Merry Christmas! I know the season has already passed, but given the recent massive data thefts at various retailers, and the misery this has caused both their customers and them, I thought, why not try to cheer everybody up a bit.
Besides, I needed a nice segue from what is, arguably, one of the most important stories to pop up recently, to some questions every retailer must ask and answer about transactional security, and about how much money they are spending on marketing and then blowing on poor security.
Are You PCI-DSS Compliant?
But wait, you say, didn’t I title this blog PCI-DSS something or other?
As a consumer, and we are all, ultimately, consumers, I had never even heard of PCI-DSS until about six months ago, when I ran an SAP greenfield implementation at a major retailer in Europe.
So what does PCI-DSS stand for, and why might you, a consumer, want to know about it? It stands for Payment Card Industry Data Security Standard: the set of requirements a merchant has to meet whenever it stores, processes or transmits cardholder data. It is a different thing from the chip on your card, which is the EMV standard. If you have a credit card issued in Europe, you most likely have a chip in it, whereas if you have one issued here in the U.S., it probably does not, though a few issuers do use them.
I asked one of my Senior SAP FICO consultant buddies why this is and he explained the following to me:
Are you aware of Liability Shift?
"(Chip and PIN's) main attraction to banks is the 'liability shift,' which is precluded in the U.S. by Regulation E,"
"This shift means that disputed transactions will be blamed on the customer if a PIN was used and the merchant otherwise took every prescribed security precaution. Thus, in theory, the bank would never again be liable.
In practice, it has not worked. You can't have a secure system if one party guards it and another party pays the cost of failure."
This "liability shift" has been a "good incentive" for merchants to adopt chip and PIN.
Such a shift isn't possible in the U.S. because of rules set up under the Electronic Fund Transfer Act of 1978.
This is probably good news for U.S. consumers: since the standard was fully adopted, it has been next to impossible for British consumers to recover money stolen in fraud.
That last little tidbit is, to me, of critical importance, having been a victim of credit card fraud in the past in the U.S. and ultimately having been made whole by my card issuer.
The marketing opportunity here is for a retailer to make it perfectly clear to consumers that, in addition to taking every technical security measure possible to secure its payment processing system, it will ALWAYS make its customers whole in the event of a data breach.
As an Inbound Marketer, I could see several possible pieces of content one might want to generate and reuse constantly to assure consumers that their credit card/debit cards are safe to use in the stores:
- Define which security standards the store is required to meet, and prove, and keep proving, that the retailer meets them.
- Though not all that exciting, tell the consumer each time you pass a PCI-DSS assessment, and say when it was done, since a passed assessment describes a point in time, not a permanent state.
- Go well beyond European standards for the protection of personal data, and make sure every consumer is aware of exactly what data is being stored by the retailer, and allow them the opportunity to correct or delete it at any time, at no cost.
- As almost every retailer, indeed anybody that sells anything, is moving toward a loyalty management system and, by extension, is collecting massive amounts of personal data, the previous point becomes even more critical. In the name of transparency, and this is not easy, show where the consumer's data is actually used in your system; this goes well beyond the marketing function and touches logistics and finance in a wide variety of areas you might not initially think about.
- Provide complete transparency to consumers on every party that will touch the credit card transaction, including the bank and payment gateway provider.
- When a retailer uses more than one payment gateway provider or bank and saves money by doing so (that is why it has more than one), pass some of those savings on to the consumer, and use that to inform the consumer: one more opportunity to communicate.
Though highly unlikely, should consumers lose confidence in the security of their credit cards, they will revert to cash only transactions.
Most people believe cash is cheaper for the vendor than a credit card transaction, but, as almost any large retailer will tell you, that may not be the case at all.
For instance, if your store is doing $1 million a day in transactions, and 10% of those transactions are in cash, you are handling $100,000.00 of cash, which has to be counted, audited, secured and transported.
Each of those steps has a cost, and they all take far longer to accomplish than an electronic transaction.
Now imagine, tomorrow, that ratio is reversed, and you are doing $900,000.00 in cash transactions and $100,000.00 in credit card transactions.
Your logistics cost just went up, your risk of armed robbery during transport just went up (and your cost of security went up, no doubt), and your ability to squeeze the payment gateway provider commission rate just went way down.
You also now have consumers who are a lot less likely to make purchases, as they don't have access to cash so easily.
In short, these massive data thefts are a threat to the economy at the systemic level, and they may drive your marketing costs way up.
That is why it is not enough to get PCI-DSS and EMV compliant: you need a marketing approach that leverages your efforts to secure those transactions at the lowest possible cost. You can start by learning more about Inbound Marketing and how it can help you boost customer satisfaction, especially by providing content that reassures consumers that the credit card transactions they conduct with your establishment are secure and do not result in any liability being shifted to them.