Watch to learn how to promote and simplify merchant compliance and benefits of outbound proactive merchant enrollment.
Having issues accessing the video above? Watch the video here.
PCI validation can be complex and confusing. To meet your program goals, increase and maintain merchant compliance, you may need a managed PCI partner.
With this in mind, we created this webinar, "What a Managed PCI Program Can Do For You," where we'll discuss benefits of a managed PCI program and pitfalls to avoid.
SecurityMetrics Director of Customer Success Scott Robinson will discusses:
This webinar was hosted on July 29th, 2021.
Good morning, everyone. Thank you for joining us for our webinar to this morning, what a managed PCI program can do for you. And this webinar will be presented by Scott Robinson.
He's the director of customer success here at SecurityMetrics.
Scott, can you tell us a little bit more about yourself?
Absolutely.
My name is Scott Robinson. I am the director of the customer success management team here at SecurityMetrics.
I have been with SecurityMetrics going on thirteen years.
I started on the phones helping merchants through the validation process. So I understand that process and the, the feelings that merchants have about the compliance process.
But for SecurityMetrics, I was an audio pathologist, so I help people with their hearing and hearing needs, which taught me a lot about bedside manner and, helping customers. And so I spent a lot of time doing that. I'm a father of five awesome children, a grandfather of eleven.
So I have lots of kids around me, so I understand, playing with kids.
I was a scout master for fourteen years. I'm a surfer, a skateboarder, a snowboarder, a snorkeler, a hiker, a camper, a gardener, and if you ask my wife, I'm just a little kid in a big body.
That is me in a much go.
Yeah. I love it. Scott's a great guy. We love him.
So without further ado, let's get this going. Shall we?
Fantastic. Thank you, Sarah.
Today we're gonna be talking about the managed PCI compliance.
It's a fully managed and simplified compliance product from SecurityMetrics.
Let's face it.
First of all, PCI is not fun.
We created the the managed PCI product to reduce frustration for both you and your merchants.
We want to free up some time for you and spend from spending all this time helping merchants and trying to guide them through PCI and to reduce your portfolio risk.
We understand that that this is a lot of information, and you're not all PCI professionals.
But that is what SecurityMetrics is here for. We're here to make your life a lot easier and also your merchant's life. We want to help them get through this process as best we can.
Next slide.
Unfortunately, most of your merchants aren't PCI experts, as I said, and neither are you. But this is where we come in. And so we are those experts. We wanna be really good at doing this. Our forensics team recently looked back over the years of data and found many merchants suffered breaches of that suffered a breach event had these contributing issues.
Merchants should have had a scan or a pen test, but never initiated. They didn't understand their their, systems. And so they they they thought, oh, if I don't have to do this, this will make it easier. But what it really did was stop the security.
And in this case, sixty two percent of them did not do what was needed to maintain their compliance and and get through this. Right? So they they ran into that problem. Even the basics like having an antivirus product, doing system updates on a regular basis, using unique credentials were ignored.
A lot of merchants still have these preset credentials that went in and never took them off, never changed them, which all it did was leave a door open because once someone figures out that you've you know, they they know these passwords that are preset, they just test everybody to see if they're using those passwords.
And one two three four five is not a great password.
And so they're ignoring the simple things that need to be done to help keep this from happening.
Next slide.
So what is preventing the merchant to become compliant?
It boils down to two main issues. One, knowledge of why.
Right? They don't understand that they think, oh, I'm a small merchant. No one's gonna come after me, but that's not true.
The the guys that are out there stealing credit card information, they don't care where they get it from. They don't care if they get it they'd love to get it in bulk, but if the big guys are making it harder for them to steal the credit card information, they're gonna go after the small guys that aren't knowledgeable enough about their systems and their environment to go after those and get what they can get. It's all in how it is. Right?
The old adage of find a penny, pick it up. Right? Every little penny you get adds up. You just gotta keep picking it up.
And so they're gonna pick it up from wherever they get it. And that's something that we get down to. So that knowledge is a big stopper for these guys. And time, especially a small merchant.
A small merchant's wearing fifteen hats. Right? They they wanna do their business. They wanna make their pizzas.
They wanna sell their clothing. They wanna get the money in the door because that's what provides for their family.
And that's where their time is consumed is running that business.
They're not understanding though the importance of what one breach can do to their business if it should occur.
So time is another big part of this that really makes it tough. So that knowledge of their credit card processing device, their network environment, what's expected of them to complete their PCI validation, they lack that. And that's where you come in, especially when it comes to, you know, what's expected of them, right? And the time they need to remove all those hats, that they wear as business owners and focus on the important part of reducing their risk and getting their assessment completed.
Next slide.
To help your merchants, with this new product, we're talking about going out and doing a very proactive outreach, not just emails, but outbound calls. Right? We want to scope them and set them up with the proper self assessment questionnaire. We want to complete the FAQ with them. Matter of fact, the option is, once we know what they need is, are you ready to get started, not go take a you know, our our normal process is to set them up, tell them how to log in to their their customer record, and go in and and start the process themselves, because many questions they could probably answer.
But we've said, hey, let's just start right now. If you have time, we have time. And so we'll ask them right then and there, are you ready to start your your questionnaire? Can we go through it with you right now?
If they say yes, then we're gonna start working on it. We're gonna start getting through the piece that they need. Right? If there's a scan involved, we're gonna set that scan up to run every quarter.
They're not gonna have to go in and push a button themselves.
It's just gonna run. Then they're gonna get notified if it passes or fails, and so that they know what they need to do to get through it. Probably the most important part of this whole process is some of the other products that we give that we give support to, and our support team is awesome. I cannot talk enough about our support team because our support team is there twenty four seven. Right?
They're always there. Even holidays, there is somebody there to help that merchant answer questions, get through things. Heaven forbid that they wanna do it on Christmas, but some do, and so we have some we have people there ready to answer their questions and get them through that piece.
But the idea is that we're there. There's always someone to answer. There's always someone to get through them.
Your part of this is very important. Matter of fact, probably the most important thing is to make sure that you have educated your merchant about the partnership for PCI, who you're working with, because today's merchants are really skeptical.
They think everything is phishing. I mean, absolutely everything is a phishing attempt.
And so when someone reaches out to them directly by a phone call or by an email and they don't know who you are, even though we say we're a partner of yours and we've been tasked to help you, they're weary. Right? They are we are not you, they are very weary of us. So it's really important that as you are getting ready to do your PCI or if you're already in the midst of your PCI, that you have a website that talks about PCI, the partnership that you have with your vendor, and your expectations about the validation of compliance for the merchant.
That that has to be there, and it has to be on the website, not behind a password, because most merchants don't remember their passwords all the time and so they don't tend to if they start to go there and can't remember it, then they gotta go find their password and then they forget to go in and go do what they need to do because they're frustrated they they don't remember their password. So, it's really important that that message is out there in a spot where they can get it. It should be in newsletters, if you have newsletters for your merchants. It should be in statement messages.
It should be a message that has repetition behind it, and that repetition is very, very, very important. They don't remember the first time, they will likely not remember it the second time, By the third time, they're gonna go, oh, I remember seeing something.
And then the more you do it, the more they go, okay, I know who these guys are.
Even for us, once they become enrolled and they get compliant and if they have only an SAQ, we aren't really gonna talk to them until it comes time for renewal.
And some merchants don't now who are you again? That's probably the most common thing I heard on the phones. Who are you again? And I had to explain to them that we did their PCI compliance last year, they had an SAQ, I had to give them a bunch of information to kinda get their brain thinking about it after I validated who they were to get them back up and running again. And so it's an interesting problem for the merchant because, like I said, their mind is in so many different places about their business.
PCI is not on the top of their list.
And I dare say even for your teens, it's you're probably wearing four or five hats as well, and PCI is likely the last hack you wanna worry about, but probably one that causes you the most angst and time of your day because you're getting merchants calling and complaining, and your reps are saying, hey, my merchant's upset, and we're gonna lose this guy, and then that starts off this whole conversation.
Next slide, please.
So our team of experts will help them through the process and from start to finish, that merchant, and help you through the process of reporting and understanding what you need and helping you when somebody says, hey. This we think this merchant's on the wrong SAQ. Alright. We're gonna go back and and rescope and find out where it went wrong.
Unfortunately, we can't see the merchant's information and their network. We don't we have to go off of what they tell us. So the questions we ask are very in-depth and we're looking to get that, but we have experts here. We're good at what we do.
We've been doing it a long time and we're ready to help merchants through it, and we can do it very, very easily. Becomes very personal, especially with the personal touch that we have on your side and our support team on the other side. They are very much, even when I call up to support, it's interesting. I'll call up to support and and say, hey.
I'm seeing this problem, or this merchant has an this issue. Can you tell me more about it so I can understand and and get back to our our our bank or our partner and let them know what's happening?
And every call ends with, is there anything else I can do for you? And I love it because it it isn't just an external thing, it's an internal thing. They're that awesome. So it's really, really good to to help go through this and make it happen.
Next slide, please.
So now we're talking about the, the outbound productive proactive enrollment. So like I said, we're we're gonna email merchants to try to start the conversation. If anybody has ever worked in a call center knows that, it's roughly six calls before a person is going to respond to that, even if you say, hey, this is this is something that we've been asked to do.
I know how I am when somebody calls me. I'm one of those guys that when I get a call out of the blue and I didn't initiate a call, and I hear the guy go, hey, this is Mary or the this is John. I've got a, I'm just calling to talk to you about your insurance.
Well, John, I didn't call you, so who are you? What insurance company? And and especially when they give me just their first name. First name alone tells me they're a salesman.
But if they say this is John Moore, I'm from State Farm, and I use State Farm, I know who I'm talking to now, and I'm willing to talk. Right? And so the more that they understand us on these calls, they know it's coming, that who we are makes all that difference on this. So we're very we're very good at reaching out and going after them.
We do a very good account validation. We wanna know we're talking to the right person.
And so that we don't get a mistake of calling somebody or somebody calling in and and getting into the wrong account and trying to find something different.
We have a tool that we use called FastPass, which is a fantastic tool. The tool was designed to get the merchant to the SAQ as quickly and efficiently as possible, and that's the correct SAQ.
And then try to pre answer as much of that SAQ as we can, either through your knowledge of the product or the developers of that product's knowledge. If we can get that information from them, then we try to prepopulate as much as possible.
And that's the same with our internal call people. We are trying to get them to the correct FAQ as quickly as possible. And FastPass also gives us the ability to to glean more information from them.
Education of the merchant is top of the list.
Educate, educate, educate. You can't do it enough and feel good about it. Matter of fact, when I was a team lead, the first thing we did after we found the merchant in the system, understood who they were, we were on their correct account, we've done the validation.
Our first question is, what do you know about PCI?
And even if they said, oh, I know about PCI.
Great. And you understand this about PCI. Right? We we would reframe it to them just because we wanted to make sure they truly understood PCI.
And so we're educating the merchant constantly about why they're doing this and what they're doing this for. And if I reviewed a call on my team, where the merchant at the very end said, now why am I doing this?
Then we immediately would go back and look at what was being said to make sure that we're not talking too quickly, we're focusing on the the important parts, we're listening for clues of understanding and lack of understanding, so that we can help that merchant and educate that merchant.
And then as we scope them, and we understand, you know, the whole idea behind the scope is to assess their security needs, determine what products need to fit so we can configure that product and then get them started in the process by teaching them how to log in or taking them, in this case, straight to, our support team to help them do that SAQ and get them started moving forward and going down that path.
Next slide.
So we have, like I said, that continuing merchant education happens all the time. We don't we don't waste time.
We're wanting to make sure that at enrollment, we're doing everything we can to help them get through this process, make sure that they understand why they're doing it. We wanna help them understand the products that they have, what those do for them, and get them down to that certification. We wanna make sure that we've got them understanding the importance of what they're doing and why they're doing it. It isn't a checkbox exercise.
Matter of fact, one of our partners we had a partner in the UK that would call us up and say, we see that this merchant had enrolled on Monday morning at eight o'clock, and by eight thirty, they had completed SAQD.
How did they do that, right?
They were very they they knew that an SAQD could take up to four hours with somebody who knows what they're doing, and knows all the information.
But for an average Joe to get through it in in thirty minutes, they're just checking boxes. They're not really keeping their eye on the security aspect of this whole thing and the protection of their business. And so that was something that was very important to them to understand that this was happening. And of course, we follow that up with notifications on threats, on on failures, on scans. If an SAQ is not completed, we're we're letting them know that it's not happening. We'll do that by email. For the managed PCI program, we're gonna follow those up with phone calls, including to the point where we get to recertification.
Right? Because we don't want them to fall out of compliance and we wanna keep it in the forefront. So we're gonna reach out to them early to say, hey, you're coming up to this point in this process, it's revalidation time.
Have you changed anything in your in your processing methods? Have you added a new device? Is there something that we don't know?
And gather that information, make the adjustments that are needed at that time, and then get them through those questionnaires so that they can stay on the compliance path and keep moving forward.
Next slide.
So we're our as your PCI experts, our goal is to reduce the time and effort that you are currently spending helping your merchants, and we're hoping to reduce the time and effort it takes for your merchants to get things done.
Our system has been set up we've done a lot of little things to our system to help make this easier. If any of you have looked at SAQC, you know that the very first question is firewall.
The average merchant isn't gonna know anything about this.
Ninety percent of them don't even have their own IT guy, especially in the that small merchant range. Right?
Their nephew came in and put the system together for them and then left for college, and they don't have anybody on retainer, and he doesn't answer his cell phone, or he says, ma, I'm in three states away, I can't even get to you. Right? And so, they don't know that question. They don't understand that question whatsoever.
Our team will talk them through it and help them find out what they need and do the best that we can. We're not sitting there, so we can't see all of them, but we're gonna point them in directions. We're gonna try to get those questions answered for them as quickly as we can. That way they know what to do, right?
And so we're working to do that on a constant basis. We want them to get through the process. We don't want them to have to struggle to do this. But that's what we're doing, is we're giving them an understanding of those questionnaire.
So instead of giving it in order of the hardest questions first, what we've created is something called easy order, where we present the SAQ to the merchant with the sections that are the easiest sections to complete.
And the reason we do that is because if that merchant opens up to question one on firewalls and can't answer it, he's likely not gonna call us. He's gonna call you, and he's gonna complain, and he's gonna gripe about the fact that you're making him do this. Right? And so, we've ordered the SAQ into an easy order. We give our our support team sat down, looked at all the data, and said, these are the sections that we help merchants with the most.
They're the worst ones. Right? And these are the easiest ones. These are the ones where the merchants go, oh, yeah.
I got that one. I know all this stuff. Right? And so we we worked it so that the order of the FAQ is presented from easiest to hardest.
And it does two things for us. One, it reduces the phone call to you and the angry merchant. Right? It's kinda like at school when you go and learn something.
You learn the easy step first. It's a step by step, precept on precept idea. Let's move with smaller steps until we build into the bigger step. You learn it.
I mean, in elementary school, we don't start out in geometry, we start out with addition and subtraction. It's just how it works. We build our confidence, we build our strengths, and so that we understand it better. We feel better as we move along, and we start going, oh, well, I answered that question, so I I can probably answer this question.
And then they keep working up that path. Right? And so that easy order SAQ was something that we did that made it so simple and reduced a lot of problems, and that was something we did after discussing things with our partners and figuring out what what we were all noticing about this issue. And so it's something that works.
But that's what we're here to do. We're we're here to reduce the merchants' issues. Right? We're trying to simplify this process.
Help them understand it, not simplify it to the point that they still don't understand what they're doing. That's why we're always educating, but simplify it enough that they have the knowledge, they know how to do it, we're presenting them with questions that they can work their way through a little easier, feel comfortable about it. Then when they get to the hard questions, they're more apt to hear us. They'll stop, they'll listen, they'll look at what's going on, and then they'll go, Oh, okay, I understand why you're needing this, and it makes sense to them. Next question.
In our next slide. Thank you.
So the managed PCI for our acquirers, you know, we're looking to reduce the number of escalations that are coming to you and scorecards that calls that you're currently handling, provide you with the management tools, our partner plus portal, where you can do get all your information, pull your reports, pull out certificates, everything is at your hands. You don't have to call us and say, could you email me their certificates? You can go in and get your certificates for your merchants if you need to. You can see their SAQ, you can see the answers that they've provided, you can get their attestation, you don't have to to tell the merchant, hey, can you email me that?
You can go and get it. And then you've got this team here that's looking to help you, right? And so, those two things make all the difference to the world. We want your reporting to look good, we want you to look good to your bosses.
That's one of the things we're trying to do as well, is make you shine and make the program be successful and look for potential revenue streams.
If there's a way to augment what's happening in the company for for doing PCI, let's augment it. Let's figure that out. Let's make sure that we're doing things that work for you.
Next slide.
We assign, you a customer success manager, that's my team. We'll bring you in, we'll do an implementation call, we'll talk about data and how the data works and what data we need to get the program started. We're gonna help you with communications so that we understand how the communications go out, how you'd like to see it work, what works. We have, you know, years of emailing customers. We know how this works and what works best, but it's also your communication campaign. So we wanna help with the verbiage and see what we can do to make it feel like you, look like you, have the merchant feel comfortable when they receive it, they don't just throw it in the trash and walk away.
We have the tools such as FastPass that make a difference and and, like I said, scoping that merchant and and finding out exactly what SAQ they need as quickly as possible with less chance of making a mistake and getting thrown into an SAQ that is very, very difficult to get through. FastPass also, interestingly enough, is a tool that you can use.
You can ask a question such as, have you thought about updating your product, your current product?
And if they say yes to that, we have something called touch points.
Touch points are set up so that when a merchant answers that question yes, somebody on your team gets an email that says this merchant said yes to this question. They're interested in upgrading. Now your reps can reach out and discuss making a change to their product, and that is a revenue generator. Right? And so we have people asking questions. Questions like, you know, are you are you interested in changing or updating your product? Are you interested in doing anything in ecommerce?
Are you, currently using another processor for part of your business?
We had several of those that question has been thrown to several fast passes. And it's amazing how many times they get, yes, I use multiple processors.
And so, they're able to go in and say, why? What are we not doing for you that we can't have that part of your business? Right? And so FastPass and TouchPoints together is very, very unique.
And and as far as I know, nobody's got that one but us. But it works and it works very, very well. And so there's lots of options with those two piece. And, of course, our partner plus portal can give you so much day more data than you need, actually.
People will start looking for data and figure out how that data works, and my team is there to help you with those reporting. We'll help you create them. We have a report scheduler so that you can schedule your report if it's something that you wanna pull every Monday. It'll run that report for you every Monday, and you can go in and pick it up and look at it, or you can email it to somebody, and that keeps that, makes it a little simpler for you, right?
We talked about freeing up your time, that's gonna free up your time, that's gonna let you go forward and do other things. And so it it is a fantastic portal and does a lot of awesome things to it.
Okay. Next slide.
So with compliance, when you have a fully managed PCI, compliance, we're helping with the questionnaires, the concerns, we're we're trying to help that merchant become compliant. Right? We're getting the questions answered, we're reducing their stress, and we're getting the compliant, and they're becoming happy with this process.
I can't say enough about that. There's something nice when when we use, NPS in the portal, we actually give you that so that you can see what merchants are saying about the process.
And most of the time, that is is about us, it's about that process, and some of them are good, some of them are bad, some of them are they hate PCI, but it's more of a general PCI thing, not so much the help that they receive from us. They just hate PCI.
Some of it's about you. They'll complain about fees and fines and and different things, or I'm calling, but I'm not getting any answers, and it turns out that they aren't calling us. They're trying to call your teams, and no one's answering the phone.
You see that within that NPR score that's in the portal. But But we're getting them happy. And once we get them happy, and they're secure, and we've reduced their risk, security is a very big part of it, right, they do much better. We don't have to worry about that breach protection. We don't wanna have to worry about them losing their job, you know, their their businesses, their revenue to their family and taking care of them. And and when they're compliant and they're secure and they're comfortable, they're going on vacation.
They're going places because they can step away knowing that they've got things handled. That's a big deal. And a part of that is also the security part of this. We have a threat intelligence center. We have, managed reports, breaches. We'll help them with we We have a whole team that does stuff that helps them understand what's going on. Or managed firewalls will let them know when somebody's attacking.
So there's there's other possible revenue there from these other pieces of security that we contain in our system. Our security based products help to secure the merchant's environment, and they can provide a revenue stream that's good for you. So that's something to think about.
Next question, or next slide.
Questions. Yeah. We're there. Next questions.
Thank you for that presentation, Scott.
Excellent job.
We're gonna take the next few minutes and just answer some of the questions that have come in and, so here we go.
I think you've kind of touched on this already, but what are some of the ways to get merchants to be more willing to participate in PCI compliance?
You know, it really comes down to the education to the merchant.
I know when I was in the hearing industry, people would come in and they'd say, you know, I my first question to them was, why are you here seeing me today?
And ninety nine percent of the time, they would say because my partner told me I had to be there. Right? They didn't wanna say I'm having a problem. They just said my partner said I had to be there. And I kind of equate that to your merchants. They're they're coming in because they said you had to do this and you're fining them. Right?
And so merchants aren't getting the message.
They're not getting the understanding that number one, the reason you're having them do compliance, yeah, yeah, you have to do it because the card brands are telling you to do it, and they're telling us to tell you to do it, but it's also about protecting that business.
You're really there protecting them. And they need to know that because as far as they're concerned, it's just a money grab. Right? That's how they view it.
You're charging me for this. I don't wanna do this. It's a money grab. And so, their view of it is is horrible.
But the more you talk with them, the more you explain why they need to do it, that you're protecting their business and their opportunity to make money and provide for their families, they start to grasp that. They get that this isn't just about money, you're caring about us. I had a I had an insurance company that I my daughter got into a wreck.
And I know that my insurance company was notified that my daughter got into a wreck and that my jeep was totaled, right, and just wiped it right out. And so, luckily, everybody in the car was safe, but I never heard from my insurance company.
I never heard from them. They never called to say, hey, how are you doing? They never called to say, is everything okay? They never checked to see what they could do to help me. I don't have that insurance company.
I walked away from it after thirty years of being my insurance company because one wreck caused me to stop and go, hey, you really don't care. Right? You didn't say anything to me, and then when I was battling the because the wreck wasn't my fault or my daughter's fault, it was the other person's fault. I had to battle to get what my jeep was worth, and that takes work, and they didn't help me.
So, I didn't have that, they're no longer my insurance company. Your merchants are feeling the same way. Matter of fact, the most common thing out of a merchant's mouth is, why am I doing this? Why isn't my bank doing this?
This is their tool.
So right off the bat, it tells me that the merchant isn't educated to the fact that this is about how they handle, store, and process credit card information.
It's about them having knowledge about what needs to happen with their systems and how to protect it. And so education. Educate, educate, educate. Can't say it enough. The more you tell them, the more they understand, the better they do.
Awesome. So, our next question, what does your managed PCI program reporting process look like?
So as far as that, we have inside the tool, we're gonna tell you who's who's enrolled with us either with managed PCI or without managed PCI. So you're gonna see the difference right off the bat of who's actually got into that, whether it's a part I should say, if the product is a part of your program, then they're all gonna be coming under managed PCI. If it's something you're allowing the merchants to decide whether or not they want, then you're gonna see both. And and we're gonna report it through the the console just like we always do. And so when a merchant gets enrolled, it's gonna update that console. You're gonna know immediately when they enrolled and and how they enrolled. You can query that information.
As scans run and pass and their compliance status changes, that's a live update. You'll find that console. You can query it. You can see it.
You can touch all of that pieces. And so but we're gonna break it out and get it down to the nuts and bolts of, you know, we'll get as as low as you wanna go as far as how detailed you wanna get, but it's all in that portal. And that's again where my team helps you. If there's something you're looking for, you're not quite sure how to find it, we're gonna teach you how to find it.
We're gonna go through and look at that and see, but it's Partner Plus portal is gonna become your best friend.
The portal allows you to also track your merchants' compliance.
If they're not even using us, you can go in there and fill out some fields and then track your entire compliance under one portal. So that is also a very nice feature. It's been used by all of our partners to track their compliance in one place instead of going to two and three places to get the information.
Thank you. Okay. Next question. How can you help me reach my goals as a PCI program manager?
Oh, great question. So one of the things we're doing, with all of our partnerships, the team we we've seen lots of different things. People have tried a lot of different things.
We know what works, what doesn't work. So when we start talking about communications and talking about ideas and plans, we really start looking back into things that worked and haven't worked. So we're talking about making changes all the time, whether it's verbiage to emails, whether it's the schedule of emails, how many you send a day, whether or not your your IVR tree at your your call in number points back to us because that would that will relieve a lot of your your calls into your business.
When the merchant calls in to talk to you and they they are if you're calling about PCI, press one. They press one and it shoots them right back to SecurityMetrics, then we can sit down and have that conversation. They start to realize, wait a minute. I called my bank's number and got to you, so I must have to do this. Right? And so we're looking for that all along the way.
I'm looking for people when they come in, especially when they say my goal is to get a hundred percent compliance, I always kind of chuckle about that because there's really never a hundred percent compliance just because of the complexity of the programs and the way compliance works. A merchant can fall out of compliance by a scan. Scans aren't every merchant isn't enrolled the same day, compliant the same day, so merchants are falling in and out of compliance along the way just based off a scan running and failing or a change in their SAQ answer or something. So a hundred percent compliance isn't something that I when I hear that, I just go, okay. Let's educate you on how this really works.
But when I hear people say, you know what? I'm really looking for this goal. In six months, I'd like to be at thirty, forty percent compliant. In nine months, I wanna be at sixty percent compliant.
Then I got something tangible and we sit down and say, okay, let's talk about your communication campaigns.
How often are we gonna be sending? How many merchants do you have? What's your call center like? Are we gonna be able to if you do get calls, and you will, how do we how do we try to mitigate that as much as we can to to get them to understand who we are and that this is a part of it. So we're looking at the education portion on your side and our side.
Are you doing leave behinds when you talk to a merchant? When you have your your new merchant start up packet, is there something in there that's dedicated to what PCI is, who you work with, why they need to do it, what's expected of them as far as getting compliant and timelines?
And and then, unfortunately, sometimes you need to have a stick to move. I don't know if you've ever played with a donkey. Have you ever played donkey basketball or seen that?
That is the most stubborn beast in the world, And everybody that comes on the top of the donkey knows that the donkey is not gonna do what you wanna do, it's gonna do what it wants to do.
And so and you throw a basketball into this whole thing and it turns into the one of the most hilarious things to sit and watch. But you do not get a donkey moving sometimes without a switch. There's just no way to get them going. You can you can make noises all you want. You can, you know, pull on the reins all you want.
You can climb off the donkey and and try to lead the donkey, and if that donkey is stubborn, he is not going to budge. That's just how a donkey is.
Merchants are much like that. They aren't gonna budge unless they know. So you you have to sometimes use that stick and that switch, and and it comes in the ways of non compliance fees. That's how most people do it, and those range in in anywhere from as low as five dollars a month that I've seen, as high as a hundred and fifty dollars a month in a graduated fashion, where they started out at fifty dollars a month. And then after six months or three months, if they weren't compliant, they went to seventy five dollars a month.
And so, I've seen it go all gambit. I've even had some of our partners talk about giving, instead of a punishment of a fee, they reduce their fee for processing if they become compliant. So now they're dangling the cube out there of sugar to say, hey, come get this, And if you do this, you get this cube of sugar, we're gonna drop how much we charge you for your processing method.
So we have some of our partners that are saying, we're charging a little higher fee at the beginning, and then saying, once you become compliant, we're gonna drop you to here. And so we we were seeing different things across the board, but we'll have that discussion as we get in there to see what we can do to help make this work. We want you to be successful.
We want you to shine. That's the whole idea behind this. If you look good, I look good. I like looking good.
Alright. So we have one more question.
As a manager of a compliance program, what's the one piece of advice you would have for me?
Oh, educate. Educate that merchant all day long, and, you know what? That that is. That's the biggest part of it, but the second part of that is usually when we when we have a new partner come on, we try to set up a weekly phone call. And the reason I set up the weekly phone call is I would rather stop any issue coming up before you've chewed on it for six months and then decided to tell me about it. Because we'll have partners that will say, oh, can I just call you when I need your help? By the time they call me, they are so frustrated because they they let something fester.
I would tell you, a regular weekly contact, especially right at the beginning of the program, is so important to make sure everybody's firing on the same line of thought, right? I wanna know and understand what it is that you're trying to accomplish with your program.
I want you to know that I know that.
I want to be able to ask you questions to make sure I'm on that same line with you.
And if an issue comes up, we squash it fast. It's okay to have a merchant complain, we just don't want them all complaining over and over and over again, so let's figure out that problem and fix it. It's the fail fast method. I'm a I'm a bit of a space nut. I watch everything about, SpaceX and their Starship flights.
That's one of my nightly little nightly routines before I turn off while I go to bed, is I'll watch any video that pops up about that.
The amazing thing about that program is that they have had every test in the beginning is a failure, but the idea behind it was fail fast and fix the problem.
And as he's progressed since I've watched started watching this, they have had more testing than NASA ever did.
They've had more failing than NASA ever did, but that's because of the test ratio, and they're getting more and more success than NASA ever did when it came to getting those machines to work the way they should have worked. I mean, you look at the first rocket flight, it blew up the week before they fired it off with a guy on board. That'd be pretty scary. Right? I want to do the same thing. Let's find out how things are going and keep that in our mind early.
Let's take hands and walk the path together. There's nothing worse than trying to walk a path by yourself.
Let's work this thing together. Let's figure it out. So a weekly call in the beginning, as a matter of fact, I'd love to see it. I have partners that have been with us for years and we still have that weekly call.
Sometimes they're long. Sometimes they're fifteen minutes of how you doing? Any problems? Nothing? Awesome. Is there anything we can do for you?
Nothing? Awesome. How's your family? How's your kids? How's, you know, your parents doing? We have those relationships because we talk.
I wanna make sure that we have that relationship, that we can talk about those issues. And having that weekly call is important.
That's what I would tell you to do. If you're not with us, you're with somebody else, have that weekly call. If you're with us and you've said, I'm gonna go to just once a month. Right? Or I'll call you. Get back to the weekly calls. You'll find that, yeah, they don't have to be long, but they'll make a difference, and we can talk about the things because you don't always remember between calls.
You you go weeks before having another call, you're gonna forget that you wanted to talk about redoing the email campaign verbiage, making a change, or changing how you wanna send them, or how to how to segment your groups so you send different groups different messages. You've thought about it, you maybe wrote yourself a note, but you never had the call to talk about it. And then you wonder why you didn't do it, right? So we wanna we wanna have those conversations, we wanna help you move forward.
That's my long winded answer.
With that excellent piece of advice, we're going to end today's webinar. And just to remind you all, we will be sending out a recording of this webinar to anyone that's registered.
And thank you so much for joining us today, and we hope you have a wonderful day. Thank you.
Thanks, everybody.
.svg)
