American Payment Systems increased compliance with the Payment Card Industry Data Security Standard among its roughly 1,200 merchant clients to 48% currently from roughly 10% Oct. 1 with a phone-call campaign, according to the Omaha, Neb.-based independent sales organization.
The ISO began the calling campaign Oct. 1 after trying a direct-mail campaign for three months that yielded less-successful results.
“When you send [merchants] a letter, it’s a passive contact that they can set aside,” but a phone call is less easy for them to ignore, says Steven Cartwright, American Payment Systems chief financial officer.
The ISO offers its merchants PCI-compliance services from ControlScan Inc., an Atlanta-based provider of PCI compliance and security products for small and midsize merchants. American Payment Systems handled the direct-mail campaign internally but used ControlScan to facilitate the phone-call campaign because the ISO could not manage it in-house.
“We have got 1,100 to 1,200 merchants and 10 employees to manage those merchants,” Cartwright says.
A phone-call campaign likely is more effective at increasing compliance rates among small merchants because “you have instant two-way communication,” says Cliff Gray, an associate and merchant-processing and product-services expert with The Strawhecker Group, an Omaha, Neb.-based consulting firm. Many small merchants believe the PCI requirements are highly technical, and they “are so scared and see an e-mail and think it is too complex. But they get a phone call and an explanation and they think they can manage it,” he says.
Gray recently consulted with another ISO that includes a PCI discussion with every telephone contact the company has with its merchants, and the ISO also has experienced a rise in compliance rates.
Overall PCI compliance rates among small merchants remain low, says Gray. The compliance rate among Level 4 merchants “has not budged for a couple of years. Optimistically, it’s maybe 10%,” he says. Visa Inc. defines Level 4 merchants as those that process less than 1 million Visa transactions annually.
Passive outreach campaigns are not very effective at boosting compliance rates, says Gray. Instead, “ISOs need to change and be more pressing,” he says. “If you really are going to be successful [at increasing PCI compliance], you have to be aggressive in reaching out to merchants.”
