3 Tips to Light a PCI Fire Under Your Merchants: Psychological keys to merchant motivation.
Why do merchants lack PCI DSS motivation?
Before we look into how to get your merchants on the PCI compliance fast track, let’s question why they lack motivation. Merchants have plenty of reasons not to be PCI DSS compliant, but these appear to be their main excuses:
- It’s a change from what they’re used to: People don’t hate change. They hate the chaos that comes with it. Moving from the way things are to an uncertain future means pain, new technology, uncertainty, fear, additional work, and changing responsibilities.
- It costs money: For L4 merchants, new security technology can mean major expenditure. Why would they spend more money on something that (they mistakenly believe) will make virtually no difference?
- They don’t have time: Maintaining data security takes time away from actually selling and interacting with customers. Merchants are busy and push PCI DSS off for “more important tasks.”
- They don’t understand PCI requirements: The PCI DSS is extremely technical, especially for merchants with no previous technical education. If a merchant doesn’t understand it, they won’t do it.
Three successful ways to motivate merchants
As you dive deeper into why merchants don’t comply, take a step back and remember that your merchants are human. Psychology identifies a handful of basic emotions that motivate people.
Take a look at three emotions that apply to the merchant PCI DSS motivation situation, and how you can use them to get merchants excited about PCI DSS.
Safety/pain avoidance
A feeling of true safety only happens if you feel free from emotional or physical harm. Merchants feel safe if they know their business will turn a profit year after year.
Think about PCI DSS from a merchant’s perspective. If a merchant has had an account with you for 16 years, and all of a sudden you force them into PCI compliance, that doesn’t exactly create a feeling of safety.
Lack of communication promotes uncertainty, which breeds fear. Take the time to educate merchants on just how devastating security breaches are and why L4 merchants are targeted by criminals. Share the security benefits of PCI DSS compliance.
Marketing PCI as a security blanket instead of a must-do will help merchants feel like the standard is protecting their business and profits. If you can explain how you’ll minimize the chaos and dial down the intensity of the change from non-compliant to compliant, you’ll have greater success convincing merchants to care about the PCI DSS.
For greatest success, over-communicate. Clarify new roles and responsibilities, show them what they are accountable for, and explain any new policies. Send emails, use social media, upload new security information on your website, and host monthly security webinars. Introduce educational PCI videos into new merchant onboarding processes to set the stage for your expectations.
Reward/incentives
Some human behavior is motivated by a desire for reinforcement or incentives. Understand that not all incentives are created equal. Whether the carrot is a prize, money, or recognition, this approach will take a bit of testing to see what your merchants respond to.
Instead of imposing more and more fines (the fear approach), introduce positive reinforcement, for example by reducing annual compliance fees as a reward for compliant merchants. Each portfolio is different, but with careful thinking about merchant motivation, you may find innovative ways to motivate your merchants.
Some acquirers successfully layer benefits in with a merchant’s overall PCI compliance strategy. For example, you could promise eligibility for protection from fines and fees with a card data breach protection program once a merchant is compliant. Breach protection programs can cover all merchant costs relating to a card data compromise up to a financial limit. This also helps create goodwill and appeals to the safety/pain avoidance motivation.
Fear of failure/consequences
Nothing makes humans more uncomfortable than fear. We hate missing opportunities, being punished, or not being accepted. I recommend using fear as a last resort when encouraging merchant compliance.
Sometimes just the threat of a noncompliance fee will jumpstart portfolio compliance, but you’ll always encounter merchants who won’t care, or who remain ignorant. The good news is all merchants have breaking points. You might consider implementing a regular schedule that increases noncompliance fees on some interval for stubborn merchants. Eventually, they’ll do what is necessary to stop receiving those fines.
Understand that the fear methodology may result in more attrition than other methods, but it’s definitely effective for getting merchants PCI compliant. It will also reduce the risk of card data breaches in your portfolio.
Getting your merchants compliant
No two portfolios are the same, which means you should micro-test these theories and suggestions to see what motivates your particular portfolio. No matter which method you choose to motivate your merchants, don’t forget the power of education. If merchants simply understood the power of true data security and the reasons behind the PCI DSS, they might feel differently about spending time implementing it.
It’s time to take an active role in your L4 merchant compliance, especially now that their compliance directly affects your relationship with Visa. I am hopeful these changes will finally help small merchants, who might otherwise be unknowingly compromised and suffer life-changing consequences, get on track with data security.