The Green Sheet Online Edition
October 14, 2013 • Issue 13:10:01
Seven tips for a successful mass PCI compliance program: Part 3
In the previous articles in this series about developing a successful Payment Card Industry (PCI) Data Security Standard (DSS) compliance program for your portfolio, I discussed the importance of goal setting, finding a partner that fits and constant communication with merchants.
The final article in this series contains guidelines for program maintenance, including my thoughts on PCI fees, compliance renewals and never giving up.
Tip 5: Straightforward fees
It's difficult to see the line between leading and pushing your merchants to embrace your PCI program. I knew busy business owners would not address data security if faced with choosing between managing their businesses and doing what the bank requested. So, FirstMerit decided to begin imposing a financial penalty on noncompliant merchants in October 2010. The objective was to persuade, not punish. I didn't want a fee, but I did want momentum toward compliance.
With just the threat of a noncompliance fee nipping at my merchants' heels, the compliance surge began. We catapulted from 50 percent compliance to 80 percent in just three months. I also made sure our fee was structured so that merchants could easily understand why it was tied to their compliance status, what they gained by becoming compliant and how to avoid the fee on their next bill.
Decide how you really feel about fees
Though I felt, and still feel, that noncompliance fees are dirty, each time I increased them, more merchants were persuaded to come into compliance.
FirstMerit truly didn't want the income garnered from noncompliance fees and much preferred compliance. It was with this mentality that we won countless merchants' business. In our experience, merchants' initial question when searching for an acquiring partner was, "What are you doing with PCI compliance?"
They realized many of our peers had PCI programs, but didn't actively help clients with PCI or even enforce security. Because of our excellent educational PCI program, FirstMerit became the merchant "go to" source for guidance on PCI.
Merchants want help with PCI, and their current providers often don't assist them. I have lost count of the client-prospect meetings I have attended where information technology managers or business owners explained how they handled card data and asked for help. Because we have taken the time to sit down with clients to hear their concerns and bring in our expert partners, we have won 99 percent of this prospect business.
Tip 6: Diligent program maintenance
I knew from the beginning that PCI would require ongoing vigilance to keep our program running smoothly, long after the initial planning was done. Because PCI DSS compliance must be validated annually, and the merchant environment must be monitored between validations to defend against new security threats, it takes sustained effort to keep our merchants on course year after year.
Manage yearly renewals
Of all the major concerns surrounding our program, renewals topped my list. It was crucial to me that PCI compliance validation be repeated annually, because many variables in the merchant environment (new equipment, new software, new service providers) can turn last year's pass into this year's fail.
Our PCI vendor sent reminders when quarterly external vulnerability scans were due and alerted merchants when scans failed, so that problems could be fixed and the scan rerun before the quarter ended. Alerts were also sent 30 to 60 days before yearly PCI service agreements expired.
Accurate admin tools
Because compliance goals were so important to me, I needed a way to monitor progress and determine where we fell short. Our vendor provided an online console that included detailed real-time information on overall campaign performance, including bar graphs and pie charts that showed (among other things) full compliance histories, how many merchants' contact information was verified, total accounts contacted via email and total merchant PCI engagement.
I logged into the online dashboard and analyzed my merchants' progress at least four to five times a week. When I wasn't satisfied with our progress, I brought it up in regular phone calls with my vendor's account manager.
Our vendor also promised to keep FirstMerit updated on our merchants' PCI participation and compliance status through weekly and monthly feeds, as long as we informed the vendor each time our portfolio changed (new merchants, cancelled accounts, changed merchant IDs, for example).
Compliance renewals can be a challenge. It is common for merchants to add new solutions to their environments during the course of a year, such as a new point-of-sale system or a new third-party service provider, and, although they may know about PCI, they don't always choose compliant third parties. Each such change can alter what is in scope, which is exactly why last year's validation cannot be assumed to hold.
Tip 7: Commitment to program, company and self
If I had one wish regarding data security, my wish would be that everyone in the payments industry would care enough to do the right thing. Acquirers should stop relying on insurance and noncompliance fees and instead build PCI compliance programs that protect merchants and the entire payments industry.
Acquirers should stop circumventing requirements through down-scoping, and merchants should take PCI seriously as a protection for their businesses.
Before our PCI program really took off, a business owner asked me how I slept at night. I answered him with, "Honestly, for the first year, I didn't." I recalled how, during that time, I couldn't bear the thought of a merchant caught in a data breach when the individual had no idea about compliance. I couldn't bear the thought of charging a noncompliance fee to those poor business owners just trying to make a living.
I then told the business owner, "Now, however, I can sleep. FirstMerit has done everything we can. We've tried, failed and succeeded. We've educated, communicated and prospered. My merchants can't say we didn't educate them about security and try to assist in every way possible."
I am proud of my organization and my team, and pleased to be rooted with a PCI compliance vendor that cares about data security as much as we do. We have an excellent partnership with our clients and our vendor, as well as support from senior management.
Even though I consider our PCI program a success, I haven't abandoned my original compliance goal of 98 percent. We haven't given up on data security, and you shouldn't either because successful portfolio compliance isn't a myth. We're proof of that.
Michelle Thompson is Vice President, Merchant Fraud/Risk Officer at FirstMerit Bank. She manages both the PCI program and Risk Mitigation for FirstMerit Acquiring. She can be reached at firstname.lastname@example.org or 330-849-8937.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.