by Paul Prior, SVP Client Engagement
Visa Inc., in a bulletin issued in the middle of last year, outlined enhancements to its PCI DSS Enforcement Plan for merchants and service providers. The plan defined a structure of escalating consequences for entities whose PCI DSS compliance has expired or who have never demonstrated PCI DSS compliance.
The enforcement plan is intended to address gaps in compliance rates, particularly among Level 1 and Level 2 merchants and service providers, and is positioned as:
As part of the enforcement plan Visa, Inc. began noncompliance assessments on 1st January 2015, and fines will be applied for non-compliant or overdue Level 1 and Level 2 merchants and service providers without a remediation plan.
At present, with over 200 days having passed since this date, many non-compliant entities, and those who have not renewed their compliance in 2015, are liable to the fine structures outlined in the PCI DSS Enforcement Plan.
Working with some of the top merchant acquiring companies in the world over the past number of years has given Sysnet a deep insight into how they manage the PCI DSS compliance status and associated reporting requirements.
It is our experience that many acquirers struggle to manage the reporting of the compliance status of these types of entities, and we have identified a number of key areas that are routinely the cause of operational inefficiencies and significant administrative overhead within these organisations.
Gathering and collating data
One of the main issues is gathering and collating data. The data acquirers need to manage the compliance process and fulfil the reporting requirements is often dispersed and decentralised. Every merchant has their own unique set of demographic information, compliance data, historical activity, and validation cycle.
Given the nature of the relationship between the acquirer and these entities, communications and interactions are often funnelled through a single channel, typically represented by an individual account or relationship manager.
This creates communication challenges for the compliance manager. The process is often manual and time-consuming, leads to wasteful work practices, and frequently creates an unacceptable time lag between communication and response. The result is inaccurate and out-of-date reporting.
Difficulties with monitoring
In many cases the compliance manager has no way to monitor whether or not this process is functioning efficiently and a lack of centralised management of communication causes some entities to be harassed while others are not contacted at all!
While the aforementioned issues undoubtedly represent inefficiencies, they are potentially exacerbated in the event of an Account Data Compromise (ADC). Managing the incident response, forensic investigation and reporting processes associated with an ADC creates a whole separate set of manual processes and administration tasks.
In driving higher compliance rates and meeting the requirements of Visa’s enforcement plan, acquirers should be analysing internal business processes that:
- provide a pragmatic approach to merchant compliance management, and in doing so reduce the likelihood of non-compliance assessments;
- increase efficacy in programme execution by facilitating high compliance rates resulting in lower risk exposure;
- reduce the time required for compliance management and administrative tasks and improve transparency, consistency and accuracy of communications and reporting.