Watch to learn how you can best get your PCI program and merchant portfolio ready for PCI DSS v4.0 without stressing you out.
If the idea of getting your PCI program ready for PCI DSS v4.0 is stressing you out, you don't want to miss this webinar.
SecurityMetrics Director of Business Development, Robbi Watson, and SecurityMetrics Director of Customer Success, Scott Robinson, will discuss:
Hey, welcome to our webinar on creating your PCI DSS 4.0 game plan.
Remember to submit your questions. We'll have someone reach back out to you, and we'll send you a recording of the webinar after we're completed. I'm Robbi Watson. I'm the head of business development.
And with me here is Scott Robinson, director of customer success.
So we're gonna talk about a few things today.
New PCI 4.0 changes, deadlines to consider, the importance of PCI 4.0 education, both internally as well as for your merchants, how to effectively communicate these changes for PCI 4.0, and new and useful products that help meet some of the new PCI DSS requirements.
So if you're not familiar with SecurityMetrics, and this is one of your first webinars with us: we've been a QSA company since 2006. We're part of the first group to become a QSAC, and we do one of just about every single acronym you can find on the PCI Council's website. We are an ASV, a PFI, and also a managed security provider. And we are the winner of the 2023 Cybersecurity Excellence Award for Audit Team of the Year.
SecurityMetrics is determined to make your merchant experience as easy as possible when it comes down to getting your merchants through the process. We try to make it simple.
We try to make it easy to manage for you and your team.
Overall, we just want this experience to come across very easy and very comfortable.
So let's get you up to speed on PCI 4.0 changes. There are a few significant changes in PCI 4.0. The number of questions has gone down, but there are more security requirements.
So it's a win-win or a lose-lose, however you wanna look at it. But the most common is that SAQ A merchants will now require a scan. That's section 11.3.1.2. And then in sections 11 and 6, there are some new requirements for your e-commerce merchants.
Yeah. And the scanning portion for the SAQ A merchants is probably gonna be the biggest headache. Right? They haven't done it in the past. All of a sudden, I've gotta do a scan?
Yeah. Yeah. And where most merchants don't want to do PCI to begin with, and they think that because the platform they're using is already compliant, they're PCI compliant, it can cause a few headaches for sure. So finding a partner that can automate a lot of that is very important. And then having the support so that you can help answer merchants' questions if they were to fail a scan, and get them compliant, is gonna be really, really important for those SAQ A merchants.
Absolutely. So let's talk about some deadlines and timing for the transition.
So we've actually gotten quite a few questions from existing partners asking when we should make that transition. Right. And no one's necessarily jumped the gun or wanted to jump the gun. No. So what we've been telling folks is to be looking at Q1 of 2024.
And we're helping them discuss their game plan for that transition so that they can give their merchants a suitable cushion to prepare.
What would be very painful is if your merchant had just barely, barely completed their PCI requirement, and then now we make them swap right over to the brand new requirement.
They didn't finish the compliance prior to the new SAQ version kicking off.
They were headed into it, right, head down, trying to bust through it, and then all of a sudden, I gotta redo this whole thing again. Yeah. Doesn't sound like a lot of fun.
Well, and with previous standard changes, it required a full-on rescope. We needed to re-identify how a merchant's processing and handling credit cards.
So I know internally we've made some pretty awesome changes to ease that process by only presenting the new relevant PCI 4.0 questions. Right. So that a merchant doesn't have to go through this entire experience again because, we hate to say it, but they really do not want to do their PCI compliance.
So if we can make this as painless as possible for them, that's gonna be very important. So now's a great time to consider starting to prepare that transition. Right. Especially leading up to Q1 of 2024, to maybe fully transition that portfolio into the new 4.0 requirements.
And the good part of this is it isn't a scoping exercise. Right? We don't have to rescope, but because of the changes in the SAQ questions and the way they work, that's what's gonna throw them. You know?
So we don't have to worry about, oh, do I have to rescope my merchant? No. We don't have to rescope merchants. But we do need to realize that if they got partially through the SAQ and all of a sudden their new one comes in, things aren't all gonna match up.
You know, we've done our part to make it as easy as possible by trying to do a match of all questions. Right? Get them one for one; if we can bring it over and match it, great.
But if they didn't get compliant on 3.2.1 and they get forced into 4.0, it's gonna change, and questions that they thought they may have been really close to being done with, all of a sudden they're not, right, in that section because of the change.
So the importance of education.
Again, we wanna educate our merchants. Oh, absolutely. To validate compliance, and especially with the new 4.0 requirements, a lot of those heavily affect e-commerce folks.
So it can be really helpful if you update all of your websites that talk about PCI security to the new 4.0 requirements.
Absolutely.
Having a partner that can assist you with that content is definitely very beneficial. Creating your 4.0 statement for the applicable websites and landing pages is also key.
Right.
So that your merchants don't Google "partner PCI compliance" and then land on some old requirements and old verbiage that are gonna confuse them.
And then any of you can take advantage of our free, extensive library and resources.
We have a really awesome timeline that shows the entire transition, as well as all the new changes and nuances and differences with PCI 4.0 from 3.2.1-dot-wherever we're at. Right. So that's free and open to everybody.
And the good, you know, probably the most important thing is you're gonna make sure your internal teams are ready for this. Your teams have got to know everything that happens, and this is, you know, your product people, your sales reps especially; they need to know because they're the main ones talking to merchants, but it should get all the way down to anybody. And everybody who can ever speak to a merchant has got to know who we are, what PCI is, and, oh, yeah, there's some changes coming. Don't panic.
SecurityMetrics is our partner, and they're gonna help you get through this. Right? And so the more we can do that, we can get through this thing. So everybody should be able to communicate the need for PCI to a merchant.
You know? Yes. You have to do it. Yes. You have to report. That's the easy things.
You're Switzerland. Yes. Yes. Yes. SecurityMetrics can help you. Right? And we're the trusted partner, so that makes a big difference.
Internal documentation is really important. Right? Changing your wiki pages, anything that you have on a website, any internal newsletters, anything that's coming out has got to start talking about 4.0 before it happens. So one of the important things to always remember is that your CSM is here to help you.
Chime in with them, get a hold of them. They're gonna come back and give you any information you need. We can give you verbiage. We can give you trainings.
We can do whatever we need to do to make this change process a lot easier for you. And like I said, educating merchants: we do education for partners all the time, and we're happy to do it multiple times a year if needed. Every time you change out a rep or a team member and you need somebody else updated on the whole thing, give us a call. We're happy to do it.
Yeah. And our marketing team is awesome about providing new content too for partners if they need to update any pages.
Absolutely. Absolutely.
So communication is key. Right?
So your team handles all partner-facing communication, trainings, what they need. Absolutely.
Making sure their program's a success. So I'm sure you get quite a few questions relevant to PCI 4.0.
Oh, yeah. All the time. And we're happy to help tailor things and make things work out the way you need them to. And so communication's huge.
Education and communication across the board for everybody is number one. Right? We've always said, if we can communicate and educate the merchant correctly, they will take your hand and they will walk down that path. If you don't, they're gonna kick up a fight and start backpedaling on you.
You know, have you ever tried to pull a donkey down a trail that doesn't wanna go down? I've always tried to pull a donkey.
Donkeys will not move. Merchants are donkeys. That's just how it is sometimes. They will dig in. They will sit down, and they will push back. And so communicate, communicate, communicate.
Yeah. And I think we can't necessarily give any names, but we have 200-plus partners. We have a lot of information and knowledge of what everyone is doing. Right?
So we can communicate with you on here's what some of the others are doing. There are various strategies and ways of implementing and making sure that your merchants are secure, having an awesome user experience, staying up to date on updated PCI related changes. Right. So we can provide that to our partners Absolutely.
Without necessarily giving any names and data. But it helps you know that you have someone experienced to speak to about any upcoming requirements and changes for your portfolio.
We have enough partners that have done it in different ways. We know what works and what doesn't work. Correct. And so we wanna find the things that work best for you and implement them.
So FastPass solves two massive problems. Problem number one is it gets your merchants to the correct SAQ every time. We're not just gonna lump them in as an SAQ D and say congratulations, go fill out 300-plus questions. We wanna get them to the right spot.
Secondly, we know merchants do not want to do PCI compliance. So how can we make this easy for them? Well, let's identify the various ways that they're already processing and handling credit cards, what their technology is, and what business policies and processes they have, to pre-answer as much of the SAQ as possible. So I know today we have some partners that can pre-answer an entire PCI questionnaire.
So maybe this entire process takes one or two minutes for the merchants to go through. Right. And there's also alternative validation methods. So if you're not just interested in PCI compliance, we can do the Visa TIP program.
We can do the PCI DSE Mhmm.
And any other variety of flavors that you throw at us. So FastPass is an awesome, unique tool to reduce the number of questions, save time and effort, and reduce escalations to partners.
Right. And because we've got 3.2.1 and we're moving to 4.0, you know, our teams are already looking to say what questions could they have previously answered that, when they switch to 4.0, it just brings across and answers. Right?
Yeah. I mean, how awesome is that if you can just see only three or four, five, whatever new questions there are and Right. Just have those answered.
And just have to worry about that rather than the whole going through the whole process one more time.
Right? So it does make a big difference. We have Shopping Cart Monitor, which is really quite new. Right? And so Shopping Cart Monitor specifically covers the new requirements found at 11.6.1 and 6.2.
You know, you might have a little more information on this than I do. Yeah.
Because I don't hand-touch that one a lot yet, but it's been a fairly easy rollout.
Right? It works very, very easily. It identifies really quickly all the problems, especially because we can see the button push for purchase.
Right? Most of them stop right there. Anybody else that I've seen has stopped at that point, but we go beyond a little step further.
Well, yeah. So we're wanting to continuously monitor if a payment page has changed or been altered.
Right.
Which would send a transaction to a known bad actor somewhere. So we can put up a flag, essentially, to say, hey, this website needs a deeper look, and stop that transaction from going through, by identifying if any code has been changed on the back end of the merchant's website. So we're continuously monitoring your e-commerce merchants to make sure that they're protected and credit cards aren't getting skimmed.
Right.
So PanScan, let's talk about that. This isn't necessarily a new product, but it does help meet some of the newer requirements. So 88 percent of users have found unencrypted primary account numbers on their network, and many of them don't actually know it.
Right.
And that's really low-hanging fruit: if you don't necessarily know you're storing credit card data, but then someone hacks you and they can find that golden goose, or whatever you wanna call it, and steal the credit card data, that's no good. So most merchants can access tools such as PanScan within their portal to proactively look and identify any unknowingly stored credit card data. Right. Point to that and then remove it from their systems.
Well, and it wasn't long ago when, we won't name names, but there was a game console that was storing everybody's credit card information, and the user didn't know at all. And then all of a sudden that breach hit, and there were millions of cards sitting on that. And so it caused a lot of problems, a lot of pain. We'd prefer you not to ever suffer with that one.
So Risk Check. I really like Risk Check. We've been having these conversations a lot with our current partners, especially those who have quite a bit of e-commerce merchants.
But to summarize Risk Check, we wanna identify a baseline of where your e-commerce merchant's risk is. And then from that baseline, we can identify if, hey, this website looks like they probably have been breached or could be breached, so that we can take a closer look and identify, from a series of manual efforts as well as script efforts going through that checkout process, if they actually are breached and currently sending credit card data to a known bad actor. But it does give our partners peace of mind knowing that, hey, we can scan our entire portfolio with a Risk Check of our e-commerce merchants to identify which ones really have those risks and vulnerabilities that we need to identify and help with, especially with some of these new 4.0 requirements.
Right. And then step into this new Inspect piece. Right? So we've got a nice easy step, do Risk Check, and then identify those that really need that next step, which is Inspect. Correct.
So why choose SecurityMetrics?
I mean, we are one of only a handful of companies that do everything in the world of PCI. Right?
And so we can do PA-DSS and SSF assessments. We do P2PE assessments, PIN assessments.
We're forensic investigators, so we can do the forensic investigating.
We do ASV scanning. We do penetration testing. So we do it all. I mean, it's one stop. Pick it up and go. Right? We're the Costco of PCI security.
So what I always tell people is that we're not just another vendor. We wanna have a true partnership. So our experience and expertise with all of those fancy acronyms you'll see on the PCI Council's website has really formed and shaped our company. Yes, we do PCI compliance, but that's not necessarily who we are.
Right. I would say we're a security company that also does compliance, whether it's HIPAA, PCI, GDPR, CCPA; the acronyms go on and on. Right. But we have so much experience, especially from those forensic investigations, or having a team of 30-plus QSAs, where we can really identify an entire partner's security needs and goals regardless of whether they have level one, two, three, and four merchants, or maybe need some of their own internal systems assessed or payment applications assessed.
And we have a lot of experience talking to merchant issues. So if you have a larger merchant in your portfolio that may need a little extra help or a little extra hand-holding, we're not just gonna put them off. We'll be your expert and real partner to help them dive into their issue.
Well, it stands to reason to know we care, right? We really do. We really care. We don't want merchants to go through this process.
We don't want them to have a breach. We don't want it to disrupt their lives and their family's lives. That's not what we wanna do. And as far as my team goes, and the way SecurityMetrics works, we want you to have an experience with the CSMs that just feels like we're a part of your team.
Right? We wanna help you get through it. We wanna figure out problems. We wanna talk to you and work through those problems and come up with an ending that makes good sense business-wise and for everybody.
You know? We're looking for that.
And you give all of our partners your cell phone number so they can text or call anytime.
Anytime day or night.
You know? And on the merchant side, we want your merchants to not feel like they went from you to us.
And there's this difference in customer experience. Right. We want it to feel the same. We wanna be an extension of the same customer experience you give to your people on your side. We want them to have that same experience on our side.
Yeah. And we're not trying to reinvent the wheel. Right. We just want to take your existing processes.
Maybe tell you a little bit about what other folks are doing that are your peers or competitors, however you want to call it, and then make this as easy as possible for you to implement too. And we've heard so much like, I don't have bandwidth. It's like, well, awesome. Let us do the heavy lifting and get rid of that bandwidth issue for you.
Absolutely. But send us your questions, and myself or Scott or someone from one of our teams will reach out and help answer those for you. Happy to schedule a call, explore deeper. Whether you wanna use SecurityMetrics or not, no problem.
Happy to answer your questions and be a resource for you.
Or whether you currently use us and just have more questions, we're here to help. So we'd like to thank you for joining us on this webinar. We hope that you get some information out of it that just makes your day and makes things a little easier. Of course, we know you're gonna have questions. We'll be looking forward to getting those. We're gonna be sending out this recording so that you have it. And in that same email, we'll send you a link to the 2023 PCI Guide.
Thanks for joining us today, and hope to see you guys next time.