
2017 Acquirer PCI & Security Survey

Webinar: February 2017

[email protected] | 678-279-2646

Chris Bucolo

© ControlScan 2017 - Confidential 2

MAC is an organization of Bankcard professionals involved in the risk management side of Card Processing. We have members from Banks, ISOs, Card Associations and others related to the risk management side of the industry. MAC’s mission is to strengthen the payment ecosystem through ongoing education, communication and cooperation among acquirers, card brands and enforcement agencies.

To learn more about MAC or to become a member of MAC please visit the website below.

https://www.macmember.org/


Today’s Speaker

Chris Bucolo, Strategic Partnerships & Market Strategy


Today’s Speaker

Kate Root, SVP/Managing Director

Chesapeake Payment Systems, a division of Chesapeake Bank


Who is ControlScan?

• Established PCI QSA company with a full range of assessment and testing services

• Senior staff with an average of 6 years’ experience, each performing 20+ PCI assessments annually

• Trusted by over 150 ISO/Acquiring banks to deliver PCI validation services to merchant portfolios (over 1.1 million merchants in aggregate)

• Cloud-enabled Managed Security Services Provider

• Advanced service delivery platform delivering best-of-breed security

CISSP • CISM • CISA • CRISC • C|EH • GPEN • Network+ • Security+ • PCIP • OSCE


AGENDA

• Introductions

• Background: Visa compliance initiative

• Study Objectives and Audience Profile

• Compliance levels

• What drives increased and decreased levels?

• PCI program management

• Other key findings

• Security offerings/support needs

• The Acquirer perspective

• Recommendations for ISOs & Acquirers

• Questions?


Background

New Visa small merchant initiatives took effect 1/31/2017

• Focus on achieving full compliance in Level 4 programs

• Based on breach activity: increased pressure on third-party risk (QIR)

“Recent forensic investigations confirm that small merchants remain a target of hackers attempting to compromise payment data and that there are links between improperly installed POS applications and merchant payment data environment breaches.” (Visa)

• Evidence that card brands will move towards a risk-based approach and get more surgical: merchants using single-use terminals without Internet connectivity are considered low risk and do not require a QIR.

o Our past surveys and recent interviews indicate little focus so far from ISOs/Acquirers on a risk-based approach; we expect this will change.


Study Objectives & Audience Profile

Objectives

Continue to benchmark key measurements and tactics ISOs and acquirers use for their PCI compliance programs.

Compare progress to past studies and look for new trends.

[Audience profile chart: segment labels not recovered; values shown were 30.1%, 18.8%, 11.3%, 9.8%, 15.8%, 9.0% and 5.3%]


Portfolio Size View

How many Level 3 and 4 (small- to mid-sized) merchants do you have in your portfolio?

[Portfolio size chart: size-band labels not recovered; values shown were 22.6%, 18.8%, 18.0%, 26.3% and 14.3%]


Overall Compliance Rates Trend

How has your portfolio compliance rate changed over the last year?

[Chart: response labels not recovered; values shown were 30.2%, 15.6%, 31.3%, 13.5%, 7.3% and 2.1%]

“We will start to track this in Q1 2017”


Main Drivers for Increase

To what do you attribute this increase? Response

Increased amount of merchant education 47.1%

Increased frequency of communications (calls, emails, etc.) surrounding compliance 39.7%

Increased non-compliance fees 22.1%

Initiated stricter compliance policy during new merchant onboarding 22.1%

Newly-outsourced management for our PCI compliance program 19.1%

Changed PCI compliance program partners 17.6%

Offered technology services to help merchants meet PCI requirements 13.2%

Introduced new incentives for complying 10.3%

Other 4.4%


What About Decreased Compliance Levels?

Change of PCI providers

Taking program in-house

“Merchants initially compliant, but let compliance lapse”

Observation: Education and ongoing communication/reminders are critical to maintaining high compliance rates.

Observation from Acquiring Bank: Merchants in rural or smaller geographic areas feel they “know their customers” and shouldn’t have to go through this effort.


Program Management Evolution?

Response options:

• We have our own in-house PCI program

• We use a third-party provider’s technology for the SAQ and ASV scanning, but provide merchant support in-house

• We outsource PCI compliance program, including merchant support, to an external partner

• We refer our merchants to one or more third-party providers for PCI assistance

• We leave PCI compliance entirely up to the merchant

• Other (2017 only)

[2014 chart: values shown were 53.6%, 29.8%, 11.9%, 3.6% and 1.2%. 2017 chart: values shown were 56%, 10%, 30% and 4%. Pairing of values to options not recovered.]


Effectiveness of Compliance Drivers

In your opinion, how effective are each of the following techniques for driving merchants to become PCI compliant? (Rank from 1-5, with 5 being “highly effective.”)

Number of respondents giving each rating (1 to 5), followed by the response count:

a. Reducing or waiving PCI program fees if they comply: 1: 14, 2: 9, 3: 23, 4: 19, 5: 16 (81 responses)

b. Increasing non-compliance fees until they comply: 1: 9, 2: 13, 3: 20, 4: 19, 5: 21 (82 responses)

c. Withholding funds until they comply: 1: 17, 2: 13, 3: 13, 4: 12, 5: 25 (80 responses)

d. Threatening to terminate the merchant’s account if they don’t comply: 1: 24, 2: 12, 3: 17, 4: 14, 5: 14 (81 responses)

e. Increasing the amount of merchant education surrounding compliance: 1: 3, 2: 7, 3: 26, 4: 31, 5: 16 (83 responses)

f. Increasing the frequency of communications (calls, emails, etc.) surrounding compliance: 1: 3, 2: 6, 3: 20, 4: 37, 5: 17 (83 responses)

g. Partnering with an external PCI compliance service provider: 1: 4, 2: 8, 3: 26, 4: 27, 5: 18 (83 responses)

h. Offering technology services (e.g., P2PE, security solutions) to simplify the compliance process: 1: 4, 2: 9, 3: 26, 4: 30, 5: 14 (83 responses)


Which Techniques Do You Use Today?

Which of the above techniques does your organization currently use? (Select all that apply.)

Answer options, with response percent and response count:

a. Reducing or waiving PCI program fees if they comply: 44.0% (37)

b. Increasing non-compliance fees until they comply: 39.3% (33)

c. Withholding funds until they comply: 16.7% (14)

d. Threatening to terminate the merchant’s account if they don’t comply: 17.9% (15)

e. Increasing the amount of merchant education surrounding compliance: 64.3% (54)

f. Increasing the frequency of communications (calls, emails, etc.) surrounding compliance: 63.1% (53)

g. Partnering with an external PCI compliance service provider: 58.3% (49)

h. Offering technology services (e.g., P2PE, security solutions) to simplify the compliance process: 36.9% (31)

i. None of the above: 7.1% (6)


How Important Are Compliance Rates?

Observation from Acquiring Bank: Bank regulators pay a lot of attention to these rates and statistics.


Impact on Merchant Retention

• Yes, we have lost merchants because of our PCI compliance approach

• No, our PCI compliance has not impacted merchant retention

• Yes, our PCI compliance approach has helped us retain merchants

Observation: Consulting approach vs. negative messages?

Observation from Acquiring Bank: Competition can steal away merchants if they make their PCI compliance methods seem cheaper or easier to comply with.


Offer Security Solutions?

+ 42.6% offer point-to-point encryption/tokenization

+ 26.5% offer security awareness training

+ 17.6% offer network monitoring

+ 8.8% offer anti-virus protection

+ 8.8% offer managed firewall

+ 41.2% offer none of the above

[Chart legend: 2014 Survey vs. 2017 Survey]


Additional Support/Services From PCI Provider

Frequent, electronic reminders to merchants

Provide best practices for merchants

Simplification for merchants so they do not quit

Streamlined process but do not ignore security risks

Favorite Quote: “Reporting, Advice”


Other Key Findings

22.6% require merchants to be PCI compliant before boarding. In 2014 the number was 27%. Anecdotally, 90-120 days post boarding seems pretty much the norm.

81.0% charge non-compliance fees; 4% are charged quarterly. Very consistent with the 2014 survey.

Compliance targets for portfolios varied from a low of 40% to a high of 100%; the average of all the targets was 86.62%. In 2014 only 54% had a compliance goal over 60%.

$24.86 average monthly non-compliance fee / $33.74 quarterly fee. In 2014 only 15% charged $25 or higher per month.

Observation from Acquiring Bank: No sales person wants to complicate the closing by requiring a compliance step, therefore they postpone until “later”.


The Acquirer Perspective – ISO Sponsorship

ISO Sponsor Card Brand Requirements

Ensure all ISO partners are aware of Card Brand efforts/changes/requirements

Educate and train on all changes/additions

Report on findings/results

Ensure proper categorization

“The Visa Core Rules and Visa Product and Service Rules govern the activities of client financial institutions and, by extension, service providers and merchants as participants in the Visa payment system.”


The Acquirer Sponsor Bank Requirements

“Issuers and acquirers are responsible for ensuring the PCI DSS compliance of its service providers and merchants, including service providers the merchant is using. A service provider and merchant must maintain full compliance at all times. (VCR section ID #0002228 and #0008031)”

“If a service provider or merchant does not comply with the PCI DSS or fails to rectify a security issue, Visa may assess a non-compliance assessment to the issuer or acquirer. The issuer or acquirer is responsible for paying all assessments and must not represent that Visa has imposed any assessment on the service provider or merchant. (VCR section ID #0001054)”

https://usa.visa.com/partner-with-us/pci-dss-compliance-information.html


An Acquirer’s Perspective - Own Portfolio

PCI compliance challenges:

Becomes a competitive disadvantage/advantage if charging a non-compliance fee

Is audited by regulators who may not understand

Is a drag on customer service resources when attempting to help merchants reach compliance

Becomes a relationship issue when the merchant is a bank customer

Is not deemed necessary in a “small town” environment: “I know all of my customers, I trust them all”...


Recommendations For ISOs & Acquirers

Working on re-validation efforts is huge

Promote ongoing education and frequent communications

Planning for program changes

For the Future: Identify where risk lives and address it

Questions?

Please submit your question via the Questions box on your screen.


MAC 2017 Annual Conference

March 21 – 23, 2017

SLS Hotel - Las Vegas, NV

Don’t miss the premier payments industry risk conference.

Register today at www.macmember.org

SAVE THE DATE