Guest Column. From the March 2010 issue of ISO&Agent.
The "great recession," as some have dubbed the current tumultuous business environment, has ISOs seeing higher attrition rates as merchants scramble to find low-cost service providers regardless of service quality and reputation.
Lost in the abyss of financial distress is the need to ensure adequate safeguards are in place for processing, storing or transmitting cardholder data. While critics of ever-expanding regulatory compliance always will exist, it is fair to assume that the Payment Card Industry data-security standards also are here to stay.
ISOs and related financial entities within the payments industry should be fully aware of the PCI-compliance requirements for their respective customers. The advantage is two-fold. Adherence to the standards helps provide the necessary data security and adds compliance transparency for customers, many of which are merchants.
Here is how it works. Any entity, be it an ISO or one of the many other businesses in the payments industry working with cardholder data, must be PCI-compliant. The confusion sets in when it comes to merchants and their own PCI compliance. Most merchants lack the knowledge, expertise and operational resources for becoming compliant with the standards. Though most merchants can fill out a self-assessment questionnaire regarding compliance, they still need guidance and assistance.
ISOs should ensure their businesses are compliant with the current versions of the standards while assisting merchants in any number of ways.
Compliance for an ISO essentially is a requirement, whereas a few years ago it was a market differentiator. However, assisting clients with PCI compliance can provide value, hopefully curtailing any attrition while gaining new clientele.
ISOs should make an aggressive push to market services as being PCI compliant while providing multiple resources for existing and prospective customers. It is important for companies to position themselves as compliant with industry security standards and to educate clients about the importance of compliance. Clients may be unaware of the financial penalties involved with noncompliance and the potential damage to their business reputations that could result.
Merchant education often is easier said than done. Merchants just care about cost, nothing else, right? Fortunately, these assumptions largely are false when an ISO fosters a culture of accountability and awareness for security standards.
Educating Merchants
Because merchants generally lack understanding about many components of PCI compliance, educating them creates a high level of accountability and awareness. Accountability means they have certain responsibilities for PCI compliance and can suffer significant financial penalties; awareness means they truly must understand the tasks at hand for PCI compliance and the technical requirements and operational commitments they must make.
ISOs can accomplish this in various ways, such as holding security Web seminars for prospective clients; providing monthly newsletters, e-mail alerts and tips on security issues for clients; and holding roundtable discussions with clients on their security and regulatory compliance needs.
The Payment Card Industry Security Standards Council and the major payment brands continually update and improve the data-security standards. Many merchants do not have the time or knowledge to keep up with the updates. An ISO's ability to keep merchants abreast of significant changes is a value-added benefit for them.
To help create a culture of accountability and awareness, an ISO should assign an internal working group within the organization to develop an in-depth primer on regulation compliance for existing and prospective clients. The primer should cover a wide array of issues, such as the varying levels of PCI compliance, the requirements for these respective levels and potential penalties for noncompliance. The primer can include PowerPoint presentations, technical writings, and videos and podcasts.
ISOs also can create industry buzz by distributing the material using social media, press releases, white papers, blogs and Web seminars. It is critical because ISOs should be able to attract new clients with today's Web tools and not decades-old marketing tactics, such as cold-calling or marketing letters.
A Web portal for PCI compliance can provide existing and prospective clients with a variety of resource-rich tools and supportive information for PCI compliance. White papers also can be helpful because they can break down and distill the PCI requirements in easy-to-use language.
ISOs can provide a list of self-assessment questionnaires, complete with instructions on how merchants should complete them, guidelines for answering each section and requirements for reporting. Companies can give merchants a list of recommended vendors and related third parties that can provide valuable and necessary services, such as network scanning, vulnerability testing, and policies and procedures needed for compliance.
An online user forum in which existing and prospective clients can engage one another and ask relevant questions on almost any imaginable payments-industry topic also may be helpful.
Business Cornerstone
Security topics are everywhere these days, from front-page news regarding recent data breaches to the latest software craze for monitoring an organization's critical infrastructure. An ISO's business is based on security and safeguarding assets.
It is important for ISOs to create compliance-training programs for all sales personnel, develop marketing material focused on PCI expertise, and take leadership roles at seminars, conferences and trade shows for the payments industry.
For ISOs and merchant acquirers, keeping up with PCI requirements is a task indeed. Service providers should ask themselves these questions: Have I adequately identified all of my outsourced providers that are processing, storing or transmitting cardholder data? If so, are they PCI-compliant, and what documentation can validate this? Does my internal organization have to be PCI compliant? If so, what proactive steps are required for ensuring the company is meeting the PCI requirements on a continued basis? Have I corrected any issues that could cause a potential roadblock to compliance certification?
Many times, additional hardware and software purchases are deferred until they become unavoidable, ultimately creating problems at re-certification of PCI compliance.
ISOs should create a business model in which PCI compliance is a transparent and integral component. They can do so by working closely with merchants and understanding that to them value is king. The tools and resources an ISO provides to existing and prospective clients will yield significant long-term results.
Charles Denyer is a PCI-qualified security assessor and a member of NDB LLP, an Atlanta-based accounting and consulting firm. He can be reached at cdenyer@ndbcpa.com.