Watch to learn how PCI Program managers can increase the likelihood of merchant PCI DSS compliance and decrease the risk of a breach.
Kelly uses the overarching concept of “action,” as it applies to managing a large-scale, successful security and compliance program. She reminds attendees of the reality of data breaches, the prevention of which is the primary goal of PCI DSS compliance. If merchants don’t take PCI compliance seriously, they are much more likely to experience a breach, and the fallout can force them to close their doors.
Kelly reminds us that we tend to focus on the big news stories, the multi-billion dollar corporations that experience massive breaches, but the reality is that data breaches affect many more SMBs. On average, a data breach costs $35,000, not an amount any business wants to pay. That’s not to mention brand damage and loss of professional relationships.
"What best drives high-PCI Compliance programs?"
Kelly Rodriguez conveys five crucial tips for PCI Program managers to increase the likelihood of merchant PCI DSS compliance and decrease the risk of a merchant experiencing a devastating breach.
This webinar was hosted on September 24th, 2020, as part of SecurityMetrics Summit 2020.
Hi, everybody. Welcome to SecurityMetrics Summit twenty twenty. My name is Kelly Rodriguez, and today our topic is the five acquirer tips for PCI program success.
I've been a customer success manager for SecurityMetrics for several years. And over the years, we've learned a lot of tips and tricks and collected data to understand what best drives high PCI compliance programs. So today, we're going to talk about those five different items.
One of the things that we wanna do with the PCI program and when we're talking about these five tips, we're keeping in mind that we're also closing data security and compliance gaps to avoid data breaches.
That's honestly part of our number one goal with these different items: to avoid a breach from even happening. And PCI compliance is a great tool, not only for PCI compliance, but for overall data security.
A lot of PCI compliance is not just a checkboxing exercise. A lot of it is going to be action oriented, making sure that networks are properly segmented or that you're not sending credit card information over email. So this is a great quote. I loved it from Pablo Picasso. It says action is the foundational key to all success, and it's very applicable when we're talking about PCI compliance.
There are five different areas that we're going to be reviewing, communication, goal setting, ongoing education, making PCI easy, and then leveraging your PCI vendor.
We were talking previously about closing different gaps in compliance or in security to ensure that we do not ever get a breach. Honestly, the driving, overarching goal for most partnerships should be to ensure that their merchants do not experience a devastating breach.
Ninety percent of breaches are actually the small merchants.
I think a lot of times when we think about data breaches, we think, oh, it's just gonna be the targets or it's just going to be the fill in the blank huge company corporation here, but that's simply not true. If PCI isn't taken seriously by small merchants, they're much more likely to experience a breach.
And the fallout from that is going to be very expensive for the merchants. Lawyer fees, for one. I actually did work in the same company, but in a previous role, where I assisted merchants who found out that they were breached in obtaining a forensic investigator and going through the process of making sure that everything is tied up and that they don't experience further credit card data loss. But the really sad part is that, on average, it's about thirty five thousand dollars for a breach. For any mom and pop, that may be enough to close their doors. It was really sad in several instances with nonprofit organizations or smaller businesses.
They were forced to close their doors because of the cost that kept going forward for a data breach.
And another awful side effect is if they didn't have to close their doors due to the breach, if customers found out that the business that they were frequenting had a data breach, there is an average of thirty one percent of customers terminating the relationship with the business due to that data breach.
So, really, our goal should not be just checkboxing exercises. It should be these five different items that we're going to discuss. We don't ever want them to have to get to the breach area.
The first thing we're going to talk about is probably the most important. That's communication.
So we want to let the merchant know about the partnership with your PCI vendor, continual email outreach, and making compliance a part of your product.
There are several ways to let the merchant know about your partnership.
You want to ensure that the merchant knows about it when they very first start up with the process so that when they start processing, they know that PCI compliance is also an obligation from the get go.
You do want to include our PCI vendor information.
We have a lot of merchants who maybe don't know who the PCI vendor is or that we're working with their acquirer, and they call back to the acquirer and say that we're trying to steal their information.
So it's really important that you help the merchant understand that there's a partnership helping them achieve their PCI compliance goals. And then also a step by step process can be very helpful in ensuring that the merchant will actually follow through and then complete the PCI process.
Regular email campaigns have been proven to be very important in the success of a PCI compliance program.
SecurityMetrics employs three very basic campaigns. We do have other campaigns that we'll often do, but the three basic campaigns are the ones that we really want to focus on: unenrolled, currently failing compliance, and soon to be expired.
Unenrolled is great. It's making sure that people who have not started that PCI process yet are constantly reminded that they need to get going.
The next one is failing compliance.
A lot of times, merchants think that they've checked the boxes, but maybe they didn't sign the agreement at the end or maybe they just forgot one section, so they're currently failing compliance. These are very important in ensuring that the merchant understands when they are compliant. That failing compliance is going to be kind of a light bulb moment for them that they haven't done everything on their list yet.
The soon to expire compliance is imperative in a program. This will help the merchant know thirty to sixty days before their SAQ is expired to expect that they need to go in and renew their compliance.
Numbers show on our side that if a merchant lapses into noncompliance, the compliance percentage goes down quite a bit for them to actually log in. So it's great to ensure that we are getting to them before they lapse into the expired compliance.
We also wanna make sure that PCI compliance is a part of your actual deliverable.
It's additional value to the merchants. It makes the merchants invested more into your company. It kinda makes you a little more sticky with them because you're providing more than just processing credit cards, and it also makes you aware of questions or concerns that they might have.
The next item we're going to discuss is goal setting. As with any program, you want to ensure that there's some sort of success that's coming from the program, and we'll talk about how we should set up those goals.
So what are your executive goals? What are your compliance goals for merchants? And who's in charge of completing and maintaining that PCI compliance?
The first question is what are executive goals? We want to understand how many merchants you want enrolled and how many you want compliant.
A lot of our assessors would love to have a hundred percent compliance. That would be great, to have a merchant portfolio that was at a hundred percent. It's not necessarily feasible to do that, however. It's great to be able to break it down into small chunks and attack that first number. For example, a goal for a lot of executives, when we're working with our acquirers, is to have a percentage that's acceptable by, let's say, First Data.
First Data will fine if less than a certain percentage is compliant. So they want to reach that number and ensure that they do not get fees or fines.
Other merchants, I mean, other acquirers, sorry, have already moved past that goal and would like to reach a better goal of overall portfolio compliance. That can move as you go within certain time frames.
Time frames should really be set realistically. If you want a hundred percent compliance next month, you may be setting the bar a little too high, a little too impossible. Just make sure that they're realistic so that when you hit the goal, you can just reformat and form new goals as you go forward.
What are your compliance goals for merchants? Do you want it to just be a checkboxing exercise, or do you want to have them truly understand data security and compliance? These are two very different processes, but you can, most of the time, marry them together really well if you have a good idea of what you want compliance goals to look like for your merchants.
And we'll talk about some of those other items later when we talk about simplifying the SAQ.
The last item is who's in charge of completing compliance.
I personally have partners who like to drive the compliance train. They like to be the ones to reach out, make phone calls, send emails, and have that personal interaction, and we provide the platform, data, and tools that they need in order to carry out a PCI program. But they really take care of a lot of the communication, and SecurityMetrics does not do those things for them. On the other end of the spectrum, and this is more common, I would say, is we take care of a lot of it for the merchant.
We take care of it for that processor, sorry. So it really depends on who you want in charge of that compliance. But remember, at the end of the day, if a breach were to occur, the responsibility lies at the doorstep of the merchant. So the merchant is always going to be in charge of compliance.
The processor and the bank is something that you need to decide. Who's going to be driving that narrative? Is it going to be the merchant reaching out to us? Are you going to have us reach out to the merchant? Or are you, as the acquirer or the processor, going to be reaching out to the merchant? Those are things that you really need to understand when setting up your program.
Another important aspect of PCI compliance is ongoing education.
These are great things to really tell the merchant about upfront. We don't wanna surprise them with noncompliance fees. It's great to tell them upfront what things are going to happen or what may happen if they don't abide by PCI standards.
Newsletters are great. We have a lot of companies who do monthly newsletters, sometimes even weekly. And sometimes they'll ask us for a little blurb from an auditor or from some sort of PCI, counsel release data release or something like that. And we'll send information that they can then send to their merchant base and give them an ongoing idea of what PCI compliance is.
Monthly statements are another great place to put something at the very bottom. Let's say that there are noncompliance fees or fines. You can put just a little blurb at the very bottom stating why they had it and then directing them back to your PCI vendor so they can take care of that fine. And monthly educational seminars.
This is one we have a lot of processors take advantage of. We have a lot of different programs and different educational systems that we can make available to your merchant base.
Better understanding is going to increase numbers. A lot of times, we have merchants who do it once. They do the checkboxing exercise, and they're done. And they forget about what PCI even is until it comes back around, and they get an email saying they have to redo it because it's about to expire. The best way to do this is to inform the merchants of what PCI is so that they expect to have that expired SAQ, and they're ready to move on to retake the SAQ and ensure that they are properly PCI compliant.
The last step, sorry, another step, is going to be making PCI easy.
PCI is not necessarily an easy thing to think about when you're talking about all the different things that you have to check off when you're completing PCI compliance.
A lot of mom and pop businesses are not going to be IT specialists. They may not even understand that they need to segment their network from a part of the network that's processing.
This is why we want to try and make it as simplified as possible.
We want to make the process to assign them to the SAQ easy, make filling out the SAQ easy to understand, and then make sure that the reporting is as little intensive as possible for your merchants.
As you can see here, this is the merchant dashboard. It's really easy to understand.
It shows them that they're currently failing, and then it has a to do list.
PCI vendors will have different variations of this dashboard, but it should be a one check dashboard that helps the merchant understand where they need to go next in the PCI compliance process. In this case, this merchant needs to complete the SAQ and they need to update their vulnerability assessment scans.
At SecurityMetrics, we have employed a simplified PCI approach. What we do is, during the scoping process, we ask easy to understand questions that will also pre-fill questions later on in the SAQ that they'll be assigned. For example, if they confirm that they are never going to be storing credit card data electronically, then when they're finally assigned their PCI after the scoping process, those questions will be pre-answered when it comes time to activate and continue answering their SAQ questions.
As you can see, this merchant was assigned to a VIP. And through the scoping process, they had ninety eight percent complete. They only have a few obligations left to check off, and then they're done. The cool part about doing it during the scoping process is they're going to understand what they're answering. It's not going to be confusing jargon.
This last section is leveraging your PCI vendor.
Your PCI vendor is integral in helping your merchants understand.
We help your merchants understand PCI compliance through available compliance teams or support.
We help discover your merchant's specific PCI requirements. A lot of times people may be assigned to an SAQ, but they have no idea what that entails. Your PCI vendor is very helpful in helping that merchant understand so that you don't have them coming back to you.
We validate and report the merchant's compliance, making it easy for the merchant as well as for you to pull up that information, and assist your merchants in becoming secure and compliant. Again, we want to avoid those data breaches as much as humanly possible. And the last is: please allow your PCI security vendor to be the expert. We don't expect you folks to be the expert. We're the experts.
So make sure that you lean heavily on your PCI vendor as an expert in relaying all this information to your merchants.
SecurityMetrics, for example, does a lot of different things to be the expert. Find a PCI vendor that meets all of the needs that you have. For example, SecurityMetrics not only provides PCI compliance, but GDPR, HIPAA, as well as internal penetration testing, auditing, forensic investigating, and lots of other audits.
If you want to have somebody who can fulfill more obligations for security purposes and PCI compliance obligations, find a PCI vendor that fits everything that you need. It's nice to have one place be the expert.
Thank you so much for attending this session. I really appreciate you guys coming out. If you have any questions, I do have my personal email on there, and the compliance team's number is on there if you have any questions about the programs or services that we provide.
I hope you folks have a great rest of your day, and thank you for attending SecurityMetrics Summit 2020.