How to Influence PCI Compliance Program Success

A peek behind the scenes at ControlScan.

July 16, 2018

The 2018 Cost of a Data Breach Study findings are out, and it’s no surprise that the average total cost of a data breach has risen to a new high of $3.86 million. While much of a data breach’s financial burden falls squarely on the breached business’s shoulders, merchant acquirers and payment processors also lose money when a business they serve suffers a payment card data breach.

Merchant service providers implement PCI compliance programs to lessen the likelihood of a data breach happening among the merchants within their portfolios. These programs help raise awareness of, and compliance with, the Payment Card Industry Data Security Standard (PCI DSS).

But compliance is no small task, and applying the PCI DSS principles across a portfolio of tens (or even hundreds) of thousands of merchants can be daunting. That’s why I’m here at ControlScan: It’s my job to ensure our partners achieve measurable PCI compliance program success.

We begin by creating a solid strategy.

PCI compliance program success begins with a business strategy to achieve the partner’s goals. The strategy includes ways to streamline their merchants’ paths to compliance validation as well as methods for increasing compliance rates from a portfolio view.

For example, our “Partner A” has a PCI goal of a 65% portfolio compliance rate. Recently, however, we noticed that their compliance rate had fallen to 62%. While it wasn’t too far off the mark, we didn’t want their compliance rate to continue on a downward trend.

We met with Partner A and developed a strategy to turn that decline around. In this example, we identified that the following three groups presented the best opportunity for a quick, positive result:

  1. Merchants who previously validated PCI compliance, but whose annual SAQ has expired
  2. Merchants who were running PCI vulnerability scans, but let them lapse
  3. Merchants who were required to run a scan, but hadn’t completed the setup

An outreach plan was then built, detailing the timing, type and content of the tactics ControlScan would employ. Partner A reviewed and approved the plan, and we were ready to execute.

Next, we execute on the strategy and measure results.

The Partner A outreach plan was ready to go, so we began by sending an email to each of our three target groups, alerting them to their non-compliance and providing easy action steps. Our Alpharetta, Georgia-based customer support team then called each merchant to reinforce the email and provide additional phone-based assistance as needed. In this case, that was 620 calls in less than 48 hours!

Three weeks after the outreach, we measured the following among our combined target groups:

  • Email open rate (54%)
  • Compliance validation achievement (22%)
  • Scan completions (20%)

We also measured Partner A’s overall portfolio compliance rate, which had risen to 65%. Success!

PCI compliance program success is an ongoing effort.

ControlScan research shows that merchants who let their annual PCI compliance validation lapse increasingly detract from strong portfolio compliance rates. In addition, newly enrolled merchants can lose sight of PCI compliance in the flurry of paperwork.

So, while merchant outreach can be successful in short bursts, an ongoing effort is essential for long-lasting results. If your PCI program’s performance isn’t meeting your goals, a PCI program partnership can provide the expertise and manpower to turn it around.