An outline for starting a successful PCI compliance validation program.
The Payment Card Industry Data Security Standard is required of all entities that process, transmit, or store payment card data. Within the industry are varying threads of accountability for validating compliance. Validation is the act of providing evidence or attestation of compliance. An entity can claim to be PCI compliant, but validation of such requires additional activity.
SecurityMetrics began their first mass compliance program as a pilot program, with a card brand in 2004 (prior to the formation of the PCI Security Standards Council). The objective was to contact thousands of merchants, ask them some security-related questions, then perform vulnerability scans against their public-facing internet connections; this is still the essence of mass PCI compliance programs today.
Over the years, SecurityMetrics has learned what works and what doesn’t work for large-scale PCI compliance programs. This article is intended to share those lessons, and help you leverage the key principles of success that have guided our efforts and allowed us to help our partners attain merchant PCI-compliance rates as high as 95%.
Focus on success from the beginning
Naturally, merchants are focused on their businesses, and often see PCI DSS compliance as an extra hassle on top of their already long list of responsibilities. They may even feel that because a vendor sold them their payment solution, the vendor should cover PCI compliance. Getting affiliated merchants on board can start to seem like an uphill battle.
Entities that are intent on succeeding with PCI validation for their affiliated merchants are willing to put in the effort required to see the project through to success. We work with some partners whose goals include 100% merchant compliance. We also work with partners on the other end of the spectrum. But, we've not seen an organization achieve substantial success without significant effort, the willingness to communicate challenging messages, or the willingness to enforce validation.
A note about executive support: SecurityMetrics’ experience with more than 100 organizations considering PCI programs demonstrates that the greatest challenge to a lofty PCI compliance validation goal is executive support. Executives are accountable for the financial success of your business. Without their participation and full support for attaining significant PCI validation success, your program is unlikely to get off the ground.
For purposes of discussion, we will assume that you have executive support and we will focus on the other principles needed to attain in excess of 90% compliance among an organization’s affiliated merchants.
Bring internal resources together
An organization attempting to pursue compliance validation among their affiliated merchants will need to bring various internal resources together to attain maximum compliance. There are five vital groups that need to be involved and on board:
- A PCI Validation Project management team: Someone needs to coordinate all the parts of the project, both small and large. Depending on the quantity of affiliated merchants to engage, and the specific components of your project, this can require multiple persons.
- Marketing: You will need to communicate your program to your affiliated merchants. Most organizations prefer to maintain their existing “character” of communications with these merchants. If you select a PCI vendor to assist with the project, they may have sample communication materials, but most organizations want to put their own messaging in all merchant communications.
- Legal: Your affiliated merchants may or may not have legal requirements based on your business relationship with them. Due to these legal issues, most merchant communications, and your program in general, may need your internal legal review.
- Sales & Support Staff: As you carry out a PCI program, many merchants will end up discussing this with one or more of your staff. It’s very important that your staff communicate appropriately and according to the agreed communications approach with your merchants. Above all, you want to make sure your staff are supportive of the PCI program with your merchants, and do not instruct the merchants to ignore PCI validation.
- Executive Sponsor(s): After attaining executive sponsor support for your program, your executive sponsor should be fully aware of your program, your approach, and the status throughout. Executive sponsors are normally the only ones that can assist to “stay the course” if there are challenges during the project. You need to keep them involved so they can remain supportive throughout the project.
Use PCI vendor resources
Appropriate PCI vendor resources can improve the overall experience of your merchants. You'll reduce their time and frustration in validating their compliance, increase the likelihood of true compliance, and reduce the chances of a "compliance-as-a-checklist" mentality.
There are also vendor resources available to the PCI validation program administrator, which will reduce the workload for your PCI staff, streamline project needs, and increase overall project success.
1. PCI Project Program Manager
Depending on your project size/scope and your selected PCI vendor, you may need a PCI program manager to guide and coach you through your project preparations, and finalize any vendor-solution customizations for your project.
2. Vendor Online PCI Tools (for merchants):
- Initial Entry Page/Portal: The initial page/portal should guide a merchant efficiently into the PCI validation process. Where possible, it should gain insight from the merchant to help simplify the eventual compliance validation process. An example of this is to include some questions that might help eliminate PCI requirements as being “Not Applicable” to a merchant’s environment (and then pre-answer these questions for the merchant). Some vendor solutions also include inquiries during this process which identify additional sales opportunities for your organization with merchants.
- Core PCI Validation Portal: Your PCI vendor’s PCI portal for merchants should:
  - be easy to navigate,
  - provide clarity of process,
  - educate non-technical merchants sufficiently for them to oversee technical requirement fulfillment,
  - provide solution options/recommendations to solve compliance requirements,
  - and make available explanations of the benefits of the requirements (security practices).

3. Vendor Online PCI Project Tools (for your organization)
A collection of online resources should exist for you to adequately:
- Monitor overall project status, along with providing charts and graphs for reporting to your management.
- Track individual merchant activity, progress and compliance status.
- Allow ad-hoc project reporting and analysis of merchants’ collected validation and activity data.
- Facilitate project flexibility such as a phased project, a prioritized merchant approach, divisional groupings, etc.
4. Vendor Sales/Engagement Team
The fastest, most accurate, and most customer-friendly approach to engaging a merchant into PCI is with a trained and pleasant human. Many PCI vendors offer the option of speaking with a human to begin the PCI validation process. This process increases the accuracy of PCI scoping, and reduces the initial education and scoping time per merchant.
5. Vendor Live Support
While online aids, education and FAQs are a benefit to merchants, many vendors provide human support for their PCI validation solutions. When this is performed well, it is the most efficient and customer-friendly approach to helping merchants with challenges encountered as they work through compliance requirements.
Use incentives wisely
Initial programs for PCI validation among small merchants had limited success. As all merchants have an interest in financial success, it was felt that a financial incentive would help. With the introduction of a monthly PCI non-compliance fee many programs saw greater success. Some fee programs were variable based on a merchant’s transaction volume. These had varying degrees of success depending on the fee being sufficient to gain the attention of the merchant.
When considering negative incentives, great care should be given to considering your market position, governmental or regulatory complexities, and/or your organization’s desired customer satisfaction rating. With the goal of customer/merchant retention in mind, SecurityMetrics recommends any form of positive financial incentive that would be possible (i.e., a discount for a certain time period).
If negative financial incentives are considered, we recommend that they be accompanied by empathetic and frequent educational encouragement to the merchants. Additionally, if negative incentives are employed, great flexibility should be granted to your staff (support/sales) in dealing with customer complaints related to compliance and these fees, in order to retain merchants who have had complications in validating their compliance.
Establish effective communication
Initial Communication:
All initial communications to merchants regarding a PCI program should begin in the same manner as your standard merchant communications. For many entities, this is a monthly merchant statement. Whatever your standard and official manner of communication is with your merchants, all PCI-related communications should follow suit.
Additionally, the merchant should have other methods to confirm the veracity of your program. A common method is to include web pages in your web site which explain your program and feature additional education materials.
It is crucial that all staff who interact with merchants (i.e., sales and support) be trained on the details of the PCI compliance validation program and be instructed on how to respond to merchants, PRIOR to any initial communications with merchants. This will avoid dissemination of contradictory information to your merchants regarding your program.
