Sales & Product Training


Top 10 Things Your Merchants Should Know about PCI
Presenters:
Chris Bucolo – Senior Business Development Manager, ControlScan
Stephanie Sperry – Senior Marketing Manager, Merchant Warehouse
About Merchant Warehouse
• Established in 1998
• Over 80,000 active merchants
• 170+ employees
• Award winning:
  – Three-time recipient of the Boston Business Journal Pacesetter Award
  – 100 Best’s 2010 Merchant Account Provider of the Year
  – 2009 ETA ISO of the Year
About ControlScan
• Established in 2005
• Specialize in Payment Card Industry (PCI) compliance
• Exclusive focus on all Level 4 merchants
• Comprehensive PCI 1-2-3 program drives high merchant compliance rates
• An Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA)
• Active partnerships with banks, ISOs and processors
Talking Points
• The Level 4 merchant profile and unique challenges
• Common myths & stumbling blocks
• Merchant best practices
• Agent best practices & merchant retention
• Top 10 things your merchants should know about PCI
Level 4 Merchant
• Profile
– We have seen two distinct categories: mom-and-pop merchants with little or no IT/security knowledge (i.e. micro-merchants), and larger Level 4 merchants with technical support staff or an IT services partner.
• Unique Challenges
– A one-size-fits-all approach to PCI compliance and security does not work across these two groups.
– Because few “small” breaches are reported in the media, many Level 4 merchants still believe they are not a target and that a breach will not happen to them.
– Merchants with dial-up terminals often assume they have nothing to worry about because they have no Internet-facing (IP) device that can be attacked remotely. A dial terminal still handles cardholder data and can be tampered with or swapped for a skimming device, so it is still in scope.
Key Findings: Fraudsters Like Low-Hanging Fruit These Days
The number of breached records is way down, but the number of breach events is way up. This is bad news for Level 4 merchants.
Source: Verizon 2011 Data Breach Investigations Report
Key Findings: Industry Breakdown
It is important to continue stressing the need for more vigilance in the
Hospitality sector. Restaurants and hotels continue to be a major source of
attack.
Source: Verizon 2011 Data Breach Investigations Report
Common PCI Myths
• Myth #1: PCI does not apply to me, since I only accept a few cards.
  – Reality: PCI compliance is required for any merchant that accepts payment cards, even if the volume is a single transaction.
• Myth #2: I’m using tokenization technology, so I’m exempt from PCI.
  – Reality: Tokenization may reduce risk and potentially the effort to comply with PCI, because systems that only ever see tokens can be taken out of scope. It does not exempt a merchant from PCI compliance; the systems that handle the card before it is tokenized remain in scope.
• Myth #3: I’m using a compliant payment application, therefore I’m PCI compliant.
  – Reality: Using a PA-DSS validated payment application helps with PCI compliance, but it does not make you compliant by itself. The application must be installed and configured as its implementation guide specifies, and the rest of the environment (network, passwords, policies) is still assessed.
Common PCI Myths
• Myth #4: We outsource card processing, so we don’t need to comply with PCI.
  – Reality: The merchant remains accountable and is still required to ensure that any third-party processor is also PCI compliant. Physical and information security policies still apply to the merchant’s own environment.
• Myth #5: I’m a mom-and-pop store, so hackers won’t attack me.
  – Reality: According to Visa, over 85% of compromise events occur in the small merchant space (Level 4).
• Myth #6: I completed my PCI validation, so I can’t get breached.
  – Reality: Achieving PCI compliance is a critical step in reducing the likelihood of a breach, but validation is a point-in-time measurement, not a guarantee. Constant vigilance is vital!
Common PCI Myths
• Myth #7: I already pay a PCI fee, so I’m compliant.
  – Reality: Paying a PCI fee or enrolling in a program does not make the business PCI compliant and does not validate compliance.
• Myth #8: I don’t use a POS system, so I don’t need to be PCI compliant.
  – Reality: PCI compliance is not limited to POS systems. Any business that stores, processes or transmits cardholder data must validate compliance. For merchants that use only terminals, the validation process is not intrusive.
Merchant Stumbling Blocks
• How do I figure out what type of system or application I have?
• What does it mean to mask the PAN?
• Who is a service provider or third-party service provider?
• My machine already truncates card numbers.
• What is meant by “Sensitive Authentication Data”?
• How do I know if I am electronically storing cardholder data?
• I don’t need policies because I am a small business.
• I don’t have enough resources to comply with PCI.
• I don’t have technical expertise; how do I answer these questions?
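Three of the stumbling blocks above (masking the PAN, “my machine already truncates”, and “am I electronically storing cardholder data?”) come down to one distinction a practitioner needs to make clear to a merchant: masking hides digits on a receipt or screen while the full PAN still exists somewhere, truncation discards digits so the stored value is useless for making a charge, and the storage question is answered by searching the files the POS or shopping cart actually writes. The following Python is an added example, not ControlScan or Merchant Warehouse code: the function names are hypothetical, the log lines are constructed for the demonstration, and the first-six/last-four display limit is PCI DSS requirement 3.3.

```python
import re

# Added example (not ControlScan or Merchant Warehouse code). Function names
# are hypothetical; the masking limits follow PCI DSS requirement 3.3
# (display at most the first six and last four digits of a PAN).


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: real card numbers pass, random digit runs usually fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display (receipts, screens).

    The full PAN still exists behind the mask; this is a display control,
    not a storage control. PCI DSS 3.3 allows at most first six / last four.
    """
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS 3.3 allows at most first six and last four digits")
    digits = re.sub(r"\D", "", pan)
    hidden = len(digits) - keep_first - keep_last
    if hidden < 1:
        raise ValueError("PAN too short to mask")
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def truncate_pan(pan: str) -> str:
    """Truncate a PAN for storage: the discarded digits are gone, not hidden.

    Keeping only the last four is one of the PCI DSS 3.4 options for
    rendering a stored PAN unreadable; the result cannot be used to charge.
    """
    digits = re.sub(r"\D", "", pan)
    return digits[-4:]


# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return Luhn-valid PAN candidates found in free text (logs, exports, spreadsheets).

    This is the kind of check that answers "am I electronically storing
    cardholder data?": run it over the files the POS or shopping cart writes.
    """
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed sample log lines (not from any real system). The first line
# stores a full PAN, the second is an order id that merely looks like one
# (it fails the Luhn check), the third was written by code that already masks.
SAMPLE_LOG = """\
2011-03-02 10:15:01 POS sale approved card=4111 1111 1111 1111 amt=42.10
2011-03-02 10:15:07 order id 1234567890123456 shipped
2011-03-02 10:16:22 refund card=411111******1111 amt=42.10
"""

if __name__ == "__main__":
    print(mask_pan("4111111111111111"))      # 411111******1111
    print(truncate_pan("4111111111111111"))  # 1111
    print(find_pans(SAMPLE_LOG))             # ['4111111111111111']
```

The Luhn filter is what keeps a scan like this usable on real data: dates, order numbers and phone numbers produce long digit runs, and without it a merchant would dismiss the report as noise. A hit from find_pans means the merchant is storing cardholder data electronically, whatever the terminal vendor told them about truncation.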
Merchant Best Practices
• Buy and use only PCI PTS-approved PIN entry devices at your point of sale (the PCI Security Standards Council publishes the approved list)
• Buy and use only PA-DSS validated payment software at your POS or website shopping cart, installed as its implementation guide specifies
• Do not store sensitive authentication data (full magnetic stripe contents, card verification codes, PINs) anywhere after authorization, and do not keep full card numbers on computers or on paper unless you genuinely need them
• Use a firewall on your network and on PCs
• Make sure your wireless router is password-protected and uses strong encryption (WPA2; WEP is prohibited under PCI DSS and is easily broken)
• Use strong passwords, and change vendor default passwords on hardware and software before putting them into service
• Regularly inspect PIN devices and PCs to make sure no one has installed rogue software or “skimming” devices; record device serial numbers so a swapped terminal is noticed
• Train your employees and establish written policies around security and protecting cardholder data
• Follow the PCI DSS standard
Agent Best Practices
• Tailor the approach by Level 4 segment
  – Micro-merchants require more upfront education around PCI to set context, followed by more tactical education based on where they are in the compliance process
  – Use segmentation strategies based on Self-Assessment Questionnaire (SAQ) types
• Team with micro-merchants to mentor them through the PCI DSS compliance process
  – Offer “hands-on” assistance through multiple touch points or consider outsourcing this effort to make the process easier (e.g., outbound calling, email/direct campaigns, statement messages, FAQs)
• Maintain a healthy skepticism with regard to Self-Assessment Questionnaire responses (e.g., education programs, random audits)
Agent Best Practices – Improve Retention
• Educating and mentoring your merchants will help build your relationship with them and in turn improve merchant retention and referrals
• Take the time to educate yourself on the topic and have the resources you need to help your merchants become compliant
Top Ten Things your Merchants Should Know
1. PCI is here to stay: card brand focus and legislative momentum.
2. Technology enhancements are bringing increased focus on PCI.
3. Hackers increasingly target small businesses.
4. Most data breaches remain very preventable.
5. Complying with PCI does not cost a lot for the typical Level 4 merchant.
6. Not complying with PCI has the potential to be very expensive.
7. PCI helps create a strong foundation for a data security culture.
8. Data security and privacy protection are huge concerns of customers.
9. Reputational and brand damage are hard to measure if the merchant is breached.
10. Merchant relationships can be strengthened if they understand the value of being PCI compliant.
Agent & ISO Program Benefits
• The security of a financially sound ISO
• Generous bonuses and benefits
• Uniquely fair agent contract
• Innovative technology
• In-house/dedicated customer and technical support
• Guaranteed lifetime residuals
• Marketing support
• In-depth sales training
• Online tools and resources
• Coming soon – cost analysis tool and CB App Express!
Questions?
For questions regarding this presentation, please contact Chris
Bucolo at [email protected]
If you are interested in becoming an independent sales agent for Merchant Warehouse, please contact Doug Small at 617-896-5590 x 2535 or [email protected]
Download Complete Level 4 Merchant Study Report:
https://www.controlscan.com/whitepapers/merchant_study_2010.php
Download Complete Level 4 Merchant Study Webinar:
https://www.controlscan.com/webcasts/diversity_reigns_pci_compliance_level4_merchant.php