For many organizations attesting PCI compliance through the Self-Assessment Questionnaire (SAQ) process, the annual cycle begins by requesting each merchant and/or department that handles payment cards complete their assigned SAQ. This allows the organization to ensure each merchant is responsible for the listed requirements based on their specific payment processes and gain an overall picture of their current compliance status.
However, depending on the number of merchants within the organization and the complexities of their environments, helping these departments understand that PCI is, or should be, a priority for them can be difficult. And as you know, your organization is only as compliant as your least compliant merchant, so just one “No” on a merchant SAQ can place the entire organization on the non-compliant list.
This can be somewhat frustrating for the PCI Team. Short of flat out bribery or taking away a department’s ability to accept payment cards, what can you do to get those unwilling departments to fulfill their responsibilities? Below are several strategies for motivating those departments that are slow to answer your compliance requests:
Even though it may feel like it, most managers aren’t deliberately ignoring your requests. It is more likely that they don’t understand what is being asked of them and the importance of their participation. Before you reach out to a department and ask them to document their compliance using an SAQ, be sure to provide them with the background of the annual compliance process and the individual role they play. It will help if they have a basic understanding of the PCI DSS, why it exists, who it affects, and what can happen if the organization fails to meet the requirements. By making sure staff are aware of not only what they need to do, but why you are asking them to do it, there will be less pushback. On a side note: it is also important to make sure you have the right point of contact, so this preparatory discussion will help you confirm that you do.
Training and Guidance
If this is the first year your organization is attesting compliance, your merchants will definitely need some hand-holding. You may want to offer a training session on SAQs and invite department managers to attend the workshop. During the training, you can walk through the different sections of the SAQ and explain how they should be answering each question. Getting together in this manner allows them to ask questions on the areas they may be confused by and allows you to offer assistance as they make their way through the questions.
A Team Effort
Your PCI compliance status is a sum of the status of all your merchants, so make sure they know you are all working together as one team. Help them to see that the SAQ isn’t an evaluation of how they are doing their job, and they aren’t going to get in trouble for not having something in place. Explain that this is an opportunity for the organization to identify any potential gaps and fix them before any weaknesses are exploited. Lastly, remind them that you are available to help them and can provide additional resources if they need them.
A Staggered Approach
It may be helpful to just let merchants get their feet wet at first, before you ask them to dive into PCI compliance. Without any prior experience, filling out an SAQ can be confusing, and you definitely don’t want merchants just checking YES to get it over with if they don’t, in fact, have the necessary controls in place. We have seen success in using a staggered approach to getting the SAQs completed. In year one, the PCI Team sets up interviews with each of the merchants to review the SAQ together, but then has the PCI Team member complete the SAQ on behalf of the merchant. The following year, the PCI Team member and merchant get back together, but this time the PCI Team member assists as the merchant actually completes the SAQ. The PCI Team member is present and available so they can help with any questions along the way. Finally, by year three, the merchant is very familiar with the form and able to complete most, if not all, of the questions on their own.
Set Goals and Timelines
Sure, it would be nice if you could send a simple e-mail request to department managers on Monday asking them to complete their SAQs and, by that afternoon, they had all jumped right on it. In reality, most will push a task like this to the bottom of their to-do list unless there are clearly defined dates they must abide by. Be sure to allow them adequate time to complete your request and be mindful of their current workload. For example, you know that the end of the fiscal year is an extremely busy time for the Finance department, so make sure they know you are aware of this and that you are willing to work with them on their completion date. Give them enough warning so they can shift priorities, if needed, and have sufficient time to complete the SAQ. Keep in mind that there may be questions they cannot answer right away so allow them time to research the correct/accurate response.
Keep in mind, however, that by providing too large of a window, many will fail to see the urgency and continue to put it off. You know what works for your organization so take a balanced approach. Also, if you don’t have all merchants complete their SAQ at the same time, consider at least keeping to the same timeframe for each group. This way they will know when to expect your email request and may even reach out to you if they don’t get it (don’t laugh – it’s happened!).
Are you able to easily track SAQ completions? Can you see what requirements have been fulfilled and which areas are still lacking? Administrative oversight of your organization’s PCI project is important and being able to quickly see where you are in the process can go a long way if you are working against remediation timelines and goals. Ensure that your PCI Team has the tools needed to monitor progress on an ongoing basis, so they can reach out to areas that have not completed their requirements or may need additional assistance. Following up with the merchants reminds them that you are there to help and also re-emphasizes that you are monitoring their progress.
Having executive level support for PCI compliance is also a must. Without it, some department managers may see your request as simply a suggestion that has no leadership backing and push it aside. However, if they see that the CIO has mandated their participation, they may be a little quicker to comply. Consider engaging with your senior management team prior to the start of your annual cycle and have the initial merchant engagement email come from them. There will be no question as to their support of the initiative if the message has their letterhead on it!
Standardization of Processes
Everywhere you can, try to implement standardized payment acceptance solutions which include policies, processes, procedures, training, and technology. These bundled packages will help simplify your scope and reduce oversight efforts. For example, if you know all e-commerce merchants are using the same e-commerce web server that is managed by the central IT staff, you can ensure all requirements for logging, anti-virus, file integrity management, etc. are being met, and there is no need to find out from each department how they are meeting those obligations. The same goes for the departmental policies; if you can provide a standard template to the department managers and then allow them to customize the procedures to include any specific processes they have, this will be much more palatable to them than asking them to create a procedure from scratch.
Ask for Feedback
There is always room for improvement. Each year, following your annual SAQ process, it is a good idea to reach out to your merchants and find out how you can make things easier for everyone going forward. Did you have the appropriate point of contact? If not, how can you stay in touch so as to avoid that next year? Did you provide them enough time to complete the SAQ? If they didn’t have enough time, should you work together to switch up the timing of their annual cycle? Did they know who to reach out to with questions? By involving merchants in the process, you create a collaborative environment, you may uncover some great suggestions, and ultimately save both parties a lot of headaches in the future.
Patience (and Persistence) is Key
As with any new initiative, progress may be slow initially. You may have to reach out with several reminders, and dare I say, nag a few people. But if you are persistent, eventually PCI will become part of the organization’s standard business process, and merchants will become accustomed to fulfilling their responsibilities.
Below is some additional advice from our Security Advisor Team:
[Gilmore]: The SAQ reporting process is how merchants show their compliance and define the security controls they have in place. Throughout this process, cooperation between the merchants and the administrative team is key.
A school recently told me that the way they convey the importance of being secure and meeting the PCI DSS requirements is by encouraging their team to put themselves in the shoes of the customer. Students, parents, and other customers trust that you, the merchant, will handle their sensitive data with care and protect it from those with a malicious purpose. Keeping this in mind can help ensure that data security is a day-to-day, business-as-usual process.
Providing a central location for all parties to access templates, ask questions, submit documentation, and most importantly, answer the SAQs, is very helpful. This resource, backed by active support from the PCI Team, leads to a much better response rate and more accurate answers. And at the end of the day, isn’t that what we are after?
Do you have other strategies you have implemented successfully within your organization? If so, we want to hear them! Please share your successes with us!