By Heather Foster
At this point, anyone reading this article is familiar with the Payment Card Industry (PCI) Data Security Standard (DSS) and the Dec. 31, 2011, deadline for PCI DSS 2.0 compliance. While you may understand the above deadline is only seven months away, you may be concerned about the progress being made by your Level 4 merchants toward compliance and at the overall compliance rates in your portfolios.
In an October 2010 research report by ControlScan Inc. and Merchant Warehouse entitled Diversity Reigns: The Second Annual Industry Survey of Level 4 Merchant PCI Compliance Trends, a glimpse is given into how small and mid-sized merchants perceive data security and the steps they take to protect sensitive information.
When asked about their familiarity with PCI DSS, a majority of micro-merchants (businesses that employ fewer than 10 employees and rarely process more than 250,000 credit card transactions annually) were either "unsure" of the standard or "not at all familiar with it." The remaining micro-merchants were familiar with the guidelines to some degree, but only 16 percent were "very familiar with the standard."
Unfortunately, an ISO's exposure to PCI and understanding the importance of the PCI DSS may not be mirrored by its portfolio of small merchants. The survey points to the need for ISOs and acquirers to take a leadership role in helping Level 4 merchants understand the importance of bolstering their security postures.
This article will explore how ISOs can take the information they are absorbing and use it as a means to drive merchant engagement, increase compliance rates and, ultimately, reduce risk for you and your merchants.
Most small to mid-sized merchants are unsure of where to begin the PCI compliance process and can become overwhelmed quickly. Unlike larger merchants faced with PCI issues every day due to monthly or even weekly transaction volumes surpassing 250,000, Level 4 merchants, especially micro-merchants, need more context setting at the start. They should be educated on the fundamentals of PCI compliance, why they are required to comply with it and how it benefits their businesses.
However, sending the same messages or correspondence to all of your merchants, regardless of size and type, is not an effective approach to PCI compliance education. Instead, leverage your PCI compliance solutions provider to segment the types of businesses in your portfolio. From there, you can evaluate their risk levels and better tailor PCI education to increase the likelihood of action. Below are common characteristics, which can be the starting point for portfolio segmentation.
Segmentation can also be based on the industry in which merchants operate (such as retail, hospitality, health care or service sectors) and method of processing (such as POS, terminal or shopping cart).
You may also want to consider addressing common misconceptions among merchants within your portfolio.
In addition to understanding the types of businesses in your portfolio, PCI education will also depend on where merchants are in the process. Have they begun work on PCI compliance yet? Has their PCI compliance expired? Is it time for revalidation?
It will also be important to know whether your merchants are moving quickly through the process or have stalled at a certain step. In some cases, creating an incentive, such as a rebate or no fee for the first year, will incent merchants to progress through the PCI compliance process.
In other cases, it may be necessary to drive activity through fees for noncompliance or, in extreme cases where major risk is posed, suspend or even stop processing their transactions. These penalties should be carefully applied and only enacted after a reasonable timeframe has been allotted for them to complete the PCI compliance process.
Now that you better understand the businesses in your portfolio, their level of PCI compliance understanding and what motivates them to action, you are better prepared to communicate with your merchants using the appropriate tone, type and frequency. Personalization at this level leads to both consistent merchant engagement and increased compliance rates.
Next, engage merchants through a combination of statement messages, direct mail and email about how to start the PCI compliance process and why it is helpful to their businesses. Email is the easiest and most cost effective form of communication. But since acquirers often do not have email addresses for their merchants, other communication methods should be used. Direct mail, statement inserts and even statement messages represent other alternatives.
On Jan. 1, 2011, the latest version of the PCI DSS 2.0 went into effect. The revisions, which modify the Self-Assessment Questionnaires (SAQs), call for discontinuance of the existing PCI DSS version and SAQ forms by Dec. 31, 2011.
The PCI DSS 2.0 is another opportunity for you to engage merchants in active PCI education, provide valuable security information that strengthens the relationship and increase compliance rates throughout the portfolio. Use this information and leverage your PCI compliance solutions provider to build a strong and consistent communication and compliance plan.
Heather V. Foster is Vice President of Marketing for Atlanta-based ControlScan Inc., a provider of PCI compliance solutions that fit the specific needs of small to mid-sized merchants. She also serves on the Education Committee of the Electronic Transactions Association and can be reached at email@example.com.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next