This is page 2 of:
“What’s an Acquirer?” And Other Noteworthy SME Questions
Few things are more disheartening than to plan a party and invite a whole bunch of people, and then have only a few folk show up. Holding seminars and webinars aimed at telling SMEs about PCI is right up there. I’ve had many different technology companies and card processors ask me if there’s a set of issues that is more likely to put bodies in the seats than other issues.
Here are some suggestions drawn from our efforts over the past two years to add more SME focus to the PCI Knowledge Base research:

1. Use case studies of real SMEs who are doing something about PCI compliance.
2. If you can’t get real companies to give you permission, use anonymous case studies.
3. Don’t bother talking about the risk of a breach. Even though SMEs do get breached, the business owners don’t believe the statistics. Again, stick with case studies.
4. Use multimedia. The Project PCI DVD (and YouTube video) done by the Retail Service Providers Association (RSPA), which features, among other things, a tearful interview with the owner of Spanky’s restaurant, is still the most convincing argument for SME PCI compliance available anywhere.
Granted, it’s an old movie reference, but the importance of finding a new message or a new angle is critical for getting SME owners to pay attention. Since they don’t believe they are vulnerable to breaches, and the level of the current SME fines wouldn’t scare anyone, a relatively new appeal is the focus on outsourcing the whole problem. Any service or tool that can help SMEs shift as much of the compliance / security problem to a service provider is going to meet with a better reception than an appeal designed to scare the crap out of an SME owner into spending money on security technology.
The essence of the argument here is that whatever stupidity exists in the area of PCI is on the side of those (including me) who have tried to scare SME owners with threats of breaches or impress them with payment industry jargon and technical details they may not understand or draw on examples of much larger companies and their commitment to “strategic solutions.”
The key is to build empathy for the SME view by talking personally to as many as possible, then weave these discussions into whatever PCI or security message one wishes to aim at the SME market. We’d love to talk about this with SMEs or others interested in this market. For more on this, please visit the PCI Knowledge Base if you want to view our research. If you want to have a personal discussion about PCI and SME issues, just send me an E-Mail at David.Taylor@KnowPCI.com.
July 16th, 2009 at 11:14 pm
Small to medium retailers simply aren’t interested in PCI. PCI isn’t like a tax or a fine, where you pay some amount to avoid trouble, and then it’s done. To anyone who is paying the slightest amount of attention, PCI means you’ve got to do a lot of hard work, you have to hire expensive consultants in Italian suits, you have to pay a lot of people to learn stuff, they make a lot of noise but don’t seem to accomplish much, they get in your way with security stuff when you’re just trying to run your business, and in the end you see no results other than employees blocked from doing their jobs and a very expensive filled-out checklist.
An SME gets nothing tangible out of following PCI. Nothing. If you tell him he’s avoided a risk, he’ll say “staying in business is a hell of a risk, one more either way doesn’t make a difference.”
If you want people to pay attention, give them incentive. (Avoiding a $25 fine is not incentive, it’s a punchline.) Where are the “Certified secure by Visa” logo door stickers? Where is the “This institution is PCI DSS certified, Visa will insure your transactions and credit are safe and will spend up to $10,000 to help repair your credit” disclaimer that retailers can print on their receipts? Where is the insurance program that gives retailers discounts for completing their PCI DSS audits?
If Visa is mandating this but is not willing to put anything on the line, why should the retailers even listen?
July 17th, 2009 at 12:51 am
Dave Taylor replied: I couldn’t agree more, Mr or Ms “Reader.” Like the story I was telling about the head of the SME who simply couldn’t understand what all the fuss was about PCI, when all her company had to do was pay a $25 monthly fine. Her point was that if the fine is so low, PCI compliance must not be very important.
Your incentive point is also “right on.” One of the F500 retailers I did a PCI compliance plan for specifically asked their acquiring bank and Visa if they could get “PCI Compliant” stickers for all their stores once they passed their assessment, and they were told no by both the bank and Visa, supposedly because it would make them a “target” of hackers. Which is the opposite of the reasoning for putting “Secured by ADT” stickers on our homes.
July 17th, 2009 at 4:25 pm
The only kinds of incentives that can actually get any attention from an SME merchant — and guaranteed to ALWAYS do that — are something that promises a “sales lift” or “cost reduction.” And preferably both at the same time. Unfortunately, PCI mandates are pretty much the opposite of that by offering a sales decrease (time spent away from the main job) and a cost increase (new hardware, scans, monthly fees, etc.). With such a resounding absence of carrots, it’s amazing we have gotten anywhere at all with them.