The Green Sheet Online Edition

September 09, 2013 • Issue 13:09:01

Seven tips for a successful mass PCI compliance program: Part 2

By Michelle Thompson
FirstMerit Bank NA

In "Seven tips for a successful mass PCI compliance program: Part 1," The Green Sheet, Aug. 12, 2013, issue 13:08:01, I suggested that choosing a Payment Card Industry (PCI) Data Security Standard (DSS) partner that fits your organization was key to a successful rollout. I also outlined my list of most important vendor criteria and defined vital points that helped prepare for mass compliance, such as gaining corporate commitment and accepting stewardship over your merchants.

Now I'd like to explain what I found to be the two most important steps during a mass compliance rollout: setting goals and constant merchant communication.

Tip 3: Stick to your (realistic) goals

Ensure your goals are realistic in terms of the amount of time it takes your portfolio to engage or become compliant. I learned this concept the hard way. Because I was new to the PCI DSS and didn't understand the complexity of merchant struggles to meet difficult standards, I shot for an outrageously high compliance goal (98 percent) in a very short period of time.

My overly ambitious goal turned my life into a living hell. Because I took responsibility to stay in personal contact with all my merchants, workdays lasted 12 to 14 hours, and the work week lasted seven. Every phone call was on constant replay in my head. It felt as if I were banging my head against a wall. But I knew we were doing the right thing.

Prepare for many merchant questions

One of the biggest roadblocks on our initial compliance path was merchant confusion. Many merchants didn't read the initial PCI communications and called FirstMerit for clarification. I didn't expect so many merchant questions. I soon learned to instruct my staff to transfer merchant phone calls regarding our PCI compliance program to our vendor, SecurityMetrics. I also made sure the company clearly introduced its role as a third-party vendor in various forms of merchant communication.

Don't give up

Be ready for a test of your determination. It will be tested during client calls, in the sales process and during internal debates. It will be tested to see if your policy, belief system or commitment is the same as it was originally. Your program will be challenged to see if you believe in what you are doing. My SecurityMetrics account manager reminded me that excessive communication was a good thing. If merchants were asking questions, they were learning about the importance of security, and they were more likely to engage and complete PCI compliance.

Every day I explained the standards, clarified the role of our vendor and illuminated the ways sensitive data must be protected. I listened while merchants explained their data practices, and I cringed at the irresponsible things they did with sensitive data. Three years into the program, despite all the elbow grease applied, we were stuck at 50 percent compliance.

Stick to your guns

It was at this juncture we easily could have bowed out. We could have yielded at the slightest client pushback like many others in the payments space. This is not who we are or who I am. Why would we go backward? We had maintained 98 percent enrollment/engagement, but our stagnant compliance number gave me the opportunity to re-strategize. Staffing adjustments were made, internal resources were reallocated, and SecurityMetrics changed its communication efforts.

We understood it was wrong to hold merchants responsible for security mistakes they didn't understand, so it was decided we would charge a noncompliance fee only after diligent communications were performed. We then began the communications, calls, statement messages and emails informing merchants that October 2010 was the date we required compliance or a fee per merchant ID would be assessed.

Don't worry about attrition

In the first year of our compliance efforts there was a negligible amount of attrition, and since then an insignificant number of merchants have left because of PCI compliance. I can attribute the lack of attrition to a few reasons: the teamwork of both our vendor and bank employees, and a heightened awareness of large-scale data breaches. Attrition is part of the nature of the payment space, but I can certainly attest that PCI was not a motivating factor for our merchants.

Tip 4: Constant merchant communications

Solid merchant communication is another not-so-classified secret of PCI program success. From the beginning, I believed that if merchants didn't understand a question or felt overwhelmed with the requirements, they should have access to a call center with friendly consultants who walk them through any challenges they face. That's another reason to select a vendor that offers strong merchant support, preferably one whose center is open 24 hours a day so merchants can call and have their questions answered and problems resolved.

Lather, rinse, repeat

One thing I've learned in my 10 years in the world of PCI compliance: once is not enough. Along with our vendor, we spent considerable time and money providing training, mail campaigns and other means to train and motivate our merchants, yet we still had calls from merchants asking questions we'd answered a million times before.

The only way to combat this was multiple forms of communication and technology. Email was a great start but was then supplemented with fax, specific online PCI information, mailings, webinars and supplementary videos. Accompanying online materials made it easier for merchants to see the necessity of PCI and allowed them to keep up with data security outside of the PCI realm.

Importance of education

Many merchants balked at our PCI initiative. Their objections ranged from cost to discomfort with new technology. Through numerous communications, I made sure to reference how FirstMerit was simplifying the compliance process, the immense value of PCI compliance in thwarting security breaches and the risk of card data theft to their business. For my merchants with cost concerns and fee sensitivity, I provided a list of what they received for their money.

Coming up in "Seven tips for a successful mass PCI compliance program: Part 3" will be my thoughts on PCI program fees, program maintenance and never giving up.

Michelle Thompson is Vice President, Merchant Fraud/Risk Officer at FirstMerit Bank. She manages both the PCI program and Risk Mitigation for FirstMerit Acquiring. She can be reached at or 330-849-8937.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
