Guest Analysis: Does PCI DSS Improve the Security State of Mind?

Matt Brown, Business Development Director, SecurityMetrics

May 11, 2015 – Overwhelmed, overworked and wearing too many hats. It’s not surprising that very few merchants get excited by additional obligations that call for spending more time and more money.

When it comes to compliance, many merchants have a difficult time understanding its overall true value. Even with PCI DSS version 3.0 replacing version 2.0 on January 1, 2015, a large number of business owners continue to view PCI as just one more line item on their ever-growing to-do list.

Yet security is increasingly essential for today’s merchants – large-scale data breaches (think Target, Home Depot, and Anthem) continue to emerge at a rapid rate and often lead to major financial, legal, and reputational damage for brands. In fact, the number of U.S. data breaches tracked in 2014 hit a record high of 783, according to a recent report released by the Identity Theft Resource Center (ITRC). That figure represents an increase of 27.5 percent over the number of breaches reported in 2013.

While PCI DSS has long been a critical consideration for merchants, many still fail to make the fulfillment of these requirements a top priority – even with daily reports of new breaches spanning the media.

It’s important to realize that a major driver behind the new PCI DSS version was the PCI Security Standards Council’s finding that a lack of education is a key contributor to many security breaches. The new version emphasizes the intent behind each control and its proper implementation, and explicitly highlights the need to establish a culture of security through more education, so that accountability is maintained throughout an organization.

Results From the ‘Merchant Experiences with PCI 3.0’ Survey

One issue hindering PCI compliance success is that merchants lack general awareness of the issues at hand. Results from our recent survey, “Merchant Experiences with PCI 3.0,” reveal that many merchants do not fully understand, or even attempt to comprehend, the PCI DSS requirements.

Conducted in February, the survey queried 320 merchants. Here are some eye-opening facts revealed by the survey:

  • Only 50 percent of merchants were aware of the PCI DSS 3.0 update prior to their annual compliance validation.
  • Overall, 48 percent of merchants report that complying with PCI DSS 3.0 requires more work than PCI DSS 2.0. However, not everyone thinks the work is worth the effort: only 21 percent of merchants feel the new standard makes them more secure than the previous version.
  • The share of merchants who spent more than one hour on their Self-Assessment Questionnaire (SAQ) doubled in 2015.
  • 26 percent believe complying with PCI DSS 3.0 is more expensive than complying with 2.0.

Whether a merchant deems the regulations too costly or difficult, doesn’t know where to begin, or is simply indifferent, acquiring organizations have an immense opportunity to help these compliance initiatives move forward.

As an Acquirer, What Can You Do?

The new standard takes more time, potentially increasing merchant frustration. What can you do to help? By properly informing, engaging and equipping merchants through numerous proactive measures, acquirers can help reduce business risk while minimizing burdens or misunderstandings associated with the compliance process.

One of the most important points to realize is that PCI compliance isn’t just a one-and-done occurrence – it is and should be a multi-year, continuous process. The trick is to convince your merchants to embrace this same attitude.

Very often, an incident that leads to a lost merchant relationship could have been avoided with better communication. While it’s critical for sales professionals to be well trained in conveying the critical nature of PCI compliance, the message should extend beyond the onboarding process. Ongoing, open dialogue throughout the relationship helps ensure that data security stays present in the merchant’s mind.

The best way to keep security at the forefront of a business’ regular routine is to include information about it in every customer interaction. For example, when a significant update to the standard occurs, send an email to your customers with an explanation or practical tips.

Providing a dedicated PCI customer support helpdesk ensures that merchants have access to a fully trained team that handles incoming questions and proactively contacts other merchants experiencing similar issues.

While PCI DSS 3.0 requires more effort than the previous version, there are numerous strategies you can take as an acquirer to reduce merchant frustration. Here are some tips:

  • Enlist the help of your PCI partner to send explanatory, educational emails.
  • Utilize social media, like Facebook and Twitter, to share PCI DSS 3.0 information.
  • Post a PCI DSS 3.0 banner on your merchant website.
  • Create a webinar explaining new PCI DSS 3.0 requirements. Demonstrate how to simplify the process, and consider offering incentives to participants.
  • Provide a set of compliance implementation tools, such as internal scanning, employee training, security policies, and card data discovery.
  • Always include a customer service phone number and a support email in communications.
  • Understand that your merchants will have questions – lots of questions. Be sure to provide easy support options, even enlisting third party support to ease frustration.

Security Awareness: An Ongoing Process

Because threats are ever-evolving in today’s digital landscape, security awareness and training activities must be ongoing as well. Acquirers have an important role to play from getting initial buy-in for such efforts to ensuring that merchants are using what they have learned and are actually complying with PCI DSS 3.0.

Chances are, your merchants already wear too many hats, and they know it. However, by providing adequate, value-added technologies, as well as easily accessible third-party support, acquirers can help merchants shift their focus back to the daily tasks and responsibilities they would much rather be doing.

Empowering merchants to take such positive action, and guiding them through every step of the compliance process will ultimately build loyalty, reduce churn, and boost the acquiring organization’s bottom line.

Matt Brown is a Director of Business Development at SecurityMetrics and assists financial institutions in the customized creation of PCI DSS programs. These programs have led to millions in partner revenue and lowered merchant risk. Brown is a graduate of Brigham Young University and enjoys golf, skiing, and SCUBA diving.