By: Kelly Rodriguez
PCI Program Manager at SecurityMetrics
Tips for PCI DSS Program Success
One of the major goals of a SecurityMetrics PCI Program is to close data security and compliance gaps and avoid data breaches. PCI DSS compliance is a great tool not only for fulfilling industry requirements and protecting payment data, but for overall data security.
PCI compliance is not just a checkbox exercise. Much of data security compliance is action oriented, e.g., making sure that networks are segmented or that you’re not sending credit card information over email.
There are five different areas that we’re going to review:
- PCI Program communication
- Goal setting
- Ongoing education
- Making PCI easy
- Leveraging your PCI vendor
Closing security gaps to prevent merchant data breaches should be the overarching goal of a PCI Program. When we think of data breaches, we often think of the big corporations we see in the news. But most data breaches are experienced by small merchants. If merchants are not PCI DSS compliant, they are much more likely to experience a breach.
Fallout after a data breach can be very expensive. On average, the data breach response process costs $35,000. For any mom and pop, that may be enough to close their doors. An additional repercussion is the damage to reputation that can ensue.
For these reasons, PCI Programs should not be run with a “checkbox” mentality. Make sure you have these five elements in your PCI Programs to avoid this problem:
PCI Program communication
Let the merchant know about the partnership in the following ways:
- Ensure PCI compliance is part of the sign-up process
- Include PCI vendor contact information
- Provide step-by-step instructions on how to complete compliance
Continual outreach will help make the importance of PCI compliance a part of their mindset.
There are several ways to let your merchant know about your partnership. You want to ensure that the merchant knows about PCI DSS requirements as well as their PCI vendor when they first start their merchant processing. They should know that PCI DSS compliance is an obligation and should have easy access to their PCI vendor information.
When merchants don’t know who their PCI vendor is, they may call the acquirer believing that someone is trying to scam them or steal their information. It’s important that you help the merchant understand that there is a partnership in place to help them comply with PCI DSS and avoid a data breach.
Regular email campaigns have proven very important to the success of a PCI compliance program. There are three basic types of merchant campaigns:
- Unenrolled campaigns: These help merchants that have not started PCI get started.
- Currently failing compliance: Merchants may think they have checked the boxes on their SAQ and are done with compliance, but maybe they forgot a section or haven’t signed. This campaign reminds them to finish their SAQ.
- Soon to be expired: This lets the merchant know 30-60 days before their SAQ expires that they will need to renew their compliance.
Goal setting for PCI compliance numbers
Include the following when determining Program goals:
- Desired overall enrolled and compliance numbers
- Realistic timeframes
We want to understand how many merchants you want to enroll and how many you hope will be compliant. There may be a specific number you need to reach to avoid a fine. Many acquirers hope to have 100% portfolio compliance, but that is not necessarily feasible. It’s good to break compliance down into small percentage goals and work toward them in steps.
Some acquirers have already moved past initial compliance percentage goals and would like to reach a bigger goal. Time frames should be set realistically. If you want 100% compliance next month, that would be unrealistic. We will work together to create realistic goals so we can move forward. Consider your other compliance goals. Do you hope to help merchants truly understand data security and compliance? This will influence what you need to cover in your campaigns.
Determining who is in charge of PCI compliance at your organization is key to reaching your goals. Is it the merchant? The processor/bank? Both?
Some SecurityMetrics partners like to drive the compliance train. For these partnerships, the acquirer reaches out, makes phone calls, and has personal interaction with their merchants. We provide the tools they need to run PCI Programs, but they take care of the communication.
On the other end of the spectrum are partnerships in which SecurityMetrics takes care of most of the communication.
Do you want us to reach out to the merchant? Or do you want the merchant to reach out to us? Or are you going to reach out to the merchant? These are the important questions to answer when setting your PCI Program goals.
But, at the end of the day, the responsibility for data breaches lies with the merchant. This means that the merchant will always be in charge of their compliance.
Ongoing PCI DSS education for merchants
Education for merchants should begin when they first start processing. We want to be upfront about what could happen if they don’t comply with the PCI DSS and educate them on how to become compliant.
If a merchant is facing noncompliance fees, it’s important to educate them on why, and provide a path back to their PCI vendor.
Many acquirers do monthly or weekly newsletters. SecurityMetrics provides monthly educational seminars, educational systems, and various programs to help educate merchants about PCI compliance and data security. Merchant understanding will increase compliance numbers and that often has to start with the basics, e.g., what the PCI DSS is.
When the PCI Security Standards Council (PCI SSC) releases new information, SecurityMetrics will notify the partner so they can educate their merchants.
Make PCI DSS compliance easy for merchants
Data security and compliance are not necessarily easy things to think about. Mom and pop businesses are not usually IT specialists. Merchants may not know what network segmentation means or know how to configure a firewall. For this reason, the PCI compliance process should be as guided and simple as possible.
The SecurityMetrics merchant dashboard is easy to understand and gives merchants a to-do list with items they are currently failing. When it comes time to start a new SAQ, many questions will be pre-populated according to the acquirer’s specifications.
During the scoping process, it’s important that merchants understand the questions they’re answering and the answers they’re giving. Confusing jargon will decrease understanding and impede the compliance process.
Leverage your PCI vendor
Your PCI vendor is integral in helping a merchant understand PCI compliance and discover their specific requirements. Merchants are assigned to an SAQ, but much of the time they don’t understand what that entails. The PCI vendor can help fill this knowledge gap so that you don’t have to answer security questions. Ultimately, the PCI vendor is the party that validates and reports a merchant’s compliance.
Assist your merchant in becoming secure and compliant. Help them avoid data breaches by leaning heavily on your PCI vendor to be the cybersecurity expert.
SecurityMetrics not only provides PCI compliance, but services like penetration testing, compliance assessments, and data breach remediation, as well as training and policies.
Kelly Rodriguez has worked in the PCI compliance industry for the past six years in many roles. Currently Kelly is on the Program Management team, working with SecurityMetrics partners to ensure merchant portfolio programs are running smoothly and all PCI compliance goals are met.