TRANSCRIPT
2017 Acquirer PCI & Security Survey
Webinar: February 2017
Chris Bucolo
[email protected] | 678-279-2646
© ControlScan 2017 - Confidential 2
MAC is an organization of Bankcard professionals involved in the risk management side
of Card Processing. We have members from Banks, ISOs, Card Associations and
others related to the risk management side of the industry. MAC’s mission is to
strengthen the payment ecosystem through ongoing education, communication and
cooperation among acquirers, card brands and enforcement agencies.
To learn more about MAC or to become a member of MAC
please visit the website below.
https://www.macmember.org/
Today’s Speakers
Chris Bucolo, Strategic Partnerships & Market Strategy
Kate Root, SVP/Managing Director, Chesapeake Payment Systems (a division of Chesapeake Bank)
Who is ControlScan?
• Established PCI QSA company with a full range
of assessment and testing services
• Senior staff with average of 6 years experience,
each performing 20+ PCI Assessments annually
• Trusted by over 150 ISO/Acquiring banks to
deliver PCI validation services to merchant
portfolios (over 1.1 million merchants in
aggregate)
• Cloud-enabled Managed Security Services
Provider
• Advanced service delivery platform delivering
best-of-breed security
CISSP • CISM • CISA • CRISC • C|EH • GPEN • Network+ • Security+ • PCIP • OSCE
AGENDA
• Introductions
• Background: Visa compliance initiative
• Study Objectives and Audience Profile
• Compliance levels
• What drives increased and decreased levels?
• PCI program management
• Other key findings
• Security offerings/support needs
• The Acquirer perspective
• Recommendations for ISOs & Acquirers
• Questions?
Background
New Visa small merchant initiatives took effect 1/31/2017
• Focus on achieving full compliance in Level 4 programs
• Based on breach activity: increased pressure on third-party risk (QIR, the PCI Qualified Integrators and Resellers program)
“Recent forensic investigations confirm that small merchants remain a target of hackers
attempting to compromise payment data and that there are links between improperly
installed POS applications and merchant payment data environment breaches.” Visa
• Evidence that card brands will move towards a risk-based approach and get more
surgical: merchants using single-use terminals without Internet connectivity are
considered low risk and do not require a QIR.
o Our past surveys and recent interviews indicate little focus so far from
ISOs/Acquirers on a risk approach; we expect this will change.
Study Objectives & Audience Profile
Objectives
Continue to benchmark key measurements and tactics ISOs and
acquirers use for their PCI compliance programs.
Compare progress to past studies and look for new trends.
[Audience profile chart: response shares of 30.1%, 18.8%, 11.3%, 9.8%, 15.8%, 9.0% and 5.3%; category labels not recoverable]
Portfolio Size View
How many Level 3 and 4 (small- to mid-sized) merchants do you have in your
portfolio?
[Portfolio size chart: response shares of 22.6%, 18.8%, 18.0%, 26.3% and 14.3%; size bands not recoverable]
Overall Compliance Rates Trend
How has your portfolio compliance rate changed over the last year?
[Compliance rate trend chart: response shares of 30.2%, 15.6%, 31.3%, 13.5%, 7.3% and 2.1%; answer labels not recoverable]
Respondent quote: “We will start to track this in Q1 2017”
Main Drivers for Increase
To what do you attribute this increase?

Answer Options                                                                        Response
Increased amount of merchant education                                                  47.1%
Increased frequency of communications (calls, emails, etc.) surrounding compliance      39.7%
Increased non-compliance fees                                                           22.1%
Initiated stricter compliance policy during new merchant onboarding                     22.1%
Newly-outsourced management for our PCI compliance program                              19.1%
Changed PCI compliance program partners                                                 17.6%
Offered technology services to help merchants meet PCI requirements                     13.2%
Introduced new incentives for complying                                                 10.3%
Other                                                                                    4.4%
What About Decreased Compliance Levels?
• Change of PCI providers
• Taking the program in-house
• “Merchants initially compliant, but let compliance lapse”
Observation: Education and ongoing communication/reminders are
critical to maintaining high compliance rates.
Observation from Acquiring Bank: Merchants in rural or smaller
geographic areas feel they “know their customers” and shouldn’t
have to go through this effort.
Program Management Evolution?
[Chart: 2014 responses of 53.6%, 29.8%, 11.9%, 3.6% and 1.2%; 2017 responses of 56%, 30%, 10% and 4%; the pairing of percentages with the answer options below is not recoverable]

2014 answer options:
• We have our own in-house PCI program
• We use a third-party provider’s technology for the SAQ and ASV scanning, but provide merchant support in-house
• We outsource the PCI compliance program, including merchant support, to an external partner
• We refer our merchants to one or more third-party providers for PCI assistance
• We leave PCI compliance entirely up to the merchant

2017 answer options:
• We have our own in-house PCI program
• We use a third-party provider’s technology for the SAQ and ASV scanning, but provide merchant support in-house
• We outsource the PCI compliance program, including merchant support, to an external partner
• Other
Effectiveness of Compliance Drivers
In your opinion, how effective are each of the following techniques for driving merchants to become PCI compliant? (Rank from 1-5, with 5 being “highly effective.”)

Answer Options                                                                                         1   2   3   4   5   Response Count
a. Reducing or waiving PCI program fees if they comply                                                14   9  23  19  16   81
b. Increasing non-compliance fees until they comply                                                    9  13  20  19  21   82
c. Withholding funds until they comply                                                                17  13  13  12  25   80
d. Threatening to terminate the merchant’s account if they don’t comply                               24  12  17  14  14   81
e. Increasing the amount of merchant education surrounding compliance                                  3   7  26  31  16   83
f. Increasing the frequency of communications (calls, emails, etc.) surrounding compliance             3   6  20  37  17   83
g. Partnering with an external PCI compliance service provider                                         4   8  26  27  18   83
h. Offering technology services (e.g., P2PE, security solutions) to simplify the compliance process    4   9  26  30  14   83
Which Techniques Do You Use Today?
Which of the above techniques does your organization currently use? (Select all that apply.)

Answer Options                                                                                         Response Percent   Response Count
a. Reducing or waiving PCI program fees if they comply                                                      44.0%             37
b. Increasing non-compliance fees until they comply                                                         39.3%             33
c. Withholding funds until they comply                                                                      16.7%             14
d. Threatening to terminate the merchant’s account if they don’t comply                                     17.9%             15
e. Increasing the amount of merchant education surrounding compliance                                       64.3%             54
f. Increasing the frequency of communications (calls, emails, etc.) surrounding compliance                  63.1%             53
g. Partnering with an external PCI compliance service provider                                              58.3%             49
h. Offering technology services (e.g., P2PE, security solutions) to simplify the compliance process         36.9%             31
i. None of the above                                                                                         7.1%              6
How Important Are Compliance rates?
Observation from Acquiring Bank: Bank
regulators pay a lot of attention to these rates
and statistics.
Impact on Merchant Retention
Yes, We have lost merchants because of our
PCI compliance approach
No, our PCI compliance has not impacted
merchant retention
Yes, our PCI compliance approach has helped
us retain merchants
Observation: Consulting approach vs. negative messages?
Observation from Acquiring Bank: Competition can steal away
merchants if they make their PCI compliance methods seem
cheaper or easier to comply with.
Offer Security Solutions?
+ 42.6% offer point-to-point encryption/tokenization
+ 26.5% offer security awareness training
+ 17.6% offer network monitoring
+ 8.8% offer anti-virus protection
+ 8.8% offer managed firewall
+ 41.2% offer none of the above
[Chart compared the 2014 and 2017 surveys; only one set of percentages is recoverable]
Additional Support/Services From PCI Provider
• Frequent, electronic reminders to merchants
• Provide best practices for merchants
• Simplification for merchants so they do not quit
• Streamlined process, but do not ignore security risks
Favorite Quote: “Reporting, Advice”
Other Key Findings
• 22.6% require merchants to be PCI compliant before boarding (in 2014 the number was 27%).
Anecdotally, 90-120 days post-boarding seems pretty much the norm.
• 81.0% charge non-compliance fees; 4% are charged quarterly. Very consistent with the 2014 survey.
• Compliance targets for portfolios varied from a low of 40% to a high of 100%;
the average of all the targets was 86.62%. In 2014 only 54% had a compliance goal over 60%.
• $24.86 average monthly non-compliance fee / $33.74 quarterly fee.
In 2014 only 15% charged $25 or higher per month.
Observation from Acquiring Bank: No sales person
wants to complicate the closing by requiring a
compliance step, therefore they postpone until “later”.
The Acquirer Perspective – ISO Sponsorship
ISO Sponsor Card Brand Requirements
Ensure all ISO partners are aware of Card Brand efforts/changes/requirements
Educate and train on all changes/additions
Report on findings/results
Ensure proper categorization
“The Visa Core Rules and Visa Product and Service Rules governs the activities of client
financial institutions and, by extension, service providers and merchants as participants in
the Visa payment system”.
The Acquirer Sponsor Bank Requirements
“Issuers and acquirers are responsible for ensuring the PCI DSS compliance
of its service providers and merchants, including service providers the
merchant is using. A service provider and merchant must maintain full
compliance at all times. (VCR section ID #0002228 and #0008031)”
“If a service provider or merchant does not comply with the PCI DSS or fails to
rectify a security issue, Visa may assess a non-compliance assessment to the
issuer or acquirer. The issuer or acquirer is responsible for paying all
assessments and must not represent that Visa has imposed any assessment
on the service provider or merchant. (VCR section ID #0001054)”
https://usa.visa.com/partner-with-us/pci-dss-compliance-information.html
An Acquirer’s Perspective - Own Portfolio
PCI compliance challenges
• Becomes a competitive disadvantage/advantage if charging a non-compliance fee
• Is audited by regulators who may not understand
• Is a drag on customer service resources when helping merchants reach compliance
• Becomes a relationship issue when the merchant is a bank customer
• Is not deemed necessary in a “small town” environment
“I know all of my customers, I trust them all”…….
Recommendations For ISOs & Acquirers
• Working on re-validation efforts is huge
• Promote ongoing education and frequent communications
• Plan for program changes
• For the future: identify where risk lives, then address it
MAC 2017 Annual Conference
March 21 – 23, 2017
SLS Hotel - Las Vegas, NV
Don’t miss the premier payments industry risk conference.
Register today at www.macmember.org
SAVE THE DATE