As an Acquirer or ISO, if you're in the market for a PCI Program, you may feel like there are limited options, especially since many of the PCI program providers have consolidated into one option, VikingCloud.
The good news is that there are still options for you. This blog is designed to help you ask the right questions about PCI programs and compare your options in the PCI program market to make sure you’re spending your money on the best possible option for your organization.
*Also, it’s important to realize the author of this post is SecurityMetrics. We think we’re pretty good (okay, okay, the best) at PCI compliance
What is a PCI Program?
A PCI program is a system that acquirers use to keep track of their merchants PCI compliance, and for merchants to receive the training and tools they need to achieve PCI compliance and remain PCI compliant.
What makes a good PCI Program?
A good PCI program will make PCI compliance easier for merchants and acquirers. If a PCI program is easy for acquirers, but unhelpful for merchants, then the PCI program isn’t going to be helpful in the long run. This is why simplicity for acquirers and merchants should be a top priority when looking for a PCI program.
A PCI program should have excellent technical support. If acquirers and merchants know that they can easily get the technical support they need, they will be more likely to reach out when they run into issues with PCI compliance.
In addition to supporting merchants, a quality PCI program ensures that you, as the manager of the program, also get excellent 1:1 support, consulting, and training.
Another indicator of a high-quality PCI program is the available products that help merchants implement requirements, not only validate compliance. This not only helps the merchants with their compliance, but also increases security and can provide a revenue option for acquirers.
Finally, a good PCI program should have a process in place to not only assist level 1 and 2 merchants with security assessments, but also be able to report that progress to the acquirer. This of course is in addition to level 3 and 4 self-assessing merchant compliance reporting.
Ensuring that your PCI program has each of these options will significantly decrease the frustrations of merchants and acquirers.
What are frustrations with PCI Programs?
Since there are two different entities who use PCI programs, it’s important to understand the frustrations of acquirers and merchants. This way you can choose a PCI program that will benefit both groups and increase the likelihood that all parties will be compliant.
The time it takes to become PCI compliant
Lack of skill or expertise to become PCI compliant
Confusion about who is responsible for PCI compliance
Escalations from merchants who are frustrated with compliance
Lack of communication and support for their internal teams’ staff
The ability to easily pull reports across multiple merchants
Now that you have some background on what to look for in a PCI program, let’s get into questions to ask when comparing PCI programs.
SecurityMetrics vs. Other PCI Program Providers
Simplicity is an essential component to a successful PCI program because complexity can be a barrier to merchants becoming PCI compliant. Remember, the ultimate goal of a PCI program is to help merchants become compliant to avoid breaches, fees, lawsuits, and even the closure of a business while maintaining customer trust and loyalty. Making it easier and more valuable for merchants to be PCI compliant than taking the risk of a data breach should be a top priority when choosing a PCI program.
Here are some questions you can ask to find out whether the PCI program will be simple:
Do acquirers have the ability to pre-populate and answer questions for merchants?
Does the program offer a straightforward SAQ process, one that simplifies language and provides further guidance than the regular standard?
Does the program simplify a merchant's reporting if they have multiple methods of processing? (e.g., combining SAQs)
Is there an easy way to keep track of merchant compliance?
Is there a way to ask merchants custom questions to easily get more insight into how the merchant is operating their business? (i.e., find more opportunities to help them)
Is there an easy way to access and pull progress reports?
Is there a way for merchants to have a clear and comprehensive view of their data security and compliance, and additional products needed to fulfill requirements?
Is there a way to know how satisfied my merchants are with their compliance program?
Will this PCI program handle L1 and L2 merchants in addition to L4 merchants?
One of SecurityMetrics features in their PCI program is FastPass, a service that reduces questions and pre-fills in answers based on what payment technology a merchant may be using.
Additionally, with SecurityMetrics’ PCI program, acquirers can track their merchants’ compliance in one place and can report on over 100 fields of data. This gives you the option to stay shallow or drill down deep. It's up to you and your needs.
SecurityMetrics makes PCI compliance simple for acquirers and merchants by offering a full service team of experts (QSA, ASV, PFI, SSF) that allows them to help their partners with all levels of merchants and service providers.
We’re a managed Security provider with over 20 years of data security experience and PCI certified
Qualified PIN Assessor (QPA)
Qualified P2PE Assessor (P2PE QSA)
Qualified P2PE Application Assessor (P2PE PA-QSA)
Approved Scanning Vendor (ASV)
Qualified Payment Application Assessor (PA-QSA)
Qualified Security Assessor (QSA)
Certified Forensic Investigator (PFI)
SecurityMetrics also has a streamlined way to care for L1 and L2 merchants that is similar to L4 merchants, as well as a way to report information to them.
If you recall the most common frustrations of merchants and acquirers, you’ll notice that a large majority of these frustrations can be eliminated through a simple program and quality support.
If a company has lackluster support, some merchants may choose to deal with the risk or consequences of a data breach rather than deal with the annoyance of poor support. On the other hand, if a PCI program offers quality support, it will become worthwhile to merchants to avoid the risk and consequences of a data breach and maintain their PCI compliance.
When a merchant needs help, at the bare minimum they should be able to get in contact with support through the phone, email, or a live chat.
Here are some questions you should ask about the support in the PCI program:
Do you offer technical support in addition to help desk level support?
How difficult is it to get in contact with support?
What are the support hours?
What is the average speed to answer?
What are the options for contacting support (e.g., phone, email, live chat)?
What are the qualifications or the expertise level of the support team?
What other additional resources are available to support me through PCI compliance?
SecurityMetrics offers award-winning support. SecurityMetrics support agents are available 24/7, along with live chat, email support, and a self-serve merchant portal. Merchant calls are answered in less than 15 seconds, on average.
Each of the support agents is a qualified expert who can help you with your questions and concerns.
However, a quality PCI program will also offer PCI education and training so that merchants and acquirers can find their own answers and solutions as well. SecurityMetrics has robust educational resources for their clients that include webinars, blogs, podcasts, a free security academy, and training options.
There are many factors to consider when purchasing security. Here are some questions to consider as you decide which PCI program to invest in.
Perhaps the most important question to ask is “what do I want out of a PCI program?” If you’re looking for a high-quality program that will help merchants achieve and maintain compliance in the simplest way possible, it will cost you more than a program that is selling mediocre support and resources. Other questions are also important:
What is my budget for a PCI program?
What is my objective for purchasing the PCI program and how will that factor into my cost?
What products am I getting with the PCI program?
Are there revenue options and what is the quality of those revenue options?
If you are looking for the cheapest option, other providers may come at a minimal cost.
But if you're looking for premium support, products, and services SecurityMetrics is the best choice.
Not to mention that SecurityMetrics offers additional products that can increase your revenue and add value to your merchants, such as:
SecurityMetrics Vision to scan for internal vulnerabilities and provide log management
Security Awareness and PCI Security Training available for a range of businesses and employee roles
Security Policy Templates to help meet security policy requirements
SecurityMetrics Pulse to fill in the security gaps for merchants with a managed security team
Antivirus Essentials to protect against malware and receive 24/7 support to manage and set up your antivirus software.
So, which PCI Program is right for you?
While some PCI programs are attractive because of their low cost, they may ultimately not help acquirers and merchants with their goal of becoming PCI compliant.
SecurityMetrics offers a high-quality, more robust program because their objective is to get all merchants to achieve and maintain PCI compliance. Currently, 93.6% of SecurityMetrics customers that started their SAQ have achieved a passing status within an average of 20.33 days.
If you decide that SecurityMetrics is the best solution for you and your company, you can get more detailed information about their PCI Programs here.