Sterling Payment Technologies Inc. in November launched a merchant-security compliance program with the goal of ensuring Sterling’s merchants meet the criteria established by the Payment Card Industry Security Standards Council.
Within four months, Sterling enrolled 68% of its merchant clients in the program and increased their compliance with the Payment Card Industry Data Security Standard to 66%. Sterling did not reveal how many of its merchants had attained compliance prior to the start of the program.
The secret? There is no secret, says John Miglino, executive director of marketing at Tampa, Fla.-based Sterling, which does not release the number of merchants in its portfolio. The program combines education, easy-to-use tools and repetition, he says.
Sterling is using Orem, Utah-based SecurityMetrics Inc. to run the program, provide PCI expertise, and distribute related questionnaires and testing services.
“We interviewed a number of companies,” Miglino tells ISO&Agent Weekly. “We had a range of criteria, including the ability to work with a variety of merchants, price and track record.”
Pricing was a factor, but Sterling wanted assurances the vendor could work with the variety of merchants in the ISO’s portfolio, he says.
Miglino tried completing a self-assessment questionnaire himself to get a feel for what the task might be like for merchants. “We asked which vendor had the capability to help merchants understand the [self-assessment questionnaire] questions and found SecurityMetrics was unique in having a call center that could provide detailed answers to merchant questions,” he says.
Before the compliance effort went into effect, Sterling used messages in merchants’ monthly statements informing them about PCI and risk. Sterling also created a special section in its secure website for merchants with documents, videos and links to the PCI Security Standards Council, MasterCard Worldwide and Visa Inc. websites.
As the compliance program started, Sterling activated a group of dedicated customer-service representatives that handled inbound calls—made via a special toll-free number—from the ISO’s merchants.
“Once the merchant began the process, we set [the merchants] up with an account so they could log on to the SecurityMetrics website and complete the self-assessment questionnaire,” Miglino says.
Merchants also may talk to a SecurityMetrics representative to ask questions about the self-assessment questionnaires and network scans.
SecurityMetrics also helps Sterling track a merchant’s compliance status and sends the merchant faxes to prompt action or make follow-up phone calls, Miglino says. Sterling receives daily updates on the program.
The compliance program also targets new Sterling merchants. Sales agents talk about payment card security during the sales process, Miglino says.
Once the ISO approves a merchant, the ISO sends the client a welcome kit that contains information about compliance and the merchant’s responsibility to protect cardholder data.
Not A Money Maker
The program’s primary goal is to ensure compliance and not to serve as a “money maker,” Miglino says. Merchants pay only for the security-related services they need. A merchant using only a dial-up point-of-sale terminal, for example, may need to complete nothing more than a self-assessment questionnaire and would pay a fee just for that service.
Sterling has avoided adding a profit margin to the security services, Miglino says.
“Everyone is aware of the economy and the sensitivity merchants have to cost,” he says.
Ideally, the program could help all of Sterling’s merchants become compliant with the data-security standards.
“The card brands want us to get there,” Miglino says. “Will there be some merchant that just won’t do it? Possibly. We’ll have to make a decision about what that means.”
So far, the compliance program has worked to Sterling’s satisfaction, he says. Miglino credits a staggered approach as part of that success. Sterling did not attempt to enroll all of its merchants at once; instead, it divided them into groups of manageable size and enrolled each group at a different stage, he says.
“We realized there would be phone calls, and we didn’t want to degrade the normal service by having customer service reps immersed in PCI issues,” he says. “We never exceeded our capacity by doing it that way.”