3 Tips to Light a PCI Fire Under Your Merchants

Three psychological levers you can use to get merchants motivated about PCI DSS compliance.

Psychological keys to merchant motivation.

Most merchants and their acquirers are about as excited about Payment Card Industry Data Security Standard (PCI DSS) compliance as they are about getting their car registered at the DMV. Nobody enjoys sitting for (what seems like) hours at the DMV, but the task is necessary to be a responsible vehicle owner. While most small business owners have heard of, or even attempted, PCI DSS compliance, they may not recognize its importance or the security risks that come with noncompliance. In short, they have no motivation to comply.

See also: The Importance of the PCI DSS: Why You Should Get Compliant

Why do merchants lack PCI DSS motivation?

Before we look at how to get your merchants on the PCI compliance fast track, let’s ask why they lack motivation in the first place. Merchants have plenty of reasons not to be PCI DSS compliant, but these appear to be the main ones:

  • It’s a change from what they’re used to: People don’t hate change; they hate the chaos that comes with it. Moving from the way things are to an uncertain future means pain, new technology, fear, additional work, and changing responsibilities.
  • It costs money: For Level 4 (L4) merchants, new security technology can mean a significant expense. Why would they spend more money on something that (they mistakenly believe) will make virtually no difference?
  • They don’t have time: Maintaining data security takes time away from actually selling and interacting with customers. Merchants are busy and push PCI DSS off in favor of “more important tasks.”
  • They don’t understand the PCI requirements: The PCI DSS is highly technical, especially for merchants with no previous technical education. If a merchant doesn’t understand it, they won’t do it.

Three successful ways to motivate merchants

As you dive deeper into why merchants don’t comply, take a step back and remember that your merchants are human. Psychology identifies a handful of basic emotions that motivate human behavior.

Take a look at three emotions that apply to the merchant PCI DSS motivation situation, and how you can use them to get merchants excited about PCI DSS.

See also: 5 Simple Ways to Get PCI Compliant

Safety/pain avoidance

A feeling of true safety only happens when you feel free from emotional or physical harm. For a merchant, safety means knowing their business will turn a profit year after year.

Think about PCI DSS from a merchant’s perspective. If a merchant has had an account with you for 16 years, and all of a sudden you force them into PCI compliance, that doesn’t exactly create a feeling of safety.

Lack of communication promotes uncertainty, and uncertainty breeds fear. Take the time to educate merchants on just how devastating security breaches are and why L4 merchants are targeted by criminals. Share the security benefits of PCI DSS compliance.

Presenting PCI DSS as a security blanket rather than a must-do helps merchants feel that the standard is protecting their business and profits. If you can explain how you’ll minimize the chaos and dial down the intensity of the change from noncompliant to compliant, you’ll have more success convincing merchants to care about the PCI DSS.

For greatest success, over-communicate. Clarify new roles and responsibilities, show them what they are accountable for, and explain any new policies. Send emails, use social media, upload new security information on your website, and host monthly security webinars. Introduce educational PCI videos into new merchant onboarding processes to set the stage for your expectations.

Incentives/rewards

Some human behavior is motivated by a desire for reinforcement or incentives. Understand that not all incentives are created equal: whether the carrot is a prize, money, or recognition, this approach will take some testing to see what your merchants respond to.

Instead of imposing more and more fines (the fear approach), introduce positive reinforcement, for example by reducing annual compliance fees for merchants who are compliant. Each portfolio is different, but with careful thought about merchant motivation you may find innovative ways to motivate your merchants.

Some acquirers successfully layer benefits into a merchant’s overall PCI compliance strategy. For example, you could make compliant merchants eligible for a card data breach protection program that shields them from fines and fees. Breach protection programs can cover a merchant’s costs relating to a card data compromise, up to a financial limit. This creates goodwill and also appeals to the safety/pain avoidance motivation.

Fear of failure/consequences

Nothing makes humans more uncomfortable than fear. We hate missing opportunities, being punished, or not being accepted. I recommend using fear only as a last resort when encouraging merchant compliance.

Sometimes just the threat of a noncompliance fee will jumpstart portfolio compliance, but you’ll always encounter merchants who don’t care or who remain unaware. The good news is that every merchant has a breaking point. For stubborn merchants, you might consider a schedule that raises the noncompliance fee at regular intervals. Eventually, they’ll do what is necessary to stop receiving those fines.

Understand that the fear approach may result in more attrition than the other methods, but it is definitely effective at getting merchants PCI compliant. It also reduces the risk of card data breaches across your portfolio.

See also: How Much Does a Data Breach Cost Your Organization?

Getting your merchants compliant

No two portfolios are the same, so micro-test these theories and suggestions to see what motivates your particular portfolio. Whichever method you choose to motivate your merchants, don’t forget the power of education. If merchants simply understood the value of true data security and the reasons behind the PCI DSS, they might feel differently about spending time implementing it.

It’s time to take an active role in your L4 merchants’ compliance, especially now that their compliance directly affects your relationship with Visa. I am hopeful these changes will finally help small merchants, who might otherwise be unknowingly compromised and suffer life-changing consequences, get on track with data security.
