The Green Sheet, Inc

The Green Sheet Online Edition

September 09, 2013  •  Issue 13:09:01


Seven tips for a successful mass PCI compliance program: Part 2

By Michelle Thompson

In "Seven tips for a successful mass PCI compliance program: Part 1," The Green Sheet, Aug. 12, 2013, issue 13:08:01, I suggested that choosing a Payment Card Industry (PCI) Data Security Standard (DSS) partner that fits your organization was key to a successful rollout. I also outlined my list of most important vendor criteria and defined vital points that helped prepare for mass compliance, such as gaining corporate commitment and accepting stewardship over your merchants.

Now I'd like to explain what I found to be the two most important steps during a mass compliance rollout: setting goals and constant merchant communication.

Tip 3: Stick to your (realistic) goals

Ensure your goals are realistic in terms of the amount of time it takes your portfolio to engage or become compliant. I learned this concept the hard way. Because I was new to the PCI DSS and didn't understand the complexity of merchant struggles to meet difficult standards, I shot for an outrageously high compliance goal (98 percent) in a very short period of time.

My overly ambitious goal turned my life into a living hell. Because I took responsibility to stay in personal contact with all my merchants, workdays lasted 12 to 14 hours, and the work week lasted seven. Every phone call was on constant replay in my head. It felt as if I were banging my head against a wall. But I knew we were doing the right thing.

Prepare for many merchant questions

One of the biggest roadblocks on our initial compliance path was merchant confusion. Many merchants didn't read the initial PCI communications and called FirstMerit for clarification. I didn't expect so many merchant questions. I soon learned to instruct my staff to transfer merchant phone calls regarding our PCI compliance program to our vendor, SecurityMetrics. I also made sure the company clearly introduced its role as a third-party vendor in various forms of merchant communication.

Don't give up

Be ready for a test of your determination. It will be tested during client calls, in the sales process and during internal debates. It will be tested to see if your policy, belief system or commitment is the same as it was originally. Your program will be challenged to see if you believe in what you are doing. My SecurityMetrics account manager reminded me that excessive communication was a good thing. If merchants were asking questions, they were learning about the importance of security, and they were more likely to engage and complete PCI compliance.

Every day I explained the standards, clarified the role of our vendor and illuminated the ways sensitive data must be protected. I listened while merchants explained their data practices, and I cringed at the irresponsible things they did with sensitive data. Three years into the program, despite all the elbow grease applied, we were stuck at 50 percent compliance.

Stick to your guns

It was at this juncture we easily could have bowed out. We could have yielded at the slightest client pushback like many others in the payments space. This is not who we are or who I am. Why would we go backward? We had maintained 98 percent enrollment/engagement, but our stagnant compliance number gave me the opportunity to re-strategize. Staffing adjustments were made, internal resources were reallocated, and SecurityMetrics changed its communication efforts.

We understood it was wrong to hold merchants responsible for security mistakes they didn't understand, so it was decided we would charge a noncompliance fee only after diligent communications were performed. We then began the communications, calls, statement messages and emails informing merchants that October 2010 was the date we required compliance or a fee per merchant ID would be assessed.

Don't worry about attrition

In the first year of our compliance efforts there was a negligible amount of attrition, and since then an insignificant number of merchants have left because of PCI compliance. I can attribute the lack of attrition to a few reasons: the teamwork of both our vendor and bank employees, and a heightened awareness of large-scale data breaches. Attrition is part of the nature of the payment space, but I can certainly attest that PCI was not a motivating factor for our merchants.

Tip 4: Constant merchant communications

Solid merchant communication is another not-so-classified secret of PCI program success. From the beginning, I believed that if merchants didn't understand a question or felt overwhelmed with the requirements, they should have access to a call center with friendly consultants who walk them through any challenges they face. That's another reason to select a vendor that offers strong merchant support, preferably one whose call center is open 24 hours a day so merchants can call and have their questions answered and problems resolved.

Lather, rinse, repeat

One thing I've learned in my 10 years in the world of PCI compliance: once is not enough. Along with our vendor, we spent considerable time and money providing training, mail campaigns and other means to train and motivate our merchants, yet we still had calls from merchants asking questions we'd answered a million times before.

The only way to combat this was multiple forms of communication and technology. Email was a great start but was then supplemented with fax, specific online PCI information, mailings, webinars and supplementary videos. Accompanying online materials made it easier for merchants to see the necessity of PCI and allowed them to keep up with data security outside of the PCI realm.

Importance of education

Many merchants balked at our PCI initiative. Their objections ranged from cost to discomfort with new technology. Through numerous communications, I made sure to reference how FirstMerit was simplifying the compliance process, the immense value of PCI compliance in thwarting security breaches and the risk of card data theft to their business. For my merchants with cost concerns and fee sensitivity, I provided a list of what they received for their money.

Coming up in "Seven tips for a successful mass PCI compliance program: Part 3" will be my thoughts on PCI program fees, program maintenance and never giving up.

Michelle Thompson is Vice President, Merchant Fraud/Risk Officer at FirstMerit Bank. She manages both the PCI program and Risk Mitigation for FirstMerit Acquiring. She can be reached at or 330-849-8937.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
