What I've Learned From 10 Years in PCI Compliance Programs




Scott Robinson, Director of Customer Success

Scott has been working with customers for over two decades, and specifically with acquirers and merchants in the PCI DSS space for over ten years. He knows what makes a PCI program work and what makes it fail. Scott drives home the importance of defining your vision specifically as an acquirer, getting all parties on the same page, and understanding the tools and help that are available to you as a SecurityMetrics partner. 

“At the end of the day, helping your merchants maintain their livelihoods, provide for their families, and enjoy their free time without worrying about a looming catastrophe feels good.”

This webinar was hosted on September 23, 2020, as part of SecurityMetrics Summit 2020.

Transcript of What I've Learned From 10 Years in PCI Compliance Programs

Hello. My name is Scott Robinson. I'm the director of the customer success management team here at SecurityMetrics. I've been with SecurityMetrics for almost twelve years now and have more than forty-one years of customer service and customer success management experience.

Today, I'd like to pass on what I've learned after eleven years of managing PCI programs.

One thing that gives me real satisfaction is knowing that our efforts in working with your customers ultimately result in fewer data breaches.

Helping your merchants maintain their livelihood, provide for their families, enjoy their free time without worrying about a looming catastrophe in their business feels good at the end of the day.

As we help customers improve their data security posture and quickly seal up any compliance gaps, it gives them the confidence to validate to the various standards that they're subject to and that provide protection.

When I began at SecurityMetrics, my belief was that all partners wanted the same thing: to increase security for their merchants.

Over time, I realized I'd forgotten the main priorities of all businesses, which are to increase revenue, decrease attrition, and increase customer loyalty.

These are always on our mind here at SecurityMetrics, which is why we have revenue share options. We try to make the PCI process as painless as possible, and we want your merchants to experience the same outstanding customer service that they receive from you and your team. It takes teamwork to achieve these objectives.

The three topics I'd like to discuss today are program objectives, education, and communication.

These three topics are the most important when it comes to a successful program.

Over the years, the reasons for a PCI program have ranged from "we just need a program" to "we really care about our merchants and their business, and we want to provide great value through our PCI program."

Program objectives can run anywhere from "we just want to get the card brands off our backs" to a clear-cut merchant advantage with our PCI program.

What are your program objectives?

The most common objective we hear is we want a hundred percent compliance.

My reaction to this objective is it'll never happen.

It's not that your merchants won't become compliant, but because they don't all start their compliance on the same day and get compliant on the same day, it never will hit a hundred percent.

There are too many opportunities for a merchant to fall out of compliance.

They may change their processing method, which means they need to go through a re-scope and re-setup with a different SAQ.

The merchant may enter their SAQ and change an answer that would cause the SAQ to go from compliant to a failing status.

A scan may run and fail, and it may take a couple of days for that merchant to rectify the issue.

One of our partners gave us that one objective and was surprised by my answer.

After we talked about the objective, we came to the conclusion that what he really wanted was to reduce their liability.

We came up with a plan, and that was to segment their merchants by risk and focus on communication and outreach based on this risk segmentation.

Email campaigns were designed for each group, and a date was set for the start of the communications.

We started emailing the high risk merchants first and followed up with outbound calls.

We met weekly to make sure that we stayed on the plan. As the email campaign was completed for each group, we moved forward to the next group.

As the year was winding down, we discussed sending more emails to the final group to make sure that all merchants had received an email by October first, knowing that most businesses look forward to the last quarter of the year to fill in their revenue gaps.

Six months after we started the program, we had an enrollment rate of ninety-five percent and a compliance rate of ninety percent.

That was a success.

What are your program objectives?

Is it to have a program to keep the card brands off your back, reduce your liability, provide a value add to your merchants?

What are your key results for measuring success?

Setting your objectives early, communicating them to your PCI vendor's security customer success manager will ensure success.

You should always have a weekly call with your customer success manager to make sure that everyone's on the same page.

Issues will be discovered and discussed early before they become bigger problems.

The call helps to make sure that together, we are doing all we can to reach your objectives.

The SecurityMetrics customer success management team has been with SecurityMetrics an average of almost nine years, and they've helped many programs meet or exceed their program objectives.

I am confident that we can meet your objectives.

SecurityMetrics has an award-winning support team that is available twenty-four seven to help your merchants with any questions that they may have about completing their self-assessment questionnaire or PCI scan.

They are the key to helping you decrease the number of calls to your PCI team and increase your program success.

Over the years, we have listened to our partners, looked at the data from our teams, listened to our merchants to find ways to improve and simplify the experience.

For our partners, we built Partner Plus Portal to provide you the best reporting tool available.

We created Masquerade to allow you a more hands on approach in helping your merchants.

We created FastPass, which is customizable to help your merchants get to the correct SAQ with as little chance of an error as possible.

It also gives you the ability to pre-mark the SAQ based on your knowledge of their products.

You can also use FastPass as a way to validate merchants using card brand validation options like TIP.

FastPass can be used as a marketing tool. With the touchpoint options enabled, you can get an email when a merchant answers a specific marketing question in a specific way so that you can follow up with the merchant.

We created easy order FAQ to build the merchant's confidence in starting the SAQ process, reducing the number of frustrating calls from merchants to your team.

We also simplified the language for the merchant, to get it into verbiage that they would understand.

Making sure that these objectives are agreed upon, starting at the top with your executive team, keeps everyone moving forward, especially when restructures occur, when budget constraints are raised, or when resources get reallocated.

Setting realistic goals that stretch everyone helps us stay focused and on the path.

Your customer success manager has experience.

Use them to create a program that's successful.

Ask questions.

If they don't have the answers, they know somebody that does.

Education is the real key here.

As an audiologist, I learned very quickly that nobody wants to believe they have a hearing loss, especially men.

They were quick to blame everyone else for their lack of understanding.

"People talk to the wall instead of me." "They mumble." "They whisper." "They talk too fast." Those were some of the excuses I heard.

After I listened to my patients, I started to focus my discussions on educating them on how the auditory system worked.

I didn't stretch anything.

I didn't blow it out of proportion. I just gave them good information and an understanding of what was happening to them and why it was happening to them and what could be done to improve the quality of life.

When I came to SecurityMetrics, I applied the same strategy.

Educate the merchant.

Don't scare them, and they'll take your hand and they'll walk down the path with you.

But this is not just about educating the merchant. It's also about educating your staff.

More education equals fewer complaints on both sides.

The biggest issue I've heard comes from sales reps. If they don't understand why PCI compliance is important, they will never get behind the program. They will be your biggest complainers and the cause of your stress.

Educate them. Help them understand that PCI compliance may help them put their merchant into a technology that decreases the merchant's PCI requirement and increases their revenue.

Anyone who could ever talk to a merchant should know the PCI basics: the name of the PCI vendor that you've partnered with, how to point the merchant to the company's merchant PCI educational information, and how to direct the merchant to a PCI vendor or internal PCI program team.

The second issue that most programs run into is that someone at the office has not heard about PCI, the vendor, or the requirement that the merchant must be compliant.

An example: a merchant speaks to the teller about an email that they've received. The teller says, "That sounds like a scam to me. Don't respond to the email."

The merchant now is convinced that they don't need to do PCI, and your objectives have hit an obstacle.

Internal PCI training is so important that your customer success manager should be able to help you.

I prefer that we do this kind of training before you start your program, and I would be happy to do this training anytime you feel the need or have excessive turnover in staff.

Educating your merchants about PCI is the next essential step. Your merchants need to understand that you care about them, you have their business welfare in mind, that you want them to be successful.

Your merchants need a basic understanding of PCI: what it is, why they need to become compliant, and who the PCI vendor is that they will be working with.

Knowing where they can find information from their trusted source, which is you, is important.

Ongoing education is essential as the PCI requirements change.

This education will ease your merchants' fear about the process and help them understand the expectations you have for them to become PCI compliant.

You will hear fewer complaints and experience less attrition in this process.

More PCI education equals fewer complaints.

Along with education about PCI comes the communications about your program.

Education and communication work hand in hand and are vital to a successful program.

You can never assume that your staff or your merchants know what to do when it comes to PCI compliance.

Communication keeps people from assuming.

Like in life's relationships, when people assume, they usually assume incorrectly.

Communicate, communicate, communicate.

That's the key to maintaining a relationship.

There should always be some kind of PCI information in your employees' newsletters, at meetings, in places where your staff may take a break.

If you have an employee website, PCI should always be a talking point.

Dale Carnegie once said, "Tell the audience what you want to say, say it, then tell them what you said again."

Repetition is the key to learning.

Staff churn could be one of the hardest issues to deal with, but if you keep the information in front of them and follow up with trainings, it will be heard, understood, and recalled when needed.

Your communication campaigns are another step to educating your merchants and informing them about PCI, what is expected of them, and when it is expected of them that they start the process.

We suggest the first contact about your PCI program for current merchants should be in the form of a letter. When information comes on your letterhead, it's important.

The letter will likely be read.

For new merchants, a leave-behind is a great start to having a conversation about PCI and letting them know that more information will be coming.

Following the letters and leave-behinds are email campaigns: the education of the merchants about PCI, your PCI vendor partnership, what your next steps are to be, and a discussion of the risks and consequences of noncompliance.

Your PCI vendor should be able to help you with this.

Don't be afraid to update your message to your merchants when you have to. Freshen it up a little bit. Be more direct about your expectations.

Make it feel like you care about them and their business.

Merchants are busy. They wear many hats at their business. PCI is going to feel like a disruption to their ultimate goal, making money.

They may not have read the one letter, and they'll likely skim through the first email, but they may read the next one, or the next one, or the next one.

Remember that when it comes to communication, repetition is key.

Statement inserts are a great way to keep the merchant informed on PCI expectations.

Adding your vendor information next to the noncompliant fee will help the merchant remember the letters and the emails that have been sent.

Your website should be a place that your merchant can go to get PCI information as well.

This information should not be hidden behind a password or links. It should be upfront. If it's upfront, it's important.

The less difficult it is to get to the information, the more likely it will be consumed.

Your phone tree is a great way to communicate to your merchants about PCI.

If there's a PCI option on your IVR that points back to the PCI vendor, the question of validation becomes moot.

Your IVR number should always be on every communication sent to the merchant; this will help reduce the questions that you and your staff have to handle.

Your PCI vendor should be able to help you with your content needs for educating your merchants and your staff about PCI.

Here at SecurityMetrics, we have a marketing team that has built an extensive library of PCI information in the form of white papers, videos, and blogs, and they're happy for our partners to use them.

Your customer success manager can help facilitate this if needed.

Here are the keys to a successful email campaign. Remember, this is your program. Therefore, it's your campaign.

That said, make sure that your emails feel and sound like you, but keep these five key pieces in place for success.

You've probably heard this quote before, but it's true.

At the end of the day, PCI compliance is about helping your merchants maintain and continue to grow their business.

When your merchant experiences a breach, customers complain, lose faith in the merchant's ability to keep their information secure and safe, and go elsewhere for products and services, which could end with the merchant closing their business.

It's not something we want to see happen.

I'm happy to answer any questions that you may have.

Feel free to contact me at any time. Thank you.