How ISOs & Acquirers Can Assess, Educate and Protect Their Merchants
The days of simply sending a newsletter or statement stuffer to a merchant describing the PCI requirements may no longer be sufficient to protect the Acquiring community (Sponsor Banks, Processors and ISOs) from card brand obligations, liability and the impact of state law violations. Approximately 46 states have strict Security Breach Notification Laws and 25 states have Disposal Laws. Some states (Nevada, Massachusetts and Wisconsin) specifically mention the Payment Card Industry Data Security Standard (PCI DSS) and/or Information Security Policies.
Times have changed, risks have evolved and the tools available to the Acquiring community have become more sophisticated – leading to an improved opportunity for merchants to achieve PCI DSS compliance and Acquirers to provide additional business value to merchants.
Statistics illustrate the looming industry threats: the number of breaches from 2009 to 2010 increased by 620, and the 2011 run rate shows the same pattern. The hospitality sector represents 40% of these breaches, followed by retail at 25%.
ControlScan and ThoughtKey’s joint Webinar, titled How ISOs & Acquirers Can Assess, Educate and Protect Their Merchants, illustrates simple techniques for the Acquiring community to risk-prioritize PCI Level 4 Merchant portfolios. The recommended prioritization strategy is to split the portfolio into 4 core buckets:
- PCI Level
- Payment Technology
- Industry Vertical (MCC/SIC Codes)
- POS System Changes
Each bucket serves as a subset of the previous one. Vulnerable terminals, devices and/or applications should immediately become priority 1 upon identification in bucket #2, Payment Technology. These Merchants hold one of the highest levels of risk because the known vulnerabilities leave both their data in transit (transmission) and data at rest (storage) exposed as “low hanging fruit” for criminals. Merchants with Internet connectivity in the hospitality, retail, restaurant and university sectors that have changed their POS systems in the last two years are in line for priority 2. The reason is that they often leave legacy systems active, with few upgrades to patch vulnerabilities and with excessive card data storage, all connected to the Internet. Other industry sectors and SAQ A & B merchants would be priority 3-5 in the risk profiling strategy.
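The bucket logic above, written out as a portfolio triage routine; this is an added example, not ControlScan's or ThoughtKey's code. The vulnerable-technology list, the MCC-to-sector mapping and the sample merchants are constructed placeholders, and the 3-5 band is collapsed to a single value of 3 because the post does not say how to split it further.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholder: an acquirer would populate this from its own tracking of
# terminals and payment applications with published vulnerabilities (bucket #2).
VULNERABLE_PAYMENT_TECH = {"LEGACY-POS-APP-1.x", "TERMINAL-MODEL-X"}

# Assumed MCC mapping for the sectors the post singles out (bucket #3);
# verify against your own MCC reference before relying on it.
HIGH_RISK_MCCS = {
    "5812", "5814",  # eating places / fast food (restaurant sector)
    "7011",          # lodging (hospitality sector)
    "8220",          # colleges and universities
    "5311", "5999",  # department stores / misc. retail (retail sector)
}

POS_CHANGE_WINDOW_MONTHS = 24  # "changed their POS systems in the last two years"


@dataclass
class Merchant:
    mid: str
    pci_level: int
    payment_tech: str
    mcc: str
    saq_type: str                            # "A", "B", "C", "D", ...
    internet_connected: bool
    months_since_pos_change: Optional[int]   # None = no POS change on record


def triage_priority(m: Merchant) -> Optional[int]:
    """Return 1 (highest), 2, or 3 (the post's 3-5 band); None outside Level 4."""
    if m.pci_level != 4:              # bucket #1: the strategy targets Level 4 only
        return None
    if m.payment_tech in VULNERABLE_PAYMENT_TECH:   # bucket #2: known-vulnerable tech
        return 1
    recent_pos_change = (m.months_since_pos_change is not None
                         and m.months_since_pos_change <= POS_CHANGE_WINDOW_MONTHS)
    if m.internet_connected and m.mcc in HIGH_RISK_MCCS and recent_pos_change:
        return 2                      # buckets #3 and #4: high-risk sector + recent change
    return 3                          # everything else, incl. SAQ A & B merchants


def triage_portfolio(merchants: List[Merchant]) -> List[Tuple[int, str]]:
    """Rank Level 4 merchants by priority so outreach starts at the top."""
    ranked = [(triage_priority(m), m.mid) for m in merchants]
    return sorted((p, mid) for p, mid in ranked if p is not None)


# Constructed sample portfolio (not real merchants).
SAMPLE_PORTFOLIO = [
    Merchant("M1", 4, "TERMINAL-MODEL-X", "5411", "D", True, 6),
    Merchant("M2", 4, "MODERN-POS", "5812", "C", True, 18),
    Merchant("M3", 4, "MODERN-POS", "5812", "C", False, 18),
    Merchant("M4", 4, "MODERN-POS", "5411", "B", False, None),
    Merchant("M5", 1, "MODERN-POS", "7011", "D", True, 3),
]
```

Running `triage_portfolio(SAMPLE_PORTFOLIO)` puts the merchant on known-vulnerable hardware first, the Internet-connected restaurant with a recent POS change second, and the remaining Level 4 merchants in the 3-5 band; the Level 1 merchant is excluded.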
Risk profiling is only one step in a PCI Portfolio Strategy. Step 2 is to establish a comprehensive and ongoing PCI education program. Make this a part of the merchant lifecycle (from sales evaluation to termination).
Step 3 is to ensure a PCI expert is designated to build communication, implement the plan and guide merchants. Accuracy of the communication to merchants is vital to both card brand liability and civil liability (for recklessness and/or negligence).
Step 4 is to automate tracking of the PCI status for all merchants. Managing this manually can create its own obstacles and problems. ControlScan has an automated portal and communication methodology to help you track your merchant PCI status. Automated tracking is beneficial both to the Acquirer as well as the merchant. The merchant will have access to view their status, request additional guidance, use the education prompts within the portal and build the required policy and procedures.
The final step is to have a documented plan on how to address non-compliant merchants.
The goal is to shift the perception of PCI as a “burden” and present a program that allows PCI to be viewed as a business value-add to merchants. This perception can become reality with the proper education and tools being implemented by the Acquiring community throughout the merchant lifecycle.
To view the Webinar replay and learn more about risk prioritization and the development of an effective PCI program, click here.
About Susan Matt
Susan Matt is the founder of ThoughtKey, Inc., a consulting firm focused on data security and corporate risk management in the payments industry. She has over 20 years in international audit, litigation review and regulatory risk management, and extensive experience working with a variety of clients on payment data security. She is a sought-after payments industry speaker, blogger and legal expert.