It's a delicate balancing act for independent sales organizations (ISOs) to drive revenue, save money on operations, and minimize portfolio attrition. Traditional wisdom in most Payment Card Industry Data Security Standard (PCI DSS) compliance programs holds that the more an ISO invests in portfolio security, the more its revenue stream shrinks.
Fortunately for ISOs, revenue strategies have changed, and, contrary to popular belief, it's possible to maintain a sustainable revenue stream without skimping on merchant security.
For starters, it's time to dispel the myth that earning revenue from PCI compliance is the mark of a "bad" ISO. It takes work to build a successful compliance program, and ISOs are well within their rights to provide a valuable service and be compensated for their efforts. That said, a PCI program that provides little value to merchants isn't worth the time or effort to maintain, and ISOs that find themselves in that position should rethink their compliance strategies.
While ISOs that create valuable PCI compliance programs should be compensated for their efforts, that doesn't mean they should try to squeeze every last dollar from their merchant clients. Merchants recognize value, and many are willing to pay for it. The key for ISOs is to employ strategies that maximize merchant value while also creating and supplementing their security-related revenue streams.
While ISOs may be tempted to drive profitability by cutting costs, that's not a long-term solution. There is nothing inherently wrong with cutting costs; in fact, it's almost always a good thing. But in the world of payment security, cutting costs usually means cutting services. As more pressure is placed on driving revenue through compliance channels, some acquirers and ISOs have increased margins by choosing low-cost, low-service PCI programs.
This tactic can add to portfolio risk, not to mention frustrate merchants, possibly to the point of attrition. Many ISOs also overlook the hidden costs of lower-service programs: the lack of merchant support and of automated communication tools means the ISO ends up supplying that work, personnel, and other resources itself. Those costs never appear on the vendor's bill, but ISOs should definitely factor them into the company's bottom line.
In addition, a low-service program may help ISOs meet this year's financial goals and keep bosses temporarily happy, but what happens the following year when an even higher revenue target is set? Low-service compliance programs provide a short-term revenue bump, but they aren't sustainable. Once all the value-adding services have been slashed and compliance costs have been driven into the floor, the only remaining way to increase revenue is to charge merchants more for a sub-par product.
Instead of cutting costs, consider driving revenue by offering additional security tools. A symbiotic relationship between security and revenue may sound too good to be true, but it isn't. Revenue-generating PCI compliance programs can be much more than Self-Assessment Questionnaires (SAQs), vulnerability scans and noncompliance fees. The future of driving revenue from PCI lies in enhancing merchant value through add-on security measures.
The recent trend toward liability reduction tools offers ISOs a great way to sell add-on services to their merchants. For example, liability reduction products that give merchants access to breach insurance, data discovery tools and similar features help merchants minimize their risk. Processors are finding that merchants don't need much convincing: they are willing to pay for these services even without a mandate from their ISO. That means ISOs and acquirers are missing the boat if they don't leverage additional PCI compliance tools to increase revenue while providing merchants with the security tools they already want.
The practice of charging noncompliance fees that penalize merchants for not following PCI standards has become an accepted norm throughout the industry. The revenue from these fees offsets the additional risk that noncompliant merchants add to ISOs' portfolios, while giving merchants an incentive to validate their compliance. However, because most merchants validate compliance through self-assessment, many attest to being compliant when they are not, which obviously does little to reduce portfolio risk.
One of the most common causes of this gap is merchants storing unencrypted cardholder data. First-time scans with data discovery tools routinely uncover unencrypted payment card data on merchant systems, even when the merchants believe they are compliant.
The potential for "compliant" merchants to actually be noncompliant is very real and has serious implications for both portfolio security and noncompliance fee revenue. By deploying data discovery tools and requiring merchants to pass these scans before accepting their self-assessment, ISOs can verify that stored cardholder data is actually protected, rather than taking the merchant's word for it.
Again, it's important to remember that it's not all about hammering a portfolio with fees. ISOs shouldn't simply be creating more hurdles for merchants to jump over; they should be giving their portfolios a real chance to become compliant by creating a simple path for merchants to reach and maintain compliance. And once ISOs offer a seamless compliance experience, they won't feel bad about penalizing the merchants that still put them at risk.
Regardless of what some may believe, payment security is a top priority for many merchants. Countless merchants genuinely try to operate in accordance with the PCI standards but lack access to the security tools needed to fully comply. With few resources to point them in the right direction, this problem presents the perfect opportunity for ISOs to strengthen their merchant relationships and grow their businesses.
Many vendors offer tools that tackle some of the most difficult and frequently overlooked requirements of PCI DSS: internal vulnerability scanning, log monitoring and rogue wireless detection, to name a few. Those vendors often give ISOs direct access to these tools through reseller agreements. Such partnerships create winning relationships for everyone involved: a new sales channel for the vendor, an additional revenue stream for the ISO and, ultimately, a way for merchants to maintain PCI compliance and minimize their business risk.
Merchants deserve the opportunity to protect themselves. They are the VIPs of any ISO organization, because if they're in business, the ISO is in business. Merchants will differentiate between organizations that provide supplementary compliance tools and those that offer PCI programs that cut corners.
And remember: while ISOs and acquirers can find success by creating opportunities that pair enhanced security with new ways to generate revenue, everything ultimately comes back to adding merchant value, increasing security and strengthening merchant relationships.
Chris Taylor is the channel marketing manager of Orem, Utah-based SecurityMetrics.