How to Make Your PCI Program Easier for You and Your Merchants

Watch to learn how to promote and simplify merchant compliance and get tips to improve your PCI program.

Watch SecurityMetrics Director of Business Development Robbi Watson and SecurityMetrics Director of Customer Success Scott Robinson discuss:

  • What makes a good PCI program
  • How to promote and simplify merchant compliance
  • Tips to improve your PCI program
  • PCI DSS v4.0 essentials for your merchants

Transcript of How to Make Your PCI Program Easier for You and Your Merchants

Hello. Welcome to our webinar today. My name is Scott Robinson. I'm the director of customer success management here at SecurityMetrics, and I have with me Robbie Watson. Robbie, introduce yourself.

Hey, Scott. I'm Robbie Watson. I'm the director of business development. So I work with acquirers and ISOs and payment facilitators on their merchant PCI compliance programs.

So today, we're gonna talk about a few different things. 4.0, lots of questions we get asked, so we thought we'd clear the air on a couple of those those questions.

What makes a good PCI program? What frustrations are commonly with the PCI program from both the partner side and the merchant side? And everyone else's favorite topic about PCI compliance, so we'll dive into it.

Fantastic. So now you you hit the first question right off the bat. So, you hear things differently than I hear them. Right?

You're talking to them pre pre signing and signing of a contract. Yep. I hear it after they've signed and they come in. So what do you hear when you hear people talk about what makes a good PCI program?

Man, I mostly hear when when I get approached by everyone, I mostly hear what doesn't make a good PCI program. What hurts? So usually, folks come to me and they say, I can't get an answer for my relationship manner manager or anybody. I don't know who to talk to. And we kinda dive into the weeds of that. So, like, my merchants are frustrated. They don't get any calls or communications.

Maybe they're an ISO, the ops side of or that's included in their acquirer's program, and they say, crap. My acquirer has me in this program, and I have zero of what to do with it. How can I kinda break away from that so I can have everything customized? So I mostly hear the the pain points about support or maybe branding or, not only, I guess, support for the acquirer, but also for the merchants. Right. And then we kinda dive into those those pain points. But everything's about, let's make life easier for you as a partner and make life easier for the merchants regardless of which vendor you use.

Right. And that's that's where my team comes in. Right? We're all about the success, and we want the success for the program. We want the success for the person that that is leading the program on the bank side or our partner side because we want them to shine on their side, and and we want everything to go smooth and easy. And and one of the things, like you said, was communications.

You know, I wanna be able to reach out and call my rep at SecurityMetrics.

Get an answer. Right?

And get an answer. Right? And and for my team, that's a big one for me. Right? I'm I'm really a believer that my job and my team's job is to answer that phone and get you the very best answer you can get. Whether we know it or if we have to go to somebody to get it, we're gonna get you the answer that makes sense.

What are, some of the most common frustrations you hear from some of the partners we have today? And then I'll dive into mine.

Oh, yeah.

So, they they kind of vary. Right? A lot of it really centers around education.

Right? And and merchants not understanding PCI. We don't understand what is supposed to happen here.

Our merchants don't understand it. What's the best way to handle it?

And and to me, it's all about education and communication.

Educate, educate, educate anywhere you can and then communicate.

Right? Communicate that out as best you can, and repetition.

Right? Because you don't wanna get sworn at too much.

Right. Right. And and so we wanna make sure that they know, you know, what PCI is, why they have to do it, what what's expected of them from the bank side, what's expected of them from the card brand side. We're trying to constantly educate the merchants so that they're not stopping and going, you know, why do I have to do this all the time.

Yeah. And and coming, I guess, from my background, when I first started at SecurityMetrics working specifically with merchants Mhmm. The the most common things they would ask is, why do I have to do this?

Oh, totally.

Why doesn't my processor do this for me? Or I'd rather pay the the penalty than do this. Or I'm gonna stop taking credit cards altogether. It's okay.

Yeah. Go go full cash. Let's see how awesome that goes for you. But, and I think the the thing that resonated, especially over the years, obviously, PCI rolled around in two thousand six and seven.

Right? And now here we are going into twenty twenty three, and there's been a lot of changes. And now merchants are kinda really entwined, and they get PCI. They're asking their acquirers and payment processors about PCI if they don't currently have a solution.

But really just simplicity top of mind. And I think that's kinda one of the biggest things, with with frustrations with PCI. It's it's so hard. There's so many things that I don't understand.

I'm a small mom and pop shop. I don't know what a firewall is. I don't ever want to know what a firewall is.

So how do we make that easier for them, and maybe utilize things, like technology, the current technology they're using or things that the the vendor can provide, whether it's us or someone else, to reduce a ton of those questions for the merchant Right.

So they can get it all done very quickly, but also still be secure. Because we obviously don't want them to be victim of data breach, which affects not only their brand, but also can go back up and affect the the processor too.

Oh, absolutely. Absolutely. And and it's interesting that that when you get to a merchant who doesn't understand the basis of PCI, for some reason, it it it didn't start at the beginning, right, when they first signed up to to use a processor, nobody mentioned PCI. Nobody talked about it really.

They gave little hints that it needed to be done, but it's like it's it's That's that's the tricky thing.

Right? Because Right. I mean, not to name drop anything. I don't even I probably can say this.

But, crap. In the early days, it was like, hey. We're just this is a huge revenue source for us, PCI.

Right.

We're gonna make a ton of money, and we're not even gonna notify merchants.

And I think the days of that have gone away. Oh, totally. And kinda to your point of just education is really important. Finding a partner that has tons of materials, whether it's starting guides, blogs, fancy webinars like this, where they get to talk to awesome people like you and I, where you have someone that can really educate your merchants, help them understand what their requirements are, why they have to do it, and then obviously provide some type of solution to make that process as easy as possible for them.

Right.

And that's kind of seeing more traction instead of the, hey. We're gonna tell them about this compliance program once.

Right.

And then just they'll probably never gonna see it, and then we're gonna bill them a noncompliance fee. And it's a bunch of money for us. Who cares? Right? I think those those days are kinda done, and that obviously led into a lot of frustration of getting tons of fees and penalties.

So Right.

And usually, at the start of a program, if we haven't done a great job of educating, you know, if the bank hasn't educated it, the merchant stuck it on the website, something explained who we were, what PCI was. Right? The merchant is not gonna call us. He's gonna call the bank first.

Right? He's gonna go right to the partner and go, hey. What is this all about? So all they've done was turn up the volume of heat on their side to handle more instead of pushing it to us Yeah.

And let us help them. Right?

What would you say, so you you obviously manage all of our partners. There's couple hundred that do the partner payment programs today. Right?

And plenty of that over the years that have gone to other partners and whatever. But, what would you say makes us different, from other providers when you talk to them? They say, oh, SecurityMetrics, you have done such an awesome job in comparison to vendor x y z. Right. You know, what what's the most gonna be?

Really great question because when we meet with our with partners, we we have a meeting that we run every year called SMAC. It's the SecurityMetrics Advisory Council. And so we're looking for that kind of feedback. You know, what can we do to be a better better partner for you, and what are your needs? What are you looking for? Where are your pain points so we can make adjustments and and look at fixing things?

The one thing I always hear is our support. Right? I hear it constantly.

You know, we call your team. You guys answer the phone. You respond back quickly. You get us the answers we need. If our merchants call in to support, they need help with their SAQ and their and their, scan.

They get answers and they get support. Right? And and so I love that part of it. Anytime I can get a partner that say that they love the support we provide to them, they love it.

And it's all the way down the line from from the white papers that we have on our website, the educational stuff, questions. Right? Just simple questions that we get answers to very quickly. They love the response time.

And so we just we just happened to do a meeting just a little while ago, and it was interesting. That was that was the first answer that they came out was our support. We do great support.

The the funny thing about that is I mentioned frustrations earlier in the webinar.

That's, like, the number one thing they say. I can't get a hold of anybody. My merchants are frustrated going through this process.

So, yeah, having someone answer under eighteen seconds is a pretty big deal.

Oh, that's huge. Right? And and we're twenty four seven. Our support team is always there twenty four seven.

Yeah.

And so the merchants, you know, they aren't gonna work on it during the weekday likely, and then they're probably not gonna do it in the morning. They're gonna do it in the evening. And if they have a question, call. We're gonna answer that phone.

So so from my end, it feels like so oftentimes, PCI can be thought of as a commodity. It's like, you have an SAQ? This vendor has an SAQ. You do scanning?

This vendor does scanning. You know what I mean? What's the difference? Right? It's and it's like, okay.

We're gonna get down to to cents for pricing because there's no value there. But I think it's having to extract the value and understand, for for whatever payment processor, acquirer, ISO, PayFac, whatever you may be, understanding what the the kind of goal is and what someone would be looking for. So is it proactively calling every merchant so they never ever fall out of compliance? And if they do Right.

They have someone supporting them and getting them back in compliance.

Right.

Is there cybersecurity tools that help them meet some of their PCI requirements?

Are they a QSA?

Can they do pen testing? Can they do all these things that basically not just make them another vendor, but an actual true partner to where you may be working with that, not just on the merchant PCI side of things. You may be working on the internal PCI things for your own business, like audits or pen testing or forensics, all that fun stuff.

Well, because because we do all things. Right? We we can do an audit. We can do a pen test.

We can do forensics. We it's all under one roof. Right? And and the nice thing about that too is that when, like I said, when I get a question that maybe it's a question that not so much to a level four merchant, but beyond that, I'm across the building from the auditors.

I can go right over and ask a question.

I can go right over to a pen tester and say And give them their cell phone number so that they can get their answers whenever they need to.

I can find some information very, very quickly. Right? And and, you know, some of the pain also that they talk about is is how do you make this simpler? Yeah. Right? That's one of the things that comes up is my merchants don't understand this. How do we simplify this, and how do we make this better?

And we've we've had many years at working on the simplification part. Right?

From from simplified verbiage in the SAQ, the ability to reduce the number of questions that they have to ask right up front that the merchant has to answer, to easy order SAQ, which is one of my favorites. Right? Give them the easy stuff upfront. Let them answer those questions. Build their confidence.

Work through the SAQ before they have to call somebody. Because then they go, well, I got pretty far here. Now I need some help. If it's the very first question about a firewall and they go, I don't know anything about that, they don't call us mad. They usually call the the bank mad or the partner and say, hey.

Why am I having to answer this thing if they if that question comes later in the the script. Right?

Yeah. Yeah.

Pre answered so much.

Out the window. Yeah. Cool. So how do you think that our partners, and I guess just people in the industry in general, get the most out of their PCI compliance programs?

Well, I think when they use the asset that they have, it makes a big difference. Right? We're we really are there to help them, and we've done this enough that we can provide answers. And we're not afraid to share. If somebody says, well, what what do others do? I can give them a big variety. You know, from all of our partners, I can say that no two of them are exactly the same.

That's kinda true. It's I mean, there's so many years of experience. I mean, there's, what? There's a handful, maybe now actually only several Yeah. Companies in the space similar to do what SecurityMetrics does.

Right.

Everyone has their own kind of bells and whistles and strengths and weaknesses. Right? But, I think it's just kinda you hit it right on the head is, taking advantage of everything available to you if you want to. So, obviously, some partners say, I don't wanna touch this at all.

I just wanna see everything and have you, SecurityMetrics or vendor x y z, run with it. Right. And it's like, oh, awesome. Great.

Here's all the data. Do it that we want. And then you have those that wanna be super involved and really dive into all the numbers, really dissect what each and every single merchant did or has done and what employees have done. And I think just having the option so people can get the most out of their their compliance programs that they're hitting their goals.

Absolutely. And maybe not even, their specific team's goals, but other goals, like net promoter scores for their marketing team or net promoter scores for their product team for product feedback on their own solution. So Right. I think finding a partner that can branch out company wide and hit multiple team's goals is super important versus we do PCI for merchants, and that's all we do.

And congratulations. This is the we're just a vendor for you.

And that's that's interesting because one of our tools, FastPass, is designed to, you know, scope the merchant as quickly as they can to get into the right SAQ without, you know, little chance of them going off the path in a wrong direction. Yeah. But that tool can also become a marketing piece for them. Right?

Because we can ask questions like, do you use another processor for different parts of your business? And if they say yes, we have a touch point there that can go back to the partner that says, hey. This merchant says he's got other business that you should know about. And then they can reach out and say, well, why are you using somebody else?

Yeah. Right? So that just that tool isn't just for us or for the merchant. It actually reverts back to the partner that this can be a sales tool for you if you wanna utilize it that way.

So one question I get asked often is, how can you improve your PCI program? And I always speak back to the whoever whomever I'm talking to and just kinda say, well, that depends. And it's not really the answer that they wanna hear, but it it really does depend. It's like, okay, what is your goal? What is finance's goal? What is product's goal? And it's just so many other teams combined.

But really trying to gather all that information so you can help the entire team as a whole meet that goal to improve the PCI program. Because if the finance's goal is we don't really care about compliance, but we want a lot of revenue. But compliance's goal is, hey. We want high compliance rates, but then it count it it takes away from the finance noncompliance fee revenue. Right?

Right.

There's gotta be some type of balance there.

So Well, And that's where we have revenue share and Yeah. And things that we can do that, you know, we we have other products that maybe they didn't include in their program that we can sell to the merchant revenue to the partner. Right? And so we have that ability to do that. And usually, when they say, gosh, you know, we're we're struggling. Like you said, we're we're struggling with this. Our reps don't understand PCI.

Oh, it goes from the bot it has to go from the bottom up. Right?

All the way up. Right?

Because we don't wanna cause friction to the agents to say, why are you talking to my merchants, and why are they doing this? It's like, well Right.

They don't have to, but there's a ton of options that help them meet each and every single one of their requirements Right.

Inside of their PCI questionnaires so that they can just get it done.

Well and you you get a merchant that that questions this. They go and they talk to somebody, maybe not the PCI team, but they talk to somebody at the locate you know, at the partner's location. And that person has no idea who PCI is. And probably the most common thing, oh, that's a fraud.

Don't talk to them. And so immediately, we reach out again to try to find out if they've gotten their answer and that we can help them. And they say, no. I was told not to talk to you.

You're a fraud.

Oh, I get it. Like, right? We get we all get these sketchy emails and stuff, and it's hard to to validate and verify, which kinda goes back to some of the earlier stuff is communication is key, having information on your website.

Right.

Emails that could even look and feel like they're coming from you. Right. IVR tree that links directly to the partner. Right. So many different things developed.

Those are all things we kinda capture at the beginning and say, hey. You know, do you have an IVR? Do you have a redirect your IVR back to us? Anything we can do to direct the pain off of you and bring it right back to our teams and let our teams do the work for you, that's what we're after. Yeah. Right? Because we the whole idea that you got a a a team, a partner to help you with this was to reduce the number of the amount of work you have to do, reduce the pain that you're feeling right on your side, ease for the customer, ease for reporting for them, which is why we have that great partner plus tool that lets them get all the reporting aspects done.

Anything that we can do to take that off your shoulders, I I tell the team, look. Try to be an employee of theirs that they don't have to pay for. Right? Yeah.

Yeah. You're just an employee of them. Feel that way to them. And and luckily, I got great people, and that's what they try to do, you know, to their full extent.

Well, so PCI 4.0 is coming up. And I guess to kinda summarize everything we've talked about to kinda dive into that, literally sounds like it's all about simplicity.

I mean, complaints I get are lack of support, too hard for merchants. Sounds like similar complaints to me.

Same complaint.

Simplicity, I would say another thing is visibility.

So a central location, whether it's in our portal or being able to API push to a partner's portal, so they have all the documents they ever need at their fingertips Right.

And the ability to be as hands on or hands off as they want to. Right?

Oh, absolutely. So And and, well, I don't wanna brag or anything, but the partner plus reporting is amazing. Right? There's a that we can give you every field you can ever imagine that's in there that if there's some data in there, you can pull it. You can extract that. Yeah.

It's so painful when, I talk to people and they say, oh, I don't even have access to this. And it's like, okay. Usually, those people are, an ISO that is with an acquirer program.

Right.

And they don't have an option to really select out. A lot of ISOs and PayFacs don't necessarily realize that they can kind of do their own program.

They obviously have to do what the sponsor bank requires Right.

Allows them to do. But Right. There's a lot we that that come over to to us and other vendors and just wanna have their own experience. Right? It's their brand that's at stake. They don't wanna have user experience that's cookie cutter to everyone else. They want their customized user experience.

Right.

So it's kinda cool to to do that for people.

And and on that implementation call, just at the start of the program, we ask a bunch of questions. Right? So that we know how to handle the merchant. We want the merchant experience that they have with the partner to be the same on our side. You know, my goal is that they don't feel any different. If they get grade a experience from this person, I want them to have grade a experience on our side Yeah. And try to match that as much as we can.

They always have a good experience with me.

So, so, with 4.0, I'm again, you manage all of our existing partners.

Probably a Probably a lot of questions that they've been bringing up so far about PCI 4.0 and what we're doing to kinda Yeah.

There's there's lots there. And and what changes are gonna happen, and how hard is it gonna be, and can we simplify it still? And, wow, we've got a our product teams are all working hard to make sure this all makes sense. Right? Our support teams who work with the SAQs, they've already mapped, the new questions to existing questions so that when a merchant has to flip over to 4.0, they don't have to refill out the whole entire SAQ. If we can map those over, then they'll get an SAQ that's the new one, but it'll already be pre answered based off of what maps.

Right? Exactly. Right. Because imagine going to complete a new SAQ. Maybe you just completed it right before 4.0 hits.

Right.

And then it's, like, actually, you just have to redo this entire process over again and answer all these questions that you spent an hour. However, it depends who they're with. Right?

Right.

Could be seconds or it could be hours depending on How big and how crazy.

But taking all the information they currently have and preloading it into the SAQ of which questions can answer so they may only have a few more to answer. Right. Man, that's gonna completely simplify the experience for the merchants because the acquirers, processors, whatever you wanna call them, big payment processors. Right? Their business isn't PCI necessarily.

It's keeping merchants happy, keeping merchants processing, and doing those transactions Right.

We don't wanna interfere with that at all. And PCI should not interfere with that. We wanna make it as easy as possible. So I love that. Yeah. I didn't even know that. So that's perfect.

I like the past.

They have been working on this, and they're on it. And it's nothing new. I mean, we did it when we went from 1.0 to 3 to 3.1. Right? All the way down that change, every time it changed, we map these and we work this and we try to figure out.

Well, another way I think to make it easier would be, like, advisor programs where it's proactively outbound calling to help merchants go through the process. Right.

Someone that they can call, someone that will call them. Hey. We're noticing you're coming up to your expiration. We wanna help you make sure that we get this done and and keep you compliant.

Mhmm. We don't want you to fall out of compliance. We want you to maintain that compliance and keep going. Right?

Well, unlike the, so scanning for SAQ A is something new.

Yeah. That's the that's probably the scariest one. Right? Because, you know, typically, depending on the portfolio, typically, the the number one SAQ that most merchants are in is B.

With coronavirus and all that that cause changes, more merchants are now going into ecommerce.

And so we have a lot more ecommerce coming at us now. And that big change, and that's a really big change, is SAQ A today has no scan.

SAQ A in 4.0 has to have a scan, and they're not gonna be ready for that one. Right? They've never had to do it before. Now you're asking them to do something totally different.

Unless it passes.

And unless it passes. And and most of them do. Right? There's not a lot that fail all the time. Right? There's just if they've ever really complex thing and they do changes all the time, that could kick them out.

But most most merchants don't even know an IP address. I you know, I mean, understandably.

So They they don't have to deal with it.

They don't know it. Right? And now we're looking at ways of saying, hey.

To make this easier for these merchants, let's talk about giving them a scan that doesn't affect their PCI today Yeah.

And lets them get that scan, see what issues are there.

And if there's issues, fix them. So when 4.0 does come around, they understand the scan, and they know that, oh, I just was scanned a little while ago. I haven't made any changes. I'm probably gonna be pretty good. Right?

Yeah. Well, let's schedule having it run automatically because some some, smaller vendors or competitors that resell ASV scans. So as an ASV, obviously, we don't we're our own bread and butter for scanning. Right? We're not reselling anything.

Having the schedule run automatically every quarter kind of keeps it out of sight, out of mind. Right. So they're not having demand I mean, if there's horror stories of, yeah, we have to log in and and manually click to run a scan every it's like, what? Really?

And we hear that quite often.

Oh, yes.

New partners. Right? It's horrible.

And imagine if you have tons of scans that you have to manually Oh.

Go. Yeah. Go push that button every time. Yeah. No. We we set that up at the beginning, and they just run. Right?

And then you get notified pass, fail, and So it sounds like I mean, in my opinion, I don't think 4.0 is gonna be that scary.

No. It sounds like keep pretty much as is, for us at least anyway, prepopulating everything as much as we can at least.

And I We're simplifying it as as much as we can simplify.

Right? We're looking for those chain places where we can even in in our our scoping process, can we ask you questions that will prepopulate your SAQ in bulk Yeah. Right, and ease your pain? And that's what we're trying to do.

I'm gonna go, off script and just bring up some some new stuff. So with inflation, everyone's trying to gather more revenue. Right? Because their money now is worth less.

Right. So maybe talking about, like, revenue share opportunities and what partners are doing or what we're kinda seeing as a trend towards that, could be kind of interesting. Because some of, some partners obviously, they're they're trying to go go revenue. Right?

Everyone's trying to grow revenue. But like I mentioned earlier, that's not necessarily a good idea to do only via noncompliance fees.

Right.

So the kind of trend we're seeing is let's replace those noncompliance fee revenue with, security products because now our merchants are gonna get secure. They're gonna utilize the the the product and service, which hopefully keeps them happy and with us. So I think finding a vendor that has a full suite of additional data security under compliance or ease tools is very important. Yeah. Very And to tie into that kind of inflation thing is to have a large chunk of revenue share off of those Right. Could help offset any anything that they're showing up.

We did it right, maybe your PCI isn't, an invoice to you because there's enough revenue share that it just offsets the the cost of that.

Well, we see that happening. Right? And some partners are even going the route of saying, hey. We just wanna be out of the billing mix completely.

Merchants can pay directly.

Right.

And we'll just get a rev share off of that.

And and we see those and they're successful.

Yeah.

And it's less operational cost maybe for the the partner. Right. It's literally just pass it over to us. What which I guess the operational cost isn't too big. Depends on how big the partner is.

Right.

Whether they do their own method of billing versus us doing a billing or the vendor doing a billing.

But Well, and the hard part is on the partner side, usually, there's one person that's running the program, you know, depending on how how large the the place is.

There's one person, he's wearing many hats or she's wearing many hats. And PCI is just one of those hats. And sometimes they can't get that hat on all the time. And then when they do, it's usually on fire and and then they got questions and that comes back to reach out to us.

Oh, and there's We'll answer your phone. There is so many bandwidth things too. So even talking to some of the top, like, twenty large acquirers, it's like, is this gonna cost us more to switch providers than just to you know what I mean? We don't really like who we're I mean, we I guess they're okay, but, yeah, we see other things are better out there.

But is there gonna be so much operational cost and bandwidth issues to where we can't even make a switch? Right. So I think, finding someone, if you ever were looking to explore as a a payment processor, kinda switch things up. Man, finding something to to minimize internal churn and frustration along with the merchant frustration, because you don't wanna lose your merchants.

Right? That's really important too. And I think a lot of people would be really surprised to understand how frictionless it really can be if they were looking to make a change from vendor x y z to vendor x y z.

Right. Right. No. And we we have those all the time today, and so they understand it.

We're there to help them. We get them through that. And and with our program, we are able to you're already compliant here. Let's put you into the system.

And as you fall out of that other compliance, we'll just swing you into ours, and it's painless and easy. Yeah. Right.

As a reminder, send in any questions you have into the chat, and we're gonna answer some questions that we have right now.

First question. What's a good compliance rate number?

Oh, that's a great question.

It depends.

It depends. Right? It really does depend depends on how big your portfolio is, how much education you're doing, how much communication you're doing. Today, I can tell you that our top ten have an average of eighty five percent.

So And you hear it across the board. Right? It depends on goals Like, well, you don't hear it as much anymore, but we want to keep compliance this high because we get a lot of money with non compliance revenue. But traditionally with depends on the communications and due dates, any non compliance fees or penalties. Right. There's a lot of different ways to do it. But yeah, Top top ten, eighty five percent is pretty awesome.

Percent is pretty awesome.

Something to work for.

We have some that are ninety five percent. We've had some... no. It's always hard to say a hundred percent, because at a hundred percent, at any moment, a merchant can fall out of compliance by a scan. So it's hard to say. It all depends on when you click the button to see how many are compliant right now.

Well, it depends which partner it is. Right? Because some have hundreds of thousands, and ninety five percent of hundreds of thousands is different than ninety five percent of a thousand. So Right. Right.

Yeah, we're aiming for high sixties.

But that's one of the things we ask for. What are your goals? And let's work on getting each of those goals. Right?

And so we're gonna hit your goals and... And here's how we help you get there.

And this is how we help you get there.

Next question.

When should I really start talking to my merchant base about PCI 4.0?

Today. Today.

Yeah. It'd be great to start. I think we even probably have some partners starting to send us some educational material. I know we, as a company, have tons of educational material that you could point back to. I'm sure we'll post some of it, or link back to it. But... Yes.

And especially where the big changes are. Right? You know, if you're partnered with us, you can look in there and see who's in SAQ A. Right?

Yeah.

Those are the guys you wanna talk to now and get to, because this is a real big change for them. You wanna make them comfortable. You wanna get them calm. You want them to know that, hey,

we know this is coming. You know it's coming now. We've educated you about this. We're here to help you.

Not to worry. Don't panic. And instead of the surprise: log in one day and find out what I gotta do, a scan.

Yeah. Yeah. Just make sure they're aware of it ahead of time.

What do we do with merchants that process payments in different ways, such as SAQ A and SAQ B?

So it's interesting. We offer what we call combo SAQs. Right?

If you look at how the Council says it, it says, oh, you have to... if you do more than A... A says this is for ecomm only.

B or C says, or CVT says, this is not for ecomm. You would naturally have to go into a D, which is horrendous to have to put somebody into.

We do a combo. We'll give you an A and a CVT if that's what you need. Right? And so we've tried to help. Most people just have two. And so if we can get them down to two and make it simpler, then we'll give you all the questions for those two SAQs.

Most of those questions kind of overlap a little bit. Yeah. And so you're only answering the questions once, but you're getting two SAQs completed.

Well, the feedback we've gotten from partners as well as merchants is just like, crap, my old provider made me fill out an entire SAQ D.

Right.

And you're just giving me the relevant questions from this one and this one and combining them together. And now I have to answer maybe a hundred and something questions instead of three hundred something questions. Right. Thank you so much for making this way easier. So... Right. I don't think anyone else is doing that.

No. I have not seen anybody do a combo.

And it's way easier to say, your SAQ D. Very good. Yeah.

It's easier to say D.

I mean, even on our side, it's a lot easier to not have development have to maintain all this kind of stuff and... But it's about the simplicity.

But it's about the simplicity. It's about the merchant. It's about your programs. What are we trying to do to make it simpler for your merchants to handle this?

What program steps would you recommend to new ISOs or acquirers?

Education.

Yeah. It's literally... That's really the job. Education.

So Right.

Educate as often as you can. Put it everywhere you can where a merchant comes into your systems. They're coming into the website to log in. Don't put it behind a password.

Put it right up front where they can see: hey, this is something I have to do. This is who my company is partnered with. They're gonna help you get through this process.

Well, even down from onboarding. Right?

It's like Oh, yeah.

Here's your kinda starter kit or whatever. There's a talk about PCI from the beginning. So it's not like a, hey, yeah,

you're good, there's no fees, there's nothing, you don't have to do anything at all. Kinda salesy tactic, down to, like, two months later, they're like, what the heck?

I just have this brand new thing. You never told me about this.

Never mentioned it.

That gets to an awkward conversation.

Right?

So it's like, talk about it upfront in the beginning in the onboarding process. And if not, at least educate. Because that's another big thing. So more recently, I'm hearing the payment processors do not wanna be liable because they didn't properly educate and tell their merchants about a requirement.

Exactly.

Because what's the merchant gonna say if you don't even have a solution in place or anything in place?

Right.

And they get breached and they come to you and say, what the heck? You know what I mean?

You don't have an answer to it.

Right. You don't have an answer to give them. You know, and we've helped other partners with leave-behinds. Right? Part of the onboarding process packet that they give. Yeah.

Yeah.

That simply just talks about PCI. It talks about that partnership. It talks about, you know, who you're working for and with to help make this process easier. And then they've got something that they can look through, and you can't say that we didn't tell you. Yep. Right? So that makes a difference.

What requirements are keeping merchants from meeting PCI compliance?

That's kind of a tricky question. Only reason being, and this is gonna sound bad probably, but anyway, for someone to truthfully be PCI compliant, they probably need a pretty high security budget. And they probably need to spend thousands or tens of thousands of dollars to really, really, really have everything correct.

To complete everything.

Right?

Because there's internal scans that, you know... There's firewalls and firewall management.

Right.

In all likelihood, they're just checking the box that they're doing it, but they're really not doing it. And in most cases, policies, procedures, we offer those products to help out. Firewalls. Trainings. Training is a big one. Right? You're training your people how to handle it.

Everybody thinks it's all about processing over the Internet. We still get that question from merchants: but I don't process over the Internet. It's not about processing over the Internet, necessarily. Right?

I think there's a few ways to do that.

So, one, if a merchant's gonna end up in SAQ D because we talk to them and they say, yeah, we take cards through email, we will educate them. Back to education: hey, you probably shouldn't do that. Let's lessen your PCI requirements, which will lessen their security requirements. Right? So back to education, very important.

And then being able to have a partner that has a variety of solutions that could help your merchants that maybe do have a larger budget. Mhmm.

And do need things like penetration testing, internal network scanning, shopping cart monitoring, literally the whole gamut of everything.

Right.

But still know that the ones that are maybe just kind of the check-the-box merchants, to get through it, still have access to things like training and policies and scanning, and some of the, at least the bare minimum things that we're covering, so that we know that their risk is probably down here versus someone who's up here for not doing anything at all.

Right. And this is kind of a hard topic to even broach. But as an acquirer, when you're giving your merchant these tools to be able to process credit cards, everybody thinks, why? I gotta give them this wide variety of options, and sometimes they can have three or four or five of those.

Well, you could have made their PCI very difficult to get through. You could have forced them into a D because they have three different types of processing methods that aren't all gonna end the same way. Right? Because the Council's SAQs aren't covering the one before.

It used to be B covered A, C covered B and A, and then D covered them all. Now it doesn't do that. Right? So now you've changed that whole process.

So if you can reduce what you give people down to a set form of, you know, if you want ecommerce, we suggest you use this. If you want, you know, a... Yeah. Swipe terminal, we suggest you use this EMV. Right?

Anything you can do on your side to reduce their PCI scope makes a big difference.

Well, and there's so I mean, there's the piece of tip program. There's the PCI DSC.

Right. There's PA... the PA-DSS. Or not PA-DSS.

P2PE. P2PE?

Yeah. Oh, yeah.

There's so many different things that could make that easier.

But I guess the whole point there is, like, having something for those that really wanna take security top of mind and do literally everything, but also something that can make people's risk down here instead of up here. And then, obviously, like, to your point of narrowing it down specifically so we can answer as much as possible for them so they're getting through it.

Well, we had one partner that totally changed what device they were giving their people. They're all on P2PE. So, you know, with a few exceptions of people storing credit cards outside of the system, right, for recurring billing or whatever, all of their merchants fall onto P2PE. Yeah.

And that's a decision they made. And, wow, they got happy merchants. It's not near as much work. Yeah.

What can SecurityMetrics do to make my job easier, and what can you do to make my merchants' lives easier?

I guess maybe you wanna touch on their job easier?

Partner side first. Yeah. That's where Partner Plus comes in. Right? Partner Plus and your customer success manager on our side, we're here to make your job a lot easier, make the stress a lot easier, limit all the things that you have to do, and we do that through Partner Plus: with the reporting aspect of Partner Plus, the fact that you can download any document you need from a merchant right from the portal, the ability to schedule... well, let's do it. There's two ways. You can create a report that maybe you don't run all the time, but you run it often enough that you wanna just have it there so it's a one-button push.

There's my report, and I can pull it really quickly.

It could be a scheduled report. We built, in our reporting aspect, a tool that allows you to build a report, schedule it, email it to people on whatever day you want it to happen, and have it just go. I want that on the first Monday of every month. Right?

And it's just gonna run and go, and you don't have to go in and do it. It's going to do it for you. Right? So anything we can do to eliminate what you have to do on your side and allow you to focus on all the other things you have to do, that's what we're after.

And then, of course, calling us and asking questions, we're here to respond as quickly as we can.

Yeah. Going back to, like, we can do the heavy lifting if you want us to. And here's all the recommendations from years of experience, what other people are doing, without giving their names. Mhmm. And you decide, partner, what you want to work.

For merchants, it's pretty simple. So, I mean, for technical support, an average speed to answer of under eighteen seconds to get a merchant through their PCI requirements, multilingual support, multilingual branded pages and portals, which is important for our partners and future partners, like you guys, that are global, right, or have different regions and different language needs.

FastPass, probably being the biggest, to prepopulate and pre-answer as much of an SAQ as possible. Right.

Using very, very custom flows unique to each partner.

And then having tons of different security and/or compliance products, down from level one to level four merchants, so that we could be on a partner level and help literally everyone with whatever their PCI requirements may be.

Right. On the simplified questions, the simplified order, tons. All of that stuff. The little videos that we put in those sections to give them something to help me understand this section. Right?

Man, there's a lot more. There's so much... There is. There's... The automatic scan scheduling. Right.

There's a bunch. Yeah. Thanks so much for attending the webinar and asking your questions. If we didn't have a chance to get to your question, you can reach out to me, rwatson@securitymetrics.com, or just reach out to us and chat and we'll get back to you after.