How to Convince Your Clients that Compliance is More Than Checking Boxes

Merchants need to protect sensitive cardholder data, and their own businesses, by achieving and maintaining PCI compliance.
Your merchants’ businesses are at risk. As the payments world has evolved, so too has the sophistication of fraudsters. Mobile and ecommerce payments, prepaid cards, and internet-based payment services are just a few of the many payment methods that are increasingly at risk of being compromised by creative and conniving cybercriminals. Now, more than ever, merchants need to protect their customers’ sensitive cardholder data, not to mention their businesses, by achieving and maintaining PCI compliance.

As ecommerce has continued to explode, fraudsters find new and more devious ways to hack into vulnerable payment processing systems and networks. Unfortunately, the vast majority of small to mid-sized business owners believe data breaches are just something that companies like Facebook, First American, and Home Depot have to worry about. The reality is that this simply isn’t the case. We all need to educate merchants that the data vulnerabilities they share with their larger competitors make their businesses susceptible to attack as well.

The PCI compliance security requirements aim to eliminate those vulnerabilities. Unfortunately, with 12 main requirements and some 300 sub-requirements, there’s a lot that goes into maintaining proper PCI compliance. It’s a confusing process, especially for small to mid-sized businesses that don’t have the time or resources to sort through mounds of confusing paperwork. As a result, many merchants remain non-compliant with PCI DSS protocols and could be liable for damages in the event they suffer a data breach. That’s on top of likely losing customer trust, and possibly damaging their reputations beyond repair.

The good news is, as a provider of integrated payment solutions, you are uniquely positioned to become a trusted resource for merchants in regards to PCI compliance, helping merchants protect their profits in the process. Of course, before offering this vital, value-added service, you’ll first need to get a handle on your own compliance situation.

Will you be storing, processing, or transmitting sensitive cardholder information? If so, you’ll need to maintain compliance as well. Teaming up with another PCI-compliant partner to offer merchants a hosted payment page? Provided the hosted page doesn’t redirect cardholder data back to you, you should have the option to remain out of scope. Either way, it’s important that you make it clear to merchants which compliance requirements will be met by you as the ISV, and which the merchant will ultimately be responsible for.

While PCI compliance is quite complicated, it has three core elements that merchants must be made to understand.

  1. They are responsible for ensuring that the sensitive card information from their transactions is collected and transmitted in a secure manner, by utilizing the latest in tokenization.
  2. They must also protect any sensitive cardholder data that they store by using up-to-date, end-to-end encryption, and running regular security tests to ensure sensitive card data is secure from prying eyes.
  3. Their annual validation of compliance ensures that the necessary security controls are in place, based on how their business is accepting payments (in-store, online, and so forth).

By helping merchants understand the risks and responsibilities associated with accepting payments in today’s increasingly online world, you’ll demonstrate your added value as a trusted partner—one who is interested in helping them protect and grow their businesses.

Of course you’ll want to find the right payments technology partner yourself—preferably one with a program that can help simplify PCI DSS compliance for both you and your merchants. That way, you and your merchants will always know what PCI level their businesses are classified at, if and when scans are required, and if and when self-assessment questionnaires (SAQs) are needed. Your merchants may even be able to take advantage of breach protection that reimburses them should their PCI-compliant payment solutions be compromised.

To learn more about PCI compliance and how North American Bancard supports PCI compliance efforts, click here.
Greg Bogich is the SVP of Sales for North American Bancard (NAB). NAB and its subsidiaries are committed to making it as easy as possible for you to grow your business through innovations in credit card processing, ecommerce, mobile payments, back-end business solutions, and more.