Meeting Merchant Needs: Balance Value and Simplicity

Watch to learn how to keep your merchants happy, while also helping them prevent data breaches.

Robbi Watson, Director of Business Development

“Many merchants would throw PCI compliance out the window if they could, so we know that they value simplicity–and there are many things we can offer to give them that.”

Robbi Watson explained to attendees how balancing simplicity, security, and value can sometimes be a puzzle to figure out. But SecurityMetrics is a company that can provide options, work with merchants, and find them the best configuration to achieve compliance and protect data. 

“Obviously we can’t fill out the SAQ for merchants, but we can do everything we possibly can to make our process as user-friendly as possible to make it a positive experience.” 

Products like FastPass and Partner dashboards work together to save time and money compared with what could potentially be very expensive managed security tools. Robbi explains that, to keep merchants happy, acquirers must provide simplicity and reduction of scope through technology and solutions, and value through monitoring and expertise that protects their business.

Robbi Watson goes in depth on how to provide these things to merchants, keep them happy, and help them prevent data breaches, all while balancing revenue streams.

This webinar was hosted on September 24th, 2020, as part of SecurityMetrics Summit 2020.

Transcript of Meeting Merchant Needs: Balance Value and Simplicity

My name is Robbi Watson. I'm head of our partner security and compliance programs.

And my presentation is on meeting merchants' needs and finding that balance with value and simplicity.

So SecurityMetrics aims to close data security and avoid compliance gaps so that your customers, as well as you, can avoid data breach. So we're gonna talk about today some ways that we can merge simplicity and provide value with managed security in order to make your merchants happy and keep security and compliance top of mind as they go through their compliance process. So I know I've heard this probably a hundred times, maybe more, but long before merchants seem to think that their terminal is compliant so that they're already compliant. And all they have to do more potentially have to do is just answer some yes or no questions, and then they're done and validated for the year if they have to do anything at all. We know that's one hundred percent false.

There are some things that we can provide in order to make PCI simpler for merchants, such as some technology like a validated P2PE solution or some EMV chip and PIN type of solutions, but they still have to validate their compliance overall.

So merchants want simplicity.

If they could, they would throw PCI compliance out the window and not touch it at all or have to fill anything out.

So what we're trying to accomplish is utilize technology, easier validation types such as the Visa TIP program or the PCI Data Security Essentials, or just making the overall PCI DSS, traditional PCI SAQ, easier by prepopulating some of the data security requirements and utilizing what technology that the merchant may be using or integration types the merchant might be using to expedite that process and reduce the scope that they have when going through their PCI SAQ.

And if that isn't enough to make it easier for your merchants, finding someone that can provide twenty four seven handheld guided support, just someone that your merchants feel confident they can talk to in order to help them with any security related questions or compliance related questions they may have. So how do we accomplish this? So we provide a tool called FastPass, and FastPass solves a couple of problems. So the first problem is it gets your merchants to the correct SAQ every time versus a traditional PCI scoping wizard or whatever you wanna call it that's not necessarily customized, and it can be very vague and confuse your merchants as they're going through the PCI scoping process to determine what their SAQ type is.

So we wanna narrow that down and customize it partner to partner so that we can customize the user experience and reduce any fluff questions that aren't really applicable to your specific payment processing types so they're getting to the SAQ every time. And then problem two is instead of a merchant having to answer their entire full SAQ, what we're able to do is prepopulate that SAQ up to ninety nine percent depending on what processes they may have in place or what your specific integration type does or what the technology you're providing can do and fuse with the information that we're able to gather and collect from your merchant base.

So the point being there is, to kinda summarize those two is, problem one, getting your merchants the correct SAQ. Problem two is prepopulating some of the data and questions on their questionnaire so that they have a better overall user experience and aren't skipping out on their security.

A traditional PCI scope could lead someone into an SAQ D, which obviously is the most difficult three hundred plus question questionnaire, and they may not feel confident in actually going through that. So if we're able to tackle some questions upfront or perhaps reduce their scope by eliminating that storage aspect from the way they process and handle credit cards, we can make them a lot happier going through this experience.

Value. So merchants want value. So aside from simplicity, literally making this as easy as possible, perhaps just a couple of clicks to validate their compliance for a year, most of our partners want to have an expert in security in their corner. And this provides peace of mind to their merchants and peace of mind to themselves that their portfolio is going to be low risk, and they have all the visibility that they would need with a remediation path for their merchants by location in order to avoid data breach and compromise.

The great thing is with our partners, we can provide these type of solutions at an affordable cost. So it assists, not only you, the partner, but also the merchants in saving time and money who could traditionally be very expensive managed security tools. So the whole point of simplicity and value is merchants wanna focus on their business. They don't wanna worry about security or compliance.

They want it to be done for them. Obviously, we can't complete the PCI DSS for the merchant, but we can do everything we possibly can to make it as easy of user experience as possible in order for them to validate compliance. Most merchants think it doesn't it's not gonna happen to them until it does. So some recent breaches, there's Wendy's, Marriott, Target, Home Depot, MGM, Cuara.

Most of these groups probably didn't think they were gonna be the target of a data breach or compromise. And without looking at these big companies, most small level four merchants think, I'm too small to get breached. I don't have to worry about it. They don't really take it seriously until they finally get a notice or a letter from the Secret Service or from their acquirer that expects a common point of purchase for stolen credit cards, and they really look into it more.

We're a partner that can be trusted in order to get your merchants from point a to point b and obviously do everything we can to help them avoid a data breach initially, but provide all of the remediation steps after the fact if they had been suspected of a breach and need assistance in retrieving some documentation. So what acquirers must do to reduce portfolio risk and make this process easier for merchant is provide simplicity.

So with things like technology types or integration types, like P2PE solutions, EMV chip and PIN, or if technology you've created can integrate into a merchant system and reduce scope, such as storage from the way they're processing and handling credit card data, adding in additional validation types such as the Visa TIP validation type or the PCI Data Security Essentials, and then, obviously, twenty four seven handheld phone support to assist them with any additional questions that they have going through the process, plus value, which is peace of mind in overall cybersecurity tools that a partner can provide that are consistently monitoring your merchant's locations, making sure that the bad guys are out. And if they are able to get in, there's alerts and reports that go out to both you and Mr. Merchant so that they can be protected and avoid exfiltration of their data. Simplicity plus value in the end equals happy merchants.

And I know you're thinking, crap. Well, happy merchants would be if they didn't have to do this at all, and you're probably right. But at least we can do a few of these key bullet points with simplicity to make the merchants happy and increase their user experience and make them not call our partners and complain about frustration about going through the PCI process.

So happy merchants come from technology, so P2PE solutions, integration types, validation types, such as the Visa TIP program, which is the tele, technology improvement program, as well as the PCI Data Security Essentials, prepopulation by prepopulating as much of a SAQ and scanning requirements as possible before your merchants even have to think about it, guided support, which is twenty four seven support to assist them over the phone or via live chat with any of their security needs, expert security by providing managed security services with a reliable security operation center and SIEM tools to alert and report on threats on a location basis for each of your merchants and provide them peace of mind that everything is gonna be set it and forget it for them, and they have a security expert in their back pocket and corner that can help protect their business.

And then which is very important, obviously, to the level four merchants is saving money and having a tool that's reliable and not gonna break the bank. Traditional standard PCI DSS, we're gonna replace that with prefilled PCI DSS by prefilling their PCI requirements and scanning requirements. And noncompliance fees, we're seeing a route taken where acquirers are starting to replace those with managed security fees. To kinda wrap your head around this is a lot of our partners and partners in general are charging noncompliance related fees for merchants that haven't validated compliance, and they charge those after a certain period of time.

We're seeing a trend happen where merchants or acquirers are now focusing on replacing that noncompliance bad revenue with managed security revenue.

And the goal is, hey. We're gonna get our portfolio compliant. We're gonna get them secure, and we're not gonna eat into our noncompliance fee revenue, which is so important to us. But we're going to maintain that same level of revenue, but replace noncompliance revenue with managed security revenue and some managed PCI products and packages that are offered by SecurityMetrics as well as other vendors in the space. So to summarize kind of what we went over, we wanna utilize technology, we wanna remove unnecessary questions, and we wanna provide security and compliance.

If you have any questions, feel free to send me an email. Hope you guys enjoy the rest of your summit.