Education Continued

Seven tips for a successful mass PCI compliance program: Part 2

By Michelle Thompson
FirstMerit Bank NA

In "Seven tips for a successful mass PCI compliance program: Part 1," The Green Sheet, Aug. 12, 2013, issue 13:08:01, I suggested that choosing a Payment Card Industry (PCI) Data Security Standard (DSS) partner that fits your organization was key to a successful rollout. I also outlined my list of most important vendor criteria and defined vital points that helped prepare for mass compliance, such as gaining corporate commitment and accepting stewardship over your merchants.

Now I'd like to explain what I found to be the two most important steps during a mass compliance rollout: setting goals and constant merchant communication.

Tip 3: Stick to your (realistic) goals

Ensure your goals are realistic in terms of the amount of time it takes your portfolio to engage or become compliant. I learned this concept the hard way. Because I was new to the PCI DSS and didn't understand the complexity of merchant struggles to meet difficult standards, I shot for an outrageously high compliance goal (98 percent) in a very short period of time.

My overly ambitious goal turned my life into a living hell. Because I took responsibility to stay in personal contact with all my merchants, workdays lasted 12 to 14 hours, and the work week lasted seven. Every phone call was on constant replay in my head. It felt as if I were banging my head against a wall. But I knew we were doing the right thing.

Prepare for many merchant questions

One of the biggest roadblocks on our initial compliance path was merchant confusion. Many merchants didn't read the initial PCI communications and called FirstMerit for clarification. I didn't expect so many merchant questions. I soon learned to instruct my staff to transfer merchant phone calls regarding our PCI compliance program to our vendor, SecurityMetrics. I also made sure the company clearly introduced its role as a third-party vendor in various forms of merchant communication.

Don't give up

Be ready for a test of your determination. It will be tested during client calls, in the sales process and during internal debates. It will be tested to see if your policy, belief system or commitment is the same as it was originally. Your program will be challenged to see if you believe in what you are doing. My SecurityMetrics account manager reminded me that excessive communication was a good thing. If merchants were asking questions, they were learning about the importance of security, and the more likely they were to engage and complete PCI compliance.

Every day I explained the standards, clarified the role of our vendor and illuminated the ways sensitive data must be protected. I listened while merchants explained their data practices, and I cringed at the irresponsible things they did with sensitive data. Three years into the program, despite all the elbow grease applied, we were stuck at 50 percent compliance.

Stick to your guns

It was at this juncture we easily could have bowed out. We could have yielded at the slightest client pushback like many others in the payments space. This is not who we are or who I am. Why would we go backward? We had maintained 98 percent enrollment/engagement, but our stagnant compliance number gave me the opportunity to re-strategize. Staffing adjustments were made, internal resources were reallocated, and SecurityMetrics changed its communication efforts.

We understood it was wrong to hold merchants responsible for security mistakes they didn't understand, so it was decided we would charge a non-compliance fee only after diligent communications were performed. We then began the communications, calls, statement messages and emails informing merchants that October 2010 was the date we required compliance or a fee per merchant ID would be assessed.

Don't worry about attrition

In the first year of our compliance efforts there was a negligible amount of attrition, and since then an insignificant number of merchants have left because of PCI compliance. I can attribute the lack of attrition to a few reasons: the teamwork of both our vendor and bank employees, and a heightened awareness of large-scale data breaches. Attrition is part of the nature of the payment space, but I can certainly attest that PCI was not a motivating factor for our merchants.