Security Vendors Helping ISOs With Technical PCI Issues

Besides making the process easier for merchants, a good payment-security vendor can ease the burden of Payment Card Industry data-security standards compliance for independent sales organizations, a growing number of ISOs are finding.

If necessary, vendors can scan merchants’ payment-processing systems for weaknesses hackers could exploit to steal cardholder data and make fraudulent purchases. Once vendors detect those vulnerabilities they can help merchants fix them.

Moreover, they can field phone calls from puzzled or irate merchants, according to Henry Helgeson, co-CEO of Merchant Warehouse Inc., a Boston-based ISO whose vendor is ControlScan Inc., an Alpharetta, Ga.-based security firm.

ControlScan frees the 40 Merchant Warehouse contact center employees to deal with customer-service calls and e-mails instead of trying to sort out compliance issues the contact center employees find confusing or too technical, Helgeson says.

Ridding the contact center staff of PCI calls constitutes a human resources issue, he says. “You want to retain quality people,” Helgeson says. “You don’t want people leaving because somebody doesn’t understand” the self-assessment questionnaire smaller merchants are required to complete as part of their compliance-certification process.

At Granite Payment Alliance LLC, a Roseville, Calif.-based ISO, Brenda Pacheco, vice president and operations manager, also wants to keep her eight-employee contact center focused on customer service and free of overly technical PCI calls. Her employees feel comfortable answering PCI calls from merchants using dial-up terminals, but they refer calls from Internet-oriented retailers to ControlScan.

Besides deflecting complicated incoming calls to sources more knowledgeable in technical matters, vendors can make outgoing calls to merchants to nudge them to take the next step toward compliance.

Pacheco and Helgeson both depend on vendors to take that initiative.

At Merchant Warehouse, ControlScan calls merchants with the highest risk of data compromise–those that make frequent transactions over the Internet, Helgeson says. The group represents about 5% of the ISO’s merchant portfolio, he says.

Having the vendor initiate the contact helps shield the ISO from negative reactions merchants might have to the call, Helgeson says. As far as the merchant is concerned, the vendor–not the ISO–is making contact, he says.

In most cases, however, merchants appreciate the vendor outreach, Helgeson says. “It’s even created a little bit of stickiness with our merchants because here we are going above and beyond to protect them,” he notes.

As for the technical side of scanning, however, ISOs do not need to worry too much when choosing a scanning vendor, according to Brad Caldwell, CEO of SecurityMetrics Inc., an Orem, Utah–based payments security vendor. The PCI Security Standards Council designates companies as approved scanning vendors, he notes.
