Top 10 Things Your Merchants Should Know about PCI Presenters: Chris Bucolo – Senior Business Development Manager, ControlScan Stephanie Sperry – Senior Marketing Manager, Merchant Warehouse

Upload: britton-lee

Post on 25-Dec-2015


TRANSCRIPT

Page 1

Top 10 Things Your Merchants Should Know about PCI

Presenters: Chris Bucolo – Senior Business Development Manager, ControlScan; Stephanie Sperry – Senior Marketing Manager, Merchant Warehouse

Page 2

About Merchant Warehouse

• Established in 1998
• Over 80,000 active merchants
• 170+ employees
• Award winning:
  – Three-time recipient of the Boston Business Journal Pacesetter Award
  – 100 Best’s 2010 Merchant Account Provider of the Year
  – 2009 ETA ISO of the Year

Page 3

About ControlScan

• Established in 2005
• Specialize in Payment Card Industry (PCI) Compliance
• Exclusive focus on all Level 4 merchants
• Comprehensive PCI 1-2-3 program drives high merchant compliance rates
• An Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA)
• Active partnerships with banks, ISOs and processors

Page 4

Talking Points

• The Level 4 merchant profile and unique challenges
• Common myths & stumbling blocks
• Merchant best practices
• Agent best practices & merchant retention
• Top 10 things your merchants should know about PCI

Page 5

Level 4 Merchant

• Profile
  – We have seen 2 distinct categories: mom and pop merchants with little or no IT/security knowledge (i.e. micro-merchants), and larger Level 4 merchants with technical support staff or an IT services partner.

• Unique Challenges
  – Cannot use a one-size-fits-all approach to addressing PCI compliance and security with merchants.
  – Because there are not a lot of “small” breaches reported in the media, many Level 4 merchants still believe they are not a target and it will not happen to them.
  – Merchants with dial terminals often feel they need not be concerned because they do not have an IP-facing device that can easily be hacked into.

Page 6

Key Findings: Fraudsters Like Low Hanging Fruit These Days

The number of breached records is way down, but the number of breach events is way up. This is bad news for Level 4 merchants: attackers are trading a few large targets for many small ones.

Source: Verizon 2011 Data Breach Investigations Report

Page 7

Key Findings: Industry Breakdown

It is important to continue stressing the need for more vigilance in the Hospitality sector. Restaurants and hotels continue to be a major source of attack.

Source: Verizon 2011 Data Breach Investigations Report

Page 8

Common PCI Myths

• Myth #1: PCI does not apply to me, since I only accept a few cards.

– Reality: PCI compliance is required for any merchant that accepts payment cards, even if the quantity is just one.

• Myth #2: I’m using tokenization technology so I’m exempt from PCI.

– Reality: While tokenization technology may help reduce risk and potentially the effort to comply with PCI, it does not exempt a merchant from being PCI compliant.

• Myth #3: I’m using a PA-DSS validated payment application, therefore I’m PCI compliant.

– Reality: Using a validated payment application helps facilitate PCI compliance, but does not by itself make the merchant compliant; the rest of the environment (network, passwords, policies, storage practices) is still in scope.

Page 9

Common PCI Myths

• Myth #4: We outsource card processing, so we don’t need to comply with PCI.

– Reality: The merchant remains accountable and is still required to ensure that any third-party processor is also PCI compliant. Physical and information security policies still apply.

• Myth #5: I’m a mom and pop store, so hackers won’t attack me.

– Reality: According to Visa, over 85% of compromised events occur within the small merchant space (Level 4).

• Myth #6: I completed my PCI validation, so I can’t get breached.

– Reality: While achieving PCI compliance is a critical step in reducing the likelihood of suffering a breach, it is only a periodic measurement and not a guarantee. Constant vigilance is vital!

Page 10

Common PCI Myths

• Myth #7: I already pay a PCI fee, so I’m compliant.

– Reality: Paying a PCI fee or enrolling in a program does not make the business PCI compliant or validate compliance.

• Myth #8: I don’t use a POS system, so I don’t need to be PCI compliant.

– Reality: PCI compliance is not limited to POS systems. Any business that stores, processes or transmits credit card data must validate compliance. The compliance process for merchants using terminals is not intrusive.

Page 11

Merchant Stumbling Blocks

• How do I figure out what type of system or application I have?
• What does it mean to mask the PAN?
• Who is a service provider or third-party service provider?
• My machine already truncates card numbers.
• What is meant by “Sensitive Authentication Data”?
• How do I know if I am electronically storing cardholder data?
• I don’t need policies because I am a small business.
• I don’t have enough resources to comply with PCI.
• I don’t have technical expertise; how do I answer these questions?

Page 12

Merchant Best Practices

• Buy and use only approved PIN entry devices at your point-of-sale
• Buy and use only PA-DSS validated payment software at your POS or website shopping cart
• Do not store any sensitive cardholder data in your computers or on paper
• Use a firewall on your network and PCs
• Make sure your wireless router is password-protected and uses encryption (WPA2; WEP no longer satisfies PCI DSS)
• Use strong passwords – be sure to change default passwords on hardware and software
• Regularly check PIN devices and PCs to make sure no one has installed rogue software or “skimming” devices
• Train your employees and establish policies around security and protecting cardholder data
• Follow the PCI standard
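Two of the stumbling blocks on the previous slide (“What does it mean to mask the PAN?” and “How do I know if I am electronically storing cardholder data?”) and the best practice “do not store any sensitive cardholder data” can be answered concretely. The Python script below is an added example written for this page; it is not code from ControlScan, Merchant Warehouse or the PCI SSC. It scans text for full PANs (13–19 digit numbers that pass the Luhn check) and for magnetic-stripe track data, and shows what masking a PAN means. The log format and the sample lines are constructed; the card numbers in them are the publicly documented Visa and American Express test numbers, not real accounts. The masking rule it applies, at most the first six and last four digits visible, is PCI DSS v2/v3 requirement 3.3.

```python
"""Find cardholder data in text and show what masking a PAN means.

Added example for this page; not the deck's, ControlScan's or the PCI SSC's
code. The order-log format and sample lines are constructed.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not adjoining other digits. The Luhn filter below removes most
# false positives (ticket ids, phone numbers, timestamps).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Magnetic-stripe track data. Track 1: "%BPAN^NAME^YYMM...?"  Track 2: ";PAN=YYMM...?"
# Full track data is Sensitive Authentication Data (SAD) and may never be
# stored after authorization, even encrypted.
_TRACK_RE = re.compile(
    r"%B\d{13,19}\^[^^]{2,26}\^\d{4}[^?\n]*\??|;\d{13,19}=\d{4}[^?\n]*\??"
)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: every real PAN passes it (not every passer is a PAN)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: at most first six and last four digits visible
    (PCI DSS v2/v3 req. 3.3). A masked value is not a full PAN, so it is not
    a storage finding; truncation (keeping only the last four) goes further."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN-length number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cardholder_data(text: str) -> list:
    """Return findings for full PANs and track data in `text`.

    Each finding is a dict: 1-based line number, kind ("PAN" or
    "SAD_track_data"), the matched value and, for PANs, the masked form
    that would have been acceptable to keep or display.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in _TRACK_RE.finditer(line):
            findings.append({"line": lineno, "kind": "SAD_track_data", "value": m.group(0)})
        for m in _PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append({"line": lineno, "kind": "PAN", "value": digits,
                                 "masked": mask_pan(digits)})
    return findings


# Constructed sample of an order log a small merchant's POS PC might write.
# Card numbers are the public Visa/Amex *test* numbers, not real accounts.
SAMPLE_LOG = """\
2011-03-02 order 1042 card=4111111111111111 exp=12/15 amt=42.10
2011-03-02 order 1043 card=411111******1111 amt=19.99
2011-03-02 order 1044 card=************1111 amt=7.50
2011-03-03 support ticket ref=1234567890123456 callback 617-555-0100
2011-03-03 swipe debug ;378282246310005=15121011234?
"""

if __name__ == "__main__":
    for finding in find_cardholder_data(SAMPLE_LOG):
        print(finding)
```

Run against the sample, line 1 (a full PAN) and line 5 (track 2 data, which also contains a PAN) are reported; the masked and truncated values on lines 2 and 3 are not, and the 16-digit ticket number on line 4 is dropped because it fails the Luhn check. Note what the script cannot do: CVV2/CVC2 codes and PINs are also Sensitive Authentication Data but are just three or four digits, so they cannot be found by pattern; the only defence there is never writing them down in the first place.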

Page 13

Agent Best Practices

• Tailor the approach by Level 4 segment
  – Micro-merchants require more upfront education around PCI to set context, followed by more tactical education based on where they are in the compliance process
  – Use segmentation strategies based on SAQ types
• Team with micro-merchants to mentor them through the PCI DSS compliance process
  – Offer “hands-on” assistance through multiple touch points or consider outsourcing this effort to make the process easier (e.g., outbound calling, email/direct campaigns, statement messages, FAQs)
• Maintain a healthy skepticism with regard to Self-Assessment Questionnaire responses (e.g., education programs, random audits)

Page 14

Agent Best Practices – Improve Retention

• Educating and mentoring your merchants will help build your relationship with them and in turn improve merchant retention and referrals

• Take the time to educate yourself on the topic and have the resources you need to help your merchants become compliant

Page 15

Top Ten Things your Merchants Should Know

1. PCI is here to stay: card brand focus/legislative momentum.
2. Technology enhancements are bringing increased focus on PCI.
3. Hackers increasingly target small businesses.
4. Most data breaches remain very preventable.
5. Complying with PCI does not cost a lot for the typical Level 4 merchant.
6. Not complying with PCI has the potential to be very expensive.
7. PCI helps create a strong foundation for a data security culture.
8. Data security and privacy protection are huge concerns of customers.
9. Reputational and brand damage are hard to measure if the merchant is breached.
10. Merchant relationships can be strengthened if they understand the value of being PCI compliant.

Page 16

Agent & ISO Program Benefits

• The security of a financially sound ISO
• Generous bonuses and benefits
• Uniquely fair agent contract
• Innovative technology
• In-house/dedicated customer and technical support
• Guaranteed lifetime residuals
• Marketing support
• In-depth sales training
• Online tools and resources

Coming soon – Cost analysis tool and CB App Express!

Page 17

Questions?

For questions regarding this presentation, please contact Chris Bucolo at [email protected]

If you are interested in becoming an independent sales agent for Merchant Warehouse, please contact Doug Small at 617-896-5590 x 2535 or [email protected]

Download Complete Level 4 Merchant Study Report: https://www.controlscan.com/whitepapers/merchant_study_2010.php

Download Complete Level 4 Merchant Study Webinar: https://www.controlscan.com/webcasts/diversity_reigns_pci_compliance_level4_merchant.php