Payment card data security can be a challenge even for larger merchants. Confused by the scale of the technical challenge and turned off by the cost and complexity of PCI DSS compliance, many have allowed risk to grow to unacceptable levels. It’s time for acquirers to seek a new way: ditching current one-size-fits-all compliance approaches to embrace a more agile and dynamic way to manage merchant portfolio risk.
Nearly 90% of acquirers believe their merchants struggle to understand which security tools they need to keep their businesses and their customers protected. They are right. A similar proportion are also unhappy with the rates of PCI compliance across their merchant portfolios. Again, they have a point.
In fact, according to Verizon's Payment Security Report: “fewer and fewer organizations are demonstrating the ability to keep a minimum baseline of security controls in place.” In the latest year for which figures are available (2019), fewer than 28% of organizations worldwide were found to be 100% compliant at their interim compliance validation, a drop of almost nine percentage points from the year before.
The traditional one-size-fits-all approach to compliance remains, at best, a tick-box exercise for many merchants. At worst, many SMEs (Small and Medium Enterprises) don’t engage with compliance programs at all, because they see compliance as an extra administrative burden they could do without, especially during a global financial crisis.
So what’s the answer? For a time, it was thought that non-compliance fines could change merchant attitudes to risk. However, most acquirers now agree that fines alone are not the answer: compliance rates continue to fall, while half of UK organizations last year reported a serious breach or cyber-attack.
Can PCI portals help? Unfortunately, they’re ill-equipped to tackle the above challenges, for several reasons. Traditional PCI portals:
In short, PCI portals have failed to move with the times. Acquirers need a better way to manage risk: an actionable risk intelligence capability with security scoring and streamlined onboarding, together with a marketplace of solutions and services tailored to each merchant’s specific risk profile.
That platform exists today. ZeroRisk is to cyber security and PCI compliance what QuickBooks is to invoicing and tax reporting. With ZeroRisk there’s no need for scores of staff to manage your portfolio, and no requirement for merchants to answer questions they don’t understand or use tools they don’t need. We offer merchant portfolio risk management made simple: automated, efficient and intuitive.
Want to be a part of a revolution in PCI compliance and risk management?