Customer: Lloyds Bank Cardnet
Challenge: Help smaller businesses to secure their payment card data and eliminate PCI non-compliance fees.
Solution: Sysnet.air, Proactive Data Security solutions
“Our partnership with Sysnet has enabled us to achieve compliance levels that put us well ahead of our competitors.” Matt Martin, Head of the Merchant Payment Security Team at Cardnet
Supporting a proactive approach to PCI compliance
Cardnet is a joint venture between Lloyds Banking Group and First Data, one of the world’s largest card processors, which makes it easy for merchants to accept card transactions online, in person or by phone.
Cardnet has been providing businesses with card payment services since 1997. It handles more than one billion transactions a year across approximately 70,000 card terminals.
The company has taken a proactive approach to payment card data security and compliance for small to medium-sized merchants, making it easier for these businesses to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS) via self-service or managed service options.
Cardnet has used Sysnet technology to support its compliance management programmes since 2010. In July 2017, Cardnet piloted a concierge service called Compliance Plus based on Sysnet’s Proactive Data Security (PDS) technology, initially targeted at those merchants considered at most risk.
The scope of the pilot was extended in December 2017 following positive feedback from users, and after a second positive evaluation in early 2018, the decision was taken to extend the programme to the vast majority of Cardnet customers.
Helping merchants find the right solution
Matt Martin heads up the merchant payment security team at Cardnet, which has responsibility for policing, managing and driving PCI compliance for merchants and also for propagating card scheme advice, changes to the PCI DSS standard and general security notices (such as informing customers of computer viruses).
“We are obviously very mindful of the impact a payment card data breach can have on merchants, so we offer a range of options to help merchants report, attain and manage their PCI DSS compliance, and consequently help ensure their payment card data environments are secure,” he explains.
Merchants have three options to report and manage their PCI DSS compliance with Cardnet. Firstly, they can take responsibility for selecting the appropriate Self-Assessment Questionnaire for their needs and uploading this to the Cardnet PCI portal at no charge.
The second option is Cardnet’s chargeable online service, which uses profiling questions to determine the appropriate Self-Assessment Questionnaire for the merchant’s needs and guides them through the relevant security controls required for compliance. These merchants also have access to additional information and guidance via the website and Cardnet PCI portal.
The third option is Compliance Plus, which Matt describes as a proactive data security offering that secures key areas of risk in a prioritised way.
Limiting non-compliance a key strategy
Limiting non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a key strategy for Cardnet, and the initial objective of Compliance Plus was to provide assistance to those merchants considered at most risk.
As Matt observed, “Having effective data security measures in place reduces the risk of losing payment card data and benefits everyone in the payments chain”, and the programme proved so effective that it was quickly extended to the vast majority of Cardnet customers.
Understanding risk in the merchant portfolio
If a merchant is non-compliant with the PCI DSS and experiences a data breach, they are liable to receive significant penalties from the Card Schemes, and for smaller merchants there is a risk this could put them out of business.
In addition, data breaches also have an impact on consumers, damaging their confidence in using cards for payment.
“It is very much in our interests to help merchants help themselves, and Sysnet has helped us achieve dramatic improvements in the number of data breaches we have reported, which speaks directly to the improvements and effectiveness of our PCI compliance programme,” observed Matt.
Approximately three quarters of Cardnet’s customer base are eligible for Compliance Plus and conversion rates to compliance within the first three months are running at around 94%. The solution is being used not just by merchants who were struggling to achieve compliance, but also by those who see the value in the additional features of the product, such as anti-virus, software patches and proactive record updating and task management.
Partnership at the heart of the compliance process
Sysnet is the face of the Cardnet brand for merchant customers in terms of their PCI DSS compliance reporting experience. There is a very close relationship between Cardnet customer services and the PCI helpdesk delivered through Sysnet, and feedback from merchants is extremely complimentary about the way the Compliance Plus product is delivered.
This reflects the lengths Cardnet goes to to ensure merchants are aware of all the options for reporting PCI compliance. “We put a lot of work into making sure Compliance Plus is correctly sold and that all the features, costs and benefits are fully explained,” adds Matt. The due diligence undertaken by Sysnet is crucial to this process.
Cardnet has found Sysnet very flexible and proactive in terms of raising awareness of possible refinements to Compliance Plus and adjusting the focus of some of the PCI elements. “Our partnership with Sysnet has enabled us to achieve compliance levels that put us well ahead of our competitors,” concludes Matt.