Discover the answers you need as an acquirer to navigate new PCI updates, PCI program questions, and merchant concerns.
Acquirers have many questions surrounding PCI, the new version of PCI v.4.0, and their merchants. Here are the most frequently asked questions and their answers.
Partner with an organization that has proactive PCI advisors. When you partner with SecurityMetrics, you get committed PCI advisors who make outbound calls to merchants to follow up on where they are in the compliance process and to answer any questions they have, in addition to the standard email campaigns that deliver educational materials, reminders, deadlines, and other valuable information.
Merchants need the easiest possible PCI validation process to be successful. SecurityMetrics has refined several tools to be as helpful to merchants as possible, including:
Scanning isn’t the only way for ecommerce merchants to protect their data. Traditional security tools and policies were not designed to detect web skimming or to work in dynamic environments like online retail shopping carts.
One of the biggest challenges with eskimming is that it is undetectable by security tools such as antivirus, vulnerability scans, and file integrity monitoring (FIM). Additionally, the new PCI DSS v4.0 requirement 11.6.1 requires organizations to monitor the JavaScript on payment pages for attacks.
SecurityMetrics Shopping Cart Monitor provides a user-friendly option to detect eskimming that doesn't require a software download or the installation of code on your website, and it also meets the PCI v4.0 requirements for ecommerce security protection.
Shopping Cart Monitor doesn't compromise a website's speed or the customer’s shopping experience and works behind the scenes without interrupting a customer's day-to-day work.
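As an added illustration of the kind of change-detection check the passage describes (this is example code, not SecurityMetrics' Shopping Cart Monitor or any SecurityMetrics code), the script below builds an inventory of the scripts on a payment page as received by a browser and compares a later capture against that baseline, flagging scripts that were added, removed or modified. The two HTML captures and the hostname are constructed for the example.

```python
import hashlib
import re

# Constructed sample captures of a payment page: a baseline taken when the page
# was known-good, and a later capture in which an extra inline script appeared.
# Hostnames and content are invented for this example.
BASELINE_HTML = """<html><head>
<script src="https://cdn.example.test/checkout.js"></script>
<script>window.cfg={lang:"en"};</script>
</head><body><form id="pay"></form></body></html>"""

TAMPERED_HTML = """<html><head>
<script src="https://cdn.example.test/checkout.js"></script>
<script>window.cfg={lang:"en"};</script>
<script>document.forms.pay.addEventListener("submit", function(){});</script>
</head><body><form id="pay"></form></body></html>"""

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
SRC_RE = re.compile(r'src\s*=\s*["\']([^"\']+)["\']', re.I)


def script_inventory(html):
    """Map each script on the page to a SHA-256 of its body.

    External scripts are keyed by their src URL; inline scripts are keyed by
    their order of appearance ("inline#0", "inline#1", ...), so a modified
    inline script shows up as changed rather than as a new entry.
    """
    inventory = {}
    inline_n = 0
    for attrs, body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        if m:
            key = m.group(1)
        else:
            key = "inline#%d" % inline_n
            inline_n += 1
        inventory[key] = hashlib.sha256(body.encode()).hexdigest()
    return inventory


def diff_inventory(baseline, current):
    """Report scripts added, removed or changed relative to the baseline.

    Any non-empty result is the event a payment-page tamper-detection
    control should alert on; the page body itself is not modified.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in baseline.keys() & current.keys()
                     if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}
```

A real deployment would capture the page from a browser context on a schedule and compare the external script bodies as well, since a third-party file can change without the page's own HTML changing.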
This is a complicated subject, but luckily, it is thoroughly explored in our webinar, “PCI v4.0 for Acquirers: What to Expect for You and Your Merchants”, which can be watched here.
PCI program costs vary widely depending on how much work you want to outsource to your selected PCI program partner. Because of this, we recommend you speak with a sales representative to get a better idea of what a PCI program would cost you.
Typically, an implementation plan with SecurityMetrics consists of a kickoff call, signing contracts, and meeting with your risk and compliance teams to establish how everyone will work together. After that, there will be another call to discuss all the nuances that are necessary to know before building your console and setting up your program. This includes addressing what data you collect from merchants, what kind of communication you prefer, and what you want your dedicated PCI advisors to tell your merchants.
Once that is finished, we offer training on our PCI program portal, make sure everyone who needs access has it, and then we get into the nitty-gritty of how to extract the data you need from the portal. We can train your staff who speak to merchants about PCI because we want you to feel educated and well-informed.
Next, we kick off the email campaigns and start reaching out to the merchants to let them know what’s expected of them. We give them concrete deadlines and then schedule weekly calls to make sure that they are on track.
Collecting the correct and needed data can be one of the hardest things for new partners to achieve. New partners can struggle with not knowing their system or how it works, which in turn makes it difficult to pull data. We combat this with extensive training, easy access to professionals who understand your PCI portal and can help with questions, and most importantly, a simplified partner portal that is easy to understand.
Another struggle can be adequately educating merchants. An educated merchant understands their responsibility to be PCI compliant and how to achieve their own compliance. Uneducated merchants, by contrast, will resist becoming PCI compliant and won’t dedicate the necessary time to protecting their business and customer payment information. Merchants need to know what fees are associated with non-compliance and how to avoid those costs.
Finally, first-time partners can struggle with email campaigns. That’s why it’s essential that you get merchant information to us quickly, with an idea of what you’d like them to know, so your email campaign can get on track fast. This will also give them access to SecurityMetrics contact information instead of pointing their questions back at you.
Acquirers often receive part of their revenue from a noncompliance fee, which means there can be mixed feelings about starting a PCI program to get merchants compliant. Yet it’s vital to remember that when merchants aren’t happy, they will leave a PCI program, and this will result in lost revenue as well.
Prioritizing compliance and data security is going to help you retain merchants and generate more consistent revenue. SecurityMetrics also offers additional products that work nicely with PCI standards. Depending on the type of agreement you establish, you may be able to generate commission off these additional products when they are sold to your merchants.
It’s important to pick a PCI program partner that can do more than just PCI compliance. For example, SecurityMetrics conducts audits for different compliance standards, penetration tests, forensics, ASV scans, and more. This means that no matter the situation your merchant encounters, you have a partner who understands all kinds of environments and cybersecurity scenarios.
Ideally, you’d never get to the point of needing to reinvigorate your PCI program. Our goal at SecurityMetrics is to make sure your program stays on track from day one and doesn’t deviate from your compliance goals. However, there are a few things you can do to make this goal more possible, including:
PCI can be a great starting point for merchants to build their overall security. A great way to build off this foundation is to include more products for securing data, including SecurityMetrics Pulse. Pulse provides advanced vulnerability management of internal and external vulnerabilities, XDR endpoint options, and managed threat detection through an award-winning SOC.
Another useful tool for merchants is WIM (web integrity monitoring). This allows SecurityMetrics to view what happens on a merchant’s website when the purchase button is clicked. Through WIM, their website can be monitored, and if changes are made, your merchants will be notified.
An excellent merchant experience is paramount to a successful PCI program, so this is something that is taken seriously at SecurityMetrics. The merchant experience is focused on getting them PCI compliant in a way that doesn’t overwhelm them or cause them to want to give up.
This looks like setting up your merchant in an email campaign that tells them exactly where they need to go, what they need to do, and what is expected of them. We then work to educate them on PCI and their responsibility. When they first log in, they will go through a scoping exercise and will be given an SAQ and a scan (where applicable).
Any additional products that are a part of your PCI program will be delivered to the merchant through their console. Remember, their SAQ is ordered with the easiest questions first, and FastPass removes unnecessary questions, meaning they get the most simplified experience possible.
If they experience technical difficulties or have questions, the SecurityMetrics support team is available 24/7 to help. Once they are compliant, they will be notified that they’ve reached that goal.
As the year goes on and merchants begin forgetting about PCI compliance, they will be regularly notified about upcoming compliance requirements and their annual responsibility to become PCI compliant.