforce it was a daunting task. Obtaining a corporate understanding is the most critical component to a successful program. Otherwise, one angry merchant or irate commercial lender could deter senior management from staying committed.
Armed with the Operating Regulations and the PCI DSS, I asked senior management for their commitment. During our discussion, there were moments of unease as this "change" was introduced. There were discussions concerning fears of attrition and heated internal exchanges as we worked toward our commitment.
Fortunately, senior management conceded. At the end of the day, requiring merchants to comply with the PCI DSS was the right thing to do. Our clients are extremely valued, and we are not an institution that would feel proud to identify a compromised merchant if we had not diligently tried to explain the importance of security. Now, I had to find a partner that shared my commitment to merchant security.
Test the waters
I identified the nation's top PCI-compliance vendors. During the extensive interview process, I was intimidated and overwhelmed. There were numerous issues to consider: breaches, fines, client impact, lack of PCI understanding and attrition.
I knew this would require a little elbow grease. I reached out to a few of my peers to inquire how they managed their programs. I was extremely disheartened to learn they were not following PCI standards. One said, "It is never going to work. Merchants won't do it." His comment merely added fuel to my merchant security fire. The lack of momentum surrounding the engagement of PCI DSS was not going to change FirstMerit's position.
Your partner is the key
Retrospectively, I see the second critical aspect of our PCI compliance program's success was choosing the right partner. I wanted a trusted associate that would work as a partner, not as an outsourced third party that collected payment every month. I wanted my partner to carefully encourage my merchants toward ultimate data protection without causing attrition.
I wanted FirstMerit's partner to ensure my merchants not only engaged in PCI, but also followed through to compliance. Know what's most important to you, and be picky.
Because of my commitment to merchant security, I was very particular with my vendor criteria. I've included a short list of ideal attributes I required my future PCI partner to have.
- Success in obtaining results
- Strong communication process with FirstMerit and merchants
- Customizable communication programs
- Strong merchant customer service (polite, friendly, resolve issues quickly)
- Commitment to avoiding merchant attrition at all costs
- Accessible customer support
- Easy conflict resolution
- Accurate, easy-to-use, customizable tracking and reporting tools
- Effective online enrollment
Start rolling out your plan
I found such a partner in SecurityMetrics, an expert that specializes in helping merchants achieve PCI compliance. We immediately got to work. During our plan's rollout, I made sure the SecurityMetrics team clearly understood their responsibilities, and they made sure I understood mine. I got to know the company's systems, support staff and communication process so I could get a feel for how our merchants would react. I haven't been disappointed.
Stay tuned for "Seven tips for a successful mass PCI compliance program: Part 2" for more guidelines on jump-starting your own effective mass compliance program.
Michelle Thompson is Vice President, Merchant Fraud/Risk Officer at FirstMerit Bank. She manages both the PCI program and Risk Mitigation for FirstMerit Acquiring. She can be reached at firstname.lastname@example.org or 330-849-8937.