BLOG HOME > PCI > Increasing Satisfaction in PCI DSS Programs: A Message for Acquirers and ISOs

Increasing Satisfaction in PCI DSS Programs: A Message for Acquirers and ISOs

Your priorities are our priorities 

When it comes to PCI Programs, the best satisfaction for me comes from knowing that our efforts in working with your customers result in fewer data breaches. We help your merchants maintain peace of mind about their livelihood without the looming threat of a catastrophe. 

Get Started with PCI Compliance

Start Here

As part of these efforts, we aim to improve merchants’ security posture and close compliance gaps. We help merchants have the confidence to validate various security standards that provide protection and compliance. 

When I began working in PCI Compliance, my belief was that all partners wanted the same thing: to increase security for their merchants. Over time. I realized I’d forgotten the main priorities of all businesses, which are to:

  • Increase revenue

  • Decrease attrition

  • Increase customer loyalty

These priorities are always on our mind at SecurityMetrics. We have revenue share options, we work to make the PCI DSS compliance process as painless as possible, and we want your merchants to experience the same outstanding customer service that they receive from your teams. 

Elements of a successful PCI Program

The three most important elements of a successful PCI Program are: 

  • Defining program objectives

  • Educating merchants

  • Communication

Defining program objectives

The reasons acquirers need PCI programs can vary. Program objectives can range from simply needing to satisfy card brand requirements to wanting to give merchants a clear-cut advantage. The most common objective we hear is the desire for 100% portfolio compliance. 

My reaction to this objective is, “it will never happen.” It’s not that your merchants won’t become compliant, but because they don’t all start their compliance on the same day or get compliant on the same day, compliance will never reach 100%. 

Merchants may change their processing method–which means they need to go through a re-scope and a re-setup with a different SAQ. Or, the merchant may change an SAQ answer that will cause them to go from a passing to a failing status. There are also too many opportunities for a merchant to fall out of compliance to believe that 100% compliance is ever possible. 

When one partner gave me the objective of 100% compliance, they were surprised by my answer. After we talked about the objective, we came to the conclusion that what they really wanted was to reduce their liability. We came up with a plan to segment their merchants by risk and then customize communication and outreach based on this risk segmentation. 

Email campaigns were designed for each group. High-risk merchants were emailed first, followed by outbound calls. As the year was winding down, we discussed sending more emails to make sure that all merchants had received an email by October 1, knowing that most businesses look forward to the last quarter of the year to fill in their revenue gaps. Six months after we started the program, we had an enrollment rate of 85% and a compliance rate of 90%. 

So, what are your program objectives? Do you want to get the card brands off your back? Reduce your liability? What are your key results for measuring success? Set your objectives early and communicate them to your Customer Success Manager (CSM). You will have a weekly call with your CSM where issues will be discovered before they become bigger problems. 

Individual SecurityMetrics Customer Success Managers have been with SecurityMetrics for an average of around nine years. They’ve helped many programs meet or exceed their program objectives. SecurityMetrics also has an award-winning support team that is available 24/7 to help your merchants with any questions they may have about completing the self-assessment questionnaire (SAQ) or self scan. 

  • Customer Success Managers want to help you decrease the number of calls to your PCI team and increase your program success. Over the years, we have listened to our partners, analyzed data from our teams, and reached out to merchants to define ways to improve and simplify the experience:

  • For our partners, we built the Partner + Portal, which includes ways to give you a more hands-on approach to helping your merchants. 

  • FastPass was created as a customizable system that helps merchants get to the correct SAQ with as little chance of error as possible. FastPass also gives you the ability to pre-mark SAQ responses based on your knowledge of your merchants’ products. Additionally, It can be used as a way to validate merchants using card brand validation options like TIP, and serves as a marketing tool so you can be alerted when a merchant answers a specific question a certain way. 

  • We created Easy-Order SAQs to build merchants’ confidence when starting the SAQ process, reducing the number of frustrating calls from merchants to your team. 

  • We also included simplified language so merchants can understand what is being asked. 

Make sure that PCI Program objectives are agreed upon, starting with your executive team. This will help keep everyone moving forward, especially when restructuring occurs or resources get reallocated. 

Setting realistic goals that stretch everyone will also help us stay focused on your objectives. Your Customer Success Manager has experience. Ask questions. If they don’t have the answers, they know someone that does. 

Education

As an Audioprosthologist, I learned quickly that no one wants to believe they have hearing loss. People are quick to blame everyone else for their lack of understanding. After listening to my patients, I educated them on how the auditory system worked, giving them good information and an understanding of what was happening to them and why it was happening. We then discussed what could be done to improve their quality of life.

When I came to SecurityMetrics, I applied the same strategy. Educate the merchant–don’t scare them–and they’ll walk down the path with you. But this is not just about educating the merchant, it’s also about educating your staff. More education equals fewer complaints on both sides. 

The biggest issue I’ve heard from sales reps is that they don’t understand why PCI compliance is important. Because they don't understand it, they don't express the importance of PCI compliance to the merchants and then merchants never realize the value of the program either. In order to convince their merchant of a technology that decreases their PCI compliance requirements and increases their revenue, they need to know PCI basics and be able to point the merchant to your PCI educational information.  

The second issue we find is that people haven’t heard about PCI or the PCI vendor. For example, a merchant speaks to a teller about an email that they’ve received. The teller says it sounds like a scam and advises the merchant not to respond to the email. The merchant is now convinced that they don’t need to do PCI and you are facing even more obstacles. Internal PCI training is so important. It is preferable to do this kind of training before you start your program.

Educating your merchants about PCI DSS compliance is the next essential step. Your merchants need to understand that you have their business success in mind and that PCI DSS compliance will help them achieve that success. Merchants need a basic understanding of PCI DSS compliance, why they need to become compliant, and who the PCI vendor is that they will be working with. Knowing that they can get information from their trusted source (you) is important. 

Ongoing education is essential to PCI DSS requirements as PCI DSS requirements change. This education will ease your merchants' fear about the process and increase their understanding about your expectations for them to become PCI DSS compliant. You will hear less complaints and experience less attrition in this process. 

More PCI education equals more compliance. 

Communication

Education and communication work hand and hand; they are vital to a successful PCI program. You can never assume that your staff or your merchants know what to do when it comes to PCI compliance. Communication keeps people from assuming. Communication is the key to maintaining a relationship. 

There should always be some kind of PCI information in your employees’ newsletters and in places where your staff may take a break. If you have an employee website, PCI should always be a talking point. 

Dale Carnegie once said, “tell the audience what you want to say, say it, then tell them what you said again.” Repetition is the key to learning. If you keep the information in front of staff and then follow up with training, the information will be heard, understood, and recalled when needed. 

The following list includes elements that should be a part of your communication campaign:

  • Letters

  • Merchant newsletters

  • Statement inserts

  • Leave-behinds 

  • Website

  • Phone tree

  • Vendor campaigns 

Your communication campaigns are another step to educating your merchants about PCI. What is expected of them and when it is expected of them will start to resonate. We suggest the first contact about your PCI program for current merchants should be in the form of a letter. When information comes on your letterhead, it’s more likely to be read. For new merchants, a leave-behind is a great start and will let them know that more information will follow.

Following the letters and leave-behinds are email campaigns. They educate the merchants about PCI, your PCI vendor partnership, what your next steps should be, discussion of risk, and consequences of noncompliance. Your PCI vendor should be able to help you with this. 

Don’t be afraid to update your message to your merchants. Freshen it up a little bit. Be more direct about your expectations, make it feel like you care about them and their business. Merchants are busy and. PCI is going to feel like a disruption to their ultimate goal: making money. They’ll likely skim through the next letter, but their consistency with reading future emails may dwindle.  

Remember that when it comes to communication, repetition is key. Statement inserts are a great way to keep the merchant informed on PCI expectations. Adding your vendor information to the non-compliant fee will help merchants remember the letters and emails that have been sent. 

Your website should be a place your merchants can go to get PCI information as well. This information should not be behind a password. The easier it is to get to information, the more likely it will be consumed. Your IVR number should always be on every communication sent to the merchant. This will help reduce questions that you and your staff have to handle. 

Your PCI vendors should be able to help you with content needs for educating your merchant and your staff about PCI. Here at SecurityMetrics, we have a marketing team that has built an extensive library that includes white papers, webinars, and blogs, and they are happy for our partners to use them. Your Customer Success Manager will help facilitate this if needed. 

Keys to a successful email campaign

Remember, this is your PCI program. Therefore, it’s your campaign. Make sure that your emails feel and sound like you but keep these 5 key components in place for success:

  • Simple introduction

  • Non-compliance risks

  • Clear “do this” text

  • Action or deadline date

  • Repeat  

At the end of the day, PCI compliance is about helping your merchants reduce risk and grow their business. 

When merchants experience a breach it can result in customer complaints and loss of faith. Customers may turn elsewhere for products and services. This could lead to merchants closing their businesses. It’s not something we want to see happen. 

For more information about PCI programs or to request a quote, visit this page. 


By: Scott Robinson, Director, Program Management, Accounts Management