Learn these psychological keys to merchant motivation. 

By: David Meyers
Most merchants and their acquirers are as excited about Payment Card Industry Data Security Standard (PCI DSS) compliance as they are about getting their car registered at the DMV. Nobody enjoys sitting for (what seems like) hours at the DMV, but the task is necessary to be a responsible vehicle owner. While most small business owners have heard of, or even attempted, PCI DSS compliance, they may not recognize its importance or the security risks that come with noncompliance. In short, they have no motivation to comply.

But things have changed.

Between the release of PCI DSS 3.2 and Visa expanding its PCI DSS validation program to include Level 4 merchants, you can no longer afford to carry non-compliant merchants in your portfolio.

Visa has set two deadlines to motivate acquirers to get merchants compliant:
  • January 31, 2017: acquirers must ensure their Level 4 merchants validate full PCI DSS compliance annually.
  • January 31, 2017: acquirers must ensure all existing Level 4 merchants use PCI-qualified QIR (Qualified Integrator and Reseller) professionals.

It is now every acquirer’s responsibility to get every last merchant PCI DSS compliant, no matter how small.


Why do merchants lack PCI DSS motivation?

Before we look into how to get your merchants on the PCI compliance fast track, let’s ask why they lack motivation. Merchants have plenty of reasons not to be PCI DSS compliant, but these appear to be the main ones:
  • It’s a change from what they’re used to: People don’t hate change. They hate the chaos that comes with it. Moving from the way things are to an uncertain future means pain, new technology, uncertainty, fear, additional work, and changing responsibilities.
  • It costs money: For Level 4 merchants, new security technology can mean a large expenditure. Why would they spend more money on something that (they mistakenly believe) will make virtually no difference?
  • They don’t have time: Maintaining data security takes time away from actually selling and interacting with customers. Merchants are busy and push PCI DSS aside for “more important tasks.”
  • They don’t understand the PCI requirements: The PCI DSS is highly technical, especially for merchants with no previous technical education. If a merchant doesn’t understand it, they won’t do it.

Three successful ways to motivate merchants 

As you dive deeper into why merchants don’t comply, take a step back and remember that your merchants are, well, human. Psychology identifies a handful of basic emotions that motivate people.

Take a look at the three emotions I’ve chosen that apply to the merchant PCI DSS motivation situation, and how you can use them to get merchants excited about PCI DSS.


Safety/pain avoidance
A feeling of true safety only happens if you feel free from emotional or physical harm. Merchants feel safe if they know their business will turn a profit year after year.

Think about PCI DSS from a merchant’s perspective. If a merchant has had an account with you for 16 years and you suddenly force them into PCI compliance, that doesn’t exactly create a feeling of safety.

Solid merchant communication is key to security motivation. Lack of communication promotes uncertainty, which breeds fear. Take the time to educate merchants on just how devastating security breaches are and why Level 4 merchants are targeted by criminals. Share the security benefits of PCI DSS compliance.

Marketing PCI as a security blanket instead of a must-do will help merchants feel like the standard is protecting their business and profits. If you can explain how you’ll minimize the chaos and dial down the intensity of the change from non-compliant to compliant, you’ll have greater success convincing merchants to care about the PCI DSS.

For greatest success, over-communicate. Clarify new roles and responsibilities, show them what they are accountable for, and explain any new policies. Send emails, use social media, upload new security information on your website, and host monthly security webinars. Introduce educational PCI videos into new merchant onboarding processes to set the stage for your expectations.

Incentives/rewards
Some human behavior is motivated by a desire for reinforcement or incentives. Understand that not all incentives are created equal. Whether the carrot is a prize, money, or recognition, this approach will take a bit of testing to see what your merchants respond to.

Instead of imposing more and more fines (the fear approach), introduce positive reinforcement, for example by reducing annual compliance fees as a reward for compliant merchants. Each portfolio is different, but with careful thinking about merchant motivation you may find innovative ways to motivate yours.

Some acquirers successfully layer benefits into a merchant’s overall PCI compliance strategy. For example, you could make merchants eligible for a card data breach protection program once they are compliant. Breach protection programs can cover a merchant’s costs relating to a card data compromise, including fines and fees, up to a financial limit. This also creates goodwill and appeals to the safety/pain-avoidance motivation.

Fear of failure/consequences
Nothing makes humans more uncomfortable than fear. We hate missing opportunities, being punished, or not being accepted. I recommend using fear as a last resort when encouraging merchant compliance.

Sometimes just the threat of a noncompliance fee will jumpstart portfolio compliance, but you’ll always encounter merchants who don’t care or who remain ignorant. The good news is that all merchants have breaking points. You might consider a schedule that raises noncompliance fees at regular intervals for stubborn merchants. Eventually, they’ll do what is necessary to stop receiving those fines.

Understand that the fear approach may result in more attrition than the other methods, but it is definitely effective for getting merchants PCI compliant, and it reduces the risk of card data breaches in your portfolio.


Getting your merchants compliant

No two portfolios are the same, which means you should micro-test these theories and suggestions to see what motivates your particular portfolio. No matter which method you choose to motivate your merchants, don’t forget the power of education. If merchants simply understood the power of true data security and the reasons behind the PCI DSS, they might feel differently about spending time implementing it.

It’s time to take an active role in your Level 4 merchants’ compliance, especially now that their compliance directly affects your relationship with Visa. I am hopeful these changes will finally help small merchants, who otherwise may be unknowingly compromised and suffer life-changing consequences, get on track with data security.


David Meyers is the Senior Director of Business Development at SecurityMetrics, with a 15-year background in finance and business planning. He is responsible for business strategy, international expansion, and maintaining SecurityMetrics’ strategic alliances. David graduated from Brigham Young University’s Marriott School of Management with a BA in Business Management, and has a passion for sharing his expertise to encourage other professionals to maximize their business security success.
