By Chris Taylor
With the end of winter comes the annual household spring cleaning ritual. I love remodeling, and each spring I find myself searching online for inexpensive ways to renovate my older house.
Like my annual domestic updating ritual, remodeling a Payment Card Industry (PCI) data, device and application security program is a fantastic way to develop a renewed vigor for security. Perhaps your program is dated, like my white electric stove, and doesn't meet current needs. Maybe your organization is too mature for your current program, like a family outgrowing a starter home. Or maybe your current PCI program isn't achieving your original compliance goals.
Whatever the justification, five main concerns should prompt you to consider remodeling your PCI program. Remember, some program aspects may require only minor changes, similar to spring cleaning, and other aspects may require a bit more work to remodel.
At some point during your current security program, you may have segmented your portfolio by risk. Unless it was scoped in the last few months, you may be focusing on merchants previously identified as risk-prone, but who aren't considered risky today, and vice versa.
To assist with merchant segmentation, risk-profiling tools like card data discovery software can forecast which portfolio members are more likely to suffer data breaches. Prior to a recent audit, a department store manager was positive his systems stored no payment card data, because he had passed a security audit the previous year.
However, he wasn't aware that a member of his information technology staff had inadvertently made a change in the middle of the year that resulted in the company network storing 50,000 unencrypted credit card numbers. Vulnerable data such as this can be found with the right tools; without them, an ISO or payment processor would have difficulty identifying a merchant's risk level.
Remodeling your PCI program allows you to focus initial efforts on high-risk merchants. Your vendor can assist in formulating merchant profiling questions for risk assessment. Questions to elicit relevant information include:
When real estate agents show a run-down house, they tend to discuss overall potential instead of dwelling on negative features. They typically ask buyers to consider how inexpensive remodeling would dramatically increase the interior aesthetics and market value. Because of the PCI Data Security Standard's (PCI DSS's) unfortunate negative connotation in the industry, many ISOs and payment processors perceive it as an obligation, hassle or millstone. Regrettably, that thought pattern rubs off on merchants.
Most acquirers and ISOs don't consider using their PCI compliance programs as a major merchant benefit, relegating them instead to contractual fine print. The issue of PCI compliance isn't unique. But if you begin promoting PCI as an asset, your program will automatically contain something your competition doesn't have: an undeniable commitment to merchant security.
If merchants balk at extra security fees, be prepared to educate them on how PCI compliance addresses major business security problems and alleviates the pain of credit card compromise. If your business proposition adds PCI as its differentiator, your organization will scream, "Your security is our priority!" And you will be heard above the noise of the competition.
In household remodeling, the efficiency advantages of an updated kitchen are obvious. However, many processors shirk upgrading some of the less visible aspects of their PCI programs, in particular the behind-the-scenes technology that makes compliance easier for both program managers and merchants.
For acquirers and ISOs, new program-management tools equal better reporting and fully automated communications, which require less time, money and personnel to manage. For merchants, new technologies make compliance more efficient and improve security through threat monitoring and prevention.
In a condo I used to own, I made the mistake of ignoring a slow leak in the ceiling. After winter, the ceiling insulation and drywall had to entirely be replaced, which wasn't cheap.
Because portfolios, technology and business goals change over time, important portfolio security features may become lost in the chaos. The point of the PCI DSS is to stay three steps ahead of hackers and five steps ahead of your own financial liability if one of your merchants experiences a security failure. Today's attackers are patient and tenacious, and they exploit merchant vulnerabilities with practiced ease.
To keep PCI compliance in the forefront of a merchant's to-do list, it must be proactively and consistently pushed. Did you know that your portfolio is only as valuable as your overall merchant compliance level? Michael Campbell, a Senior Associate at The Strawhecker Group who focuses on acquiring and issuing risk, said noncompliance is financially unhealthy.
"A PCI-compliant merchant portfolio has enhanced value when an acquirer or ISO puts it on the market, and [it] is favorably considered by prospective buyers," he said. "When a merchant portfolio ... has low PCI compliance rates, the attractiveness of acquisition diminishes." Many acquirers and ISOs are apathetic regarding the overall compliance status of their portfolio, and they accept the status quo. Yet, security is a living, breathing organism, and a merchant's passing compliance report is merely a dated snapshot. Staying up to date with a PCI security program is necessary to minimize risk and increase portfolio value.
Your merchants are the VIPs of your organization. By implementing the most up-to-date program possible, you'll share in their success for years to come. By cutting corners or engaging a PCI vendor that's nothing more than a billing service and a self-serve website, you'll spend twice the resources to cover program weaknesses. If you pay homeowners' association fees, don't you expect nicely trimmed landscaping, a maintained pool or regular snow removal? When merchants are charged, they expect additional value.
Payment processors should plan on merchant attrition if programs remain outdated while merchants are charged the same noncompliance or PCI fees year after year. Companies that provide additional security value to merchants will build enduring customer loyalty and more confidence in the payment card processing chain.
Chris Taylor is Manager of Channel Marketing for SecurityMetrics and can be reached via email at email@example.com. Find more details on remodeling your PCI program at www.securitymetrics.com/remodel or by calling 801-995-6869.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next