Creating a successful merchant PCI DSS compliance management programme





The Payment Card Industry Data Security Standard (PCI DSS), while undoubtedly benefitting both merchants and payment card holders, places significant demands on the resources of many


Most people involved in risk and compliance within the payments industry recognise these benefits; nevertheless, running a merchant PCI DSS compliance management programme can be a daunting task.


What is success?

A successful compliance programme addresses as much of the merchant portfolio as possible, reduces the risk of payment card data compromise (and associated fraud) and helps merchants protect their customers’ sensitive data – without driving attrition.


However, if an acquirer gets it wrong, a poorly run programme can be quite damaging to their merchant relationships to the point it actually becomes a driver of attrition.


Many acquirers already have active PCI DSS compliance programmes, but how many of them could consider their programme a success? In many cases existing programmes are stagnant, with low engagement rates and even lower compliance rates. So how do you address this lack of momentum?



1. Take responsibility
We would suggest that engagement rates are driven by a number of different factors and that the most appropriate mechanism represents a combined carrot and stick approach. It is vitally important that merchants understand both the value of PCI DSS compliance to their business and their acquirer’s commitment to compliance and to helping them through the process.


Brand loyalty is about perception. It is vital that merchants perceive their acquirer as someone who wants to help them, not just in meeting compliance but also in becoming a stronger-performing business. If merchants feel that their acquirer has passed the buck by handing off responsibility and forcing them to use a particular third-party vendor, they will be less likely to participate.


On the other hand, if the programme looks, feels and sounds like their acquirer, they are more likely to take note, to engage with the programme and complete the process.


It is important that acquirers take responsibility for not only the messages that they are conveying to their merchants but also for the motivation and execution of said programme. This means more than simply charging fees for non-compliance and includes committing to all of the aspects that will support the merchant in improving data security across the entire industry.


2. Communicate appropriately
If you don’t regularly engage with your merchants, reminding them of what they need to do and how, the aforementioned stagnation is almost a foregone conclusion. Persistent communications with consistent messages are fundamental to this engagement.


To be successful, a compliance programme needs to be supported by multiple communication channels including phone support, online chat, mail, email and outbound call campaigns when required.


Online resources, including webinars, videos and whitepapers, also help merchants to help themselves. Making this content available at the right point in the process gives them the confidence to proceed when otherwise they might have given up.


Communicate with your merchants clearly and regularly. This reinforces your message, keeps it fresh and encourages merchants to take action.



3. Make it relevant
All too often merchants are left feeling that their acquirer has made no effort to make the PCI DSS compliance process relevant to their business and has simply left them to figure it out on their own.


Be able to answer “Why?”: “Why do I have to do this? Why is it relevant to my business? Why does PCI DSS even exist?” Better still, explain this to your merchants before they ask the question by making your communication efforts relevant to their own situation.


Despite your best efforts, when a programme of this nature attempts to communicate concepts that are unfamiliar to the merchant or tangential to their business, the core message is too often ignored. Relevance is key.


Many recent examples of data breaches in the payments industry show that no one is safe, least of all those that do not even do the minimum required by the industry itself to safeguard payment card data and systems.


Simplify the process: overly complex software solutions and business processes will deter the merchant. Make it as easy as possible for them to do what they need to do, both for their business and for you as their acquirer.


Help merchants to relate the cost of compliance to the business value, to understand how the level of risk that they are inadvertently exposing their business to is directly proportional to their efforts in respect to data security.


4. Provide support
If merchants don’t understand what is being asked of them, they cannot be expected to complete the process. It is fair to say that most merchants need help with the PCI DSS and very often want it; however, in many cases their acquirers don’t provide a level of assistance that facilitates the compliance journey.


While it is true that most third-party vendors can provide support services, are you really sure that they are working to the same business objectives as your organisation?


Once your programme is truly active, be prepared to deal with significant numbers of queries and questions about both it and the PCI DSS in general.


Oscar Wilde once said, “The only thing worse than being talked about is not being talked about”, and in this context the maxim holds true. If merchants are asking questions, the message is getting through: they are learning about the importance of data security, and as a result they are more likely to engage and complete their compliance assessments.


Dealing efficiently and politely with merchant questions gives the merchant confidence in your knowledge and resolve, and each interaction provides an additional opportunity to educate your merchants and reinforce your relationship with your customers.


Providing multiple support channels not only makes this support more accessible to your customers but also maximises this opportunity.



Once a programme begins to succeed, what then?

Once you get your merchants engaged in your programme, you now have a captive audience that will at the very least interact with you on an annual basis. You need to make sure that you are constantly reinvigorating your programme by refreshing your communications and creating meaningful interactions.


Ensure that you provide your merchants with information, support, and solutions that are relevant to their business sector, solve their specific problems, or enable them to do better business more securely.


While the primary goals of these programmes are typically to help merchants through the PCI DSS compliance process and to meet card scheme compliance reporting requirements, there are also additional benefits to be gained from a well-managed programme.


If successful, a programme like this can be used to strengthen your customer relationships, promote your organisation as a strategic partner and increase brand equity, reducing the risk of attrition.


Sysnet Global Solutions provides payment card industry, cyber security and compliance solutions that help businesses to improve security and acquiring organisations to reduce risk. Specialising in data security and PCI DSS compliance validation solutions, Sysnet offers a range of services, including its award-winning, proprietary cyber security and compliance management solution Sysnet.air™. Our next-generation compliance and security programmes provide a complete managed service that removes all of the compliance and security heavy lifting from small and medium-sized businesses. We would be happy to identify a programme that best suits your business objectives.
