I had a chance to listen to a webinar yesterday and thought I would share my thoughts on it. It was based on a new study that just came out. The study was conducted by the Merchant Acquirer's Committee (MAC) and ControlScan. Basically, they sent out a survey to a bunch of acquirers, banks, ISOs, processors and agents. The goal was to look at PCI compliance for level 4 merchants from the perspective of the acquirer.
For those that might not be familiar with all the PCI terminology, a level 4 merchant is basically a merchant that does less than 20,000 transactions a year. Merchant levels are based completely on transaction volume and have nothing to do with the value of those transactions. This makes sense when you think of it from the angle that PCI is designed to protect cardholder data. Merchants processing more unique credit cards carry more risk, and therefore face more validation requirements when it comes to PCI compliance.
OK, enough about that. On to the study. There were a few interesting findings that I wanted to mention that might help out those acquirers and ISOs looking to implement a PCI compliance program for their merchants.
Work With Those That Know
First, the study touched on what acquirers and ISOs see as the main challenges to PCI compliance and establishing a successful program. There was a list of a few different ones, but the biggest ones I thought were:
- Lack of resources to properly manage a program
- Lack of PCI knowledge
The key to overcoming both of these is to partner with a good PCI compliance specialist. The study also mentioned that there are some out there trying to do this on their own. The study didn't mention this, but I would venture a guess that those trying to implement their own program are also those achieving the lowest levels of merchant compliance. PCI is a very complex beast. I have been involved for many years and still learn new things every day. There are many different tools and programs out there to help you meet each of the 12 requirements in the Data Security Standard. When it isn't your business, it's not worth it to stay informed about all the changes and updates as they come out. Partnering with a third-party provider for PCI compliance allows you to concentrate fully on your core business, resulting in more success in both arenas.
Stay in Touch with Your Merchants
Second, the study confirmed that the more ways you communicate with your merchants, the more success you will have. This sounds like common sense. I think we all experience this with any business we might work with. We get phone calls, emails, snail mail, and other advertising methods teaching us about what they do and how they can help. PCI compliance is no different. Education is a huge part of a successful program. Many level 4 merchants might not know what is required of them, let alone how to implement a PCI compliance program of their own. The more contact points an acquirer has with a merchant, the more likely it is that the merchant will follow through and become compliant.
In the same vein, the more tools a program offers, the better the compliance rate will be. Beyond just the basic digital Self-Assessment Questionnaire (SAQ) and ASV vulnerability scanning, there are many tools that add value to a compliance program. Some examples include:
- Security Policy Builder
- Security Awareness/PCI Training
- Data Breach Protection Insurance
- Credit Card Data Scanning
- PCI Consulting and Education
Good programs will offer tools above and beyond the basics and work to keep them current and in line with the most recent PCI standards.
PCI Compliance Reduces Risk
For me, I think the biggest takeaway is the conclusion that PCI compliance does result in reduced risk and exposure for acquirers, banks, and ISOs. The study found that those acquirers and banks with the highest levels of PCI compliant merchants experienced the lowest incidence of data breaches. And really, that's what it all comes down to. We all take on risk when we work in the payment card space, and we want to make it as small as possible.
If you want to read the full study, you can download it here. Thanks again to MAC and ControlScan for conducting this study and making the findings available to the industry.