Thursday, May 5, 2011

PCI DSS Compliance and Addressing the Blame Game

We all know the "Blame Game." We were introduced to it as children. It typically involves breaking, spilling, or losing something that your mother didn't want you tinkering with in the first place. The game changes as we get older - our arguments get stronger, but we still pass the blame.

Here are some classic responses we've either said - or heard - at one time or another:
• "(Name) did it."
• "It wouldn't have happened if (Name) did (Desired Action)."
• "It's not my fault."

As a result, today our society could be defined as a litigious one. People are quick to sue and claim that they shouldn't be held accountable and that it's someone else's fault that something bad happened.

Merchants are no different because of the pressures they face, especially with the varying changes in regulation and the economy over the past few years. There are all sorts of opportunities for errors and finger pointing.

One area that is very important is maintaining data security and PCI DSS compliance. Vulnerabilities can be created by careless actions, and vulnerabilities can result in a breach, as well as hefty fines, penalties and more.

When this happens, it's likely that the merchant is going to look outside of his business for someone to blame. And when he thinks he's found that someone, a lawsuit could be the next thing to follow.

To protect themselves and their merchant customers, most payment processors will insist on the completion of a PCI compliance assessment. The processor then reviews the assessment to identify merchants whose actions may put them at risk of a compromise. This helps keep the blame at bay, but it's not the best approach.

It's common for ISOs to want to provide the best possible service to their merchants, and they may want to complete the self-assessment questionnaires (SAQs) on behalf of their merchants.

What happens if, for some reason, a merchant is then breached? If it is determined that the merchant was not PCI compliant and the questionnaire was not completed accurately, who will the merchant blame? It was the ISO who helped them complete their PCI compliance assessment, of course.

PCI DSS compliance and data security are very important, but processors shouldn't put ISOs in the middle of their approach. That isn't their job, and frankly, they shouldn't be expected to be PCI compliance experts. Also, remember why a self-assessment questionnaire is one of the best ways to avoid this Blame Game: it is designed to be completed by merchants, because they know the details of their operation best.

So what's the solution?

At Clearent, we use an online questionnaire, designed to be completed by the merchant, to assist with PCI DSS compliance. We believe it shouldn't be part of the application process, but rather part of the support your payment processor provides to your merchants. And it shouldn't come with a cost to complete.

It's a simple approach, but one that any ISO today with the desire to grow should appreciate. That way if a breach should ever happen, you can easily say, "It wasn't me. I wasn't even involved." - and truly mean it. Otherwise, it may be prudent to have an attorney on retainer.
