Page 48 - GS131001
Education (continued)

Seven tips for a successful mass PCI compliance program: Part 3

By Michelle Thompson
FirstMerit Bank NA

In the previous articles in this series about developing a successful Payment Card Industry (PCI) Data Security Standard (DSS) compliance program for your portfolio, I discussed the importance of goal setting, finding a partner that fits and constant merchant communications.

The final article in this series contains guidelines for program maintenance, including my thoughts on PCI fees, compliance renewals and never giving up.

Tip 5: Straightforward fees

It's difficult to see the line between leading and pushing your merchants to embrace your PCI program. I knew busy business owners would not address data security if faced with choosing between managing their businesses and doing what the bank requested. So, FirstMerit decided to begin imposing a financial penalty on noncompliant merchants in October 2010. The objective was to persuade, not punish. I didn't want a fee, but I did want momentum toward compliance.

With just the threat of a noncompliance fee nipping at my merchants' heels, the compliance surge began. We catapulted from 50 percent compliance to 80 percent in just three months. One thing I made sure of was that our fees were structured in a way that made it simple for merchants to understand how the fees were tied to the benefits of PCI compliance, and how they could avoid the fees on their next bill.

Decide how you really feel about fees

Though I felt, and still feel, that noncompliance fees are dirty, as I increased noncompliance fees, more merchants were persuaded to come into compliance.

FirstMerit truly didn't want the income garnered from noncompliance fees and much preferred compliance. It was with this mentality that we won countless merchants' business. In our experience, merchants' initial question when searching for an acquiring partner was, "What are you doing with PCI compliance?"

They realized many of our peers had PCI programs, but didn't actively help clients with PCI or even enforce security. Because of our excellent educational PCI program, FirstMerit became the merchant "go to" source for guidance on PCI.

Merchants want help with PCI, and their current providers often don't assist them. I cannot possibly summarize the number of client-prospect meetings I have attended where information technology managers or business owners explained how they handled card data and asked for help. Because we have taken the time to sit down with clients to hear what their concerns are and bring in our expert partners, we have acquired 99 percent of this prospect business.

Tip 6: Diligent program maintenance

I knew from the beginning that PCI would require ongoing vigilance to keep our program running smoothly, even after initial planning. Because adherence to PCI standards must be validated annually and monitored to defend against new security threats, it takes effort to ensure our merchants will stay on course year after year.

Manage yearly renewals

Of all the major concerns surrounding our program, renewals made the top of my list. It was crucial to me that PCI compliance validation be repeated annually because many variables in the merchant environment can affect a pass or fail mark.

Our PCI vendor sent reminders about quarterly vulnerability scans and alerted merchants when scans failed. Alerts were also sent 30 to 60 days before yearly PCI service agreements expired.

Accurate admin tools

Because compliance goals were so important to me, I needed a way to monitor progress and determine where we fell short. Our vendor provided an online console that included detailed real-time information on overall campaign performance, including bar graphs and pie charts that showed (among other things) full compliance histories, how many merchants' contact information was verified, total accounts contacted via email and total merchant PCI engagement.

I logged into the online dashboard and analyzed my merchants' progress at least four to five times a week. When I wasn't satisfied with our progress, I brought it up in regular phone calls with my vendor's account manager.

Keeping updated

Our vendor also promised to keep FirstMerit updated on our merchants' PCI participation and compliance status through weekly and monthly feeds, as long as we informed the vendor each time our portfolio changed (new merchants, cancelled accounts, changed merchant IDs, for example).

Compliance renewals can be a challenge. It is common for merchants to integrate different solutions into their