Friday , March 29, 2024

Adding value to acquiring bank portfolios with managed PCI compliance and Security Services

 Sysnet CEO, Gabriel Moynagh, explains how replacing revenue from PCI DSS penalties for non-compliance with a managed service offering is the opportunity acquirers have been waiting for in improving customer relationships and boosting merchant security.

The worldwide Payment Card Industry Data Security Standard (PCI DSS) was set up to help businesses process card payments securely and reduce fraud. This is achieved through enforcing tight controls surrounding the storage, transmission and processing of cardholder data that businesses handle.

Merchants who fail to comply with the standard are exposed to non-compliance fines and may even face having the relationship with their acquirer terminated, leaving them unable to accept card payments.

Acquiring banks are obliged to take a tough stance on PCI DSS compliance. Fraudsters target weak links in the payment chain to steal payment data (card numbers and card security codes) and customers’ personal information – such as names, addresses, phone numbers, email addresses, dates of birth – for the purpose of committing fraud.

Fines associated with non-compliance following a data compromise can reach hundreds of thousands of pounds and many non-compliant merchants have ceased trading because the fines could not be accommodated. Reputational damage is also a consideration if you are compromised and lose card data. The PCI Security Standards Council refers to surveys suggesting that 60% of small and medium businesses closed within six months of a payment data breach.

While penalties for PCI DSS non-compliance are on a more modest scale, they are a not-inconsiderable source of revenue for acquirers. This is not a sustainable revenue stream in the long term, but there is an alternative that enables them to replace non-compliance fees with a solution that helps merchants secure their transactions for a fixed fee.

Barriers to compliance

 We know that merchants want to comply with PCI DSS and recognise its value in terms of increasing customer confidence in the security of their transactions. However, they face a number of challenges, most notably:

  • Most merchants are small businesses and extremely time poor – they understand the importance of cybersecurity but it gets pushed down the list of priorities by the day-to-day tasks necessary to keep the business running
  • The compliance process is technical and the vast majority of merchants don’t have in-house IT staff or technical skills

By offering a managed service for PCI DSS compliance, acquirers can give merchants access to a service that comes at a predictable cost and addresses all aspects of the business’s security, from firewalls to anti-virus protection.

There are many companies offering security products for SMBs but not the management of those tools – merchants need a managed security service at an affordable price. In most cases, the merchant will actually pay less for such solutions than they would for non-compliance fees.

This is an important consideration for small businesses, who can face large bills just for purchasing a web application firewall. Because we work with acquirers who have half a million or more merchants, we can leverage that huge buying power to offer them a range of security products within a managed solution at a much lower price than if they went directly to the providers of these products as an individual business. SMBs want to be compliant but often feel overwhelmed by the process.

Because these businesses don’t always know what they need, we have built a profile of the risks faced by merchants, the most appropriate tools to address those threats and how they can be deployed. Very few small merchants have an IT manager to advise them on their cybersecurity needs – so we do that for them.

How the managed service works

In early 2017, Elavon made the decision to migrate its entire PCI Level 4 merchant base to Sysnet.air. Our cybersecurity and compliance management solution is designed to simplify security and compliance for SMBs by profiling the business and personalising service offerings that meet the specific requirements of that business. It helps to reduce risk for acquiring banks by identifying risk within the merchant portfolio and then assisting merchants to mitigate that risk.

Elavon recognised that while extremely important, compliance with PCI DSS can be time-consuming and challenging for many smaller businesses.

Elavon wanted to offer more value to its customers, giving them more choice when it came to PCI DSS compliance and cyber security. Its smaller customers in particular needed the option of a managed service with security tools that are easy to purchase and deploy. Elavon was attracted to Sysnet because we are focused on helping businesses get secure and, by default, compliant.

This was a considerable undertaking – in the course of a six-month timeframe from March to August 2017 we migrated 600,000 Elavon customers, a complex exercise that involved large volumes of data, multiple jurisdictions and multiple languages.

As a result, Elavon’s customers now have the option of completing their compliance on a self-serve basis or opting for Elavon’s PCI Plus service in North America or Secured Pro in Europe, whereby our agents manage data security and compliance on their behalf.

Although Elavon had confidence in our ability to better serve its customers, migrating such a large and complex portfolio in such a short time-frame was a considerable challenge. However, the migration went extremely smoothly – our team hit every milestone and successfully completed the project ahead of Elavon’s projected schedule.

Improved customer insight

 As well as generating revenue from security tools that enhance its customers’ cybersecurity, Elavon is also gaining a greater understanding of where risk lies within its customer base, enabling it to take steps to address that risk.

EVO Payments International also uses Sysnet.air to help its 430,000+ customers to ensure compliance with PCI DSS on a white label basis, while Worldpay came to us for support for its SaferPayments programme for PCI DSS.

Worldpay has found that many of its customers have developed relationships with individual members of our SaferPayments programme team, seeking them out when they are completing their compliance reporting.

One customer using several different channels for accepting card payments reported that the team’s assistance with tasks such as checking the browsers being used and updating certain systems across the organisation helped him confirm that his systems were set up correctly. This helped the customer to reinforce his company’s security protocols and, as a result, a reminder was sent around to all staff members on their responsibilities for keeping the business network secure.

The industry hasn’t done enough to help small business merchants with their security issues. In the past, security solutions have focused on a portfolio subset such as ecommerce rather than providing a holistic solution.

As a result, many merchants are paying non-compliance fees rather than addressing shortcomings in their security protocols. We believe that offering a managed service represents a unique opportunity for acquirers to retain key relationships with merchants, while helping them keep customers and build loyalty. It is the shared responsibility of the industry to ensure compliance can be met, affordably and without leaving chinks in the armoury of businesses, no matter their size.

Find out how we helped Elavon to simplify PCI compliance and deliver improved data security with Sysnet.air.

To read more about our work streamlining PCI DSS programs with EVO Payments International, click here.

Discover how we helped Worldpay ensure its portfolio of SMBs are aware of the obligations and easily capable of meeting their PCI DSS compliance requirements, here.
