Three tips to help Independent Sales Organizations with PCI

John JB Bartholomew
Senior VP, Technology
Having worked on merchant security and compliance since 2003, I’ve noticed some common pitfalls and missed opportunities when positioning a PCI program. Here are three tips from my experience to help Independent Sales Organizations (ISOs) better position their PCI program:

1. Give your sales team a workable and attractive solution


Provide your sales team with the information, assistance, and training they need to win customers without avoiding PCI. It’s easier to provide your team with a competent and accessible PCI expert than to attempt to train each of them individually.
  • Example 1: Many ISO salespeople have had personal friendships with members of our PCI engagement team. Their pitch to new customers was “Call my friend {insert name} at SecurityMetrics, he/she will take care of you! He/She will explain everything and will get you into the PCI process faster and simpler than you could ever do it yourself! It typically takes less than 15 minutes. Then as you go through the SAQ or deal with scan results, SecurityMetrics has a 24x7 call center with friendly people to help you understand.”
This is an example of salespeople who were confident in dealing with PCI because they had a workable and attractive sales solution. The customer’s good experience with the SecurityMetrics PCI expert reflected positively on the ISO salesperson.
  • Example 2: I’m familiar with a regional bank, with about 4500 MIDs, whose unique selling approach included security. They designated an in-house specialist to regularly consult their merchants on these topics.
While this regional bank did not provide the least expensive payment solution, their customers received greater value for each dollar spent on payment processing. The value of expertise and seasoned industry advice on just three key topics saved these merchants thousands of dollars. And their sales approach—using “security” as a pillar of their solution—won them business.


2. Position PCI Compliance as a Strength


My second recommendation is that you add “keeping your merchants secure and compliant” as a business strength. By taking this approach of working to keep your merchants safe and secure in today’s insecure world, you bolster your unique selling proposition.

Issues that contribute to making PCI a strength

  • Payment solutions that either reduce PCI risk/requirements (e.g., P2PE) or come packaged with additional components that minimize the effort merchants need to reduce risk and comply easily (e.g., managed firewall/security services and more).
  • Readily available human assistance for your merchants as they tackle PCI (engagement and mid-process).
  • Work with your PCI vendor so that their online PCI solution uses terminology matching your solutions. Every possible point at which your merchant is less likely to stumble during PCI is a benefit.


Since security can be a dynamic and time-sensitive issue, your additional focus on security allows you to repeatedly communicate with your merchants to remind them of the benefits they receive from you. Several PCI vendors provide timely, re-publishable content for your use with merchants.

3. Money for PCI


My precautionary advice about monetizing PCI assistance: take great care to make sure you provide defendable value if you’re charging for PCI assistance. We recommend you also allow your merchants to DIY PCI if they wish.

In the UK, where government oversight and the government’s “protectionism” have advanced further than in the US, most acquirers who provide PCI compliance assistance (for a fee) are careful to allow merchants the right to opt out of (or opt in to) their PCI services. US regulators will likely eventually look to increase their “protectionism” efforts. Your business will want a multi-year track record of perceived fair treatment of your merchants.

Can SecurityMetrics Help?


Streamlining Sales

SecurityMetrics’ sales staff love to partner with individual ISO and acquirer sales staff to provide the best PCI introduction to your merchants. If you are a salesperson who’d like a friend in PCI to help your merchants, or if you’re an ISO who wants all your sales staff to have friends in PCI, please let us know.

SecurityMetrics provides PCI orientation and training to our acquirer and ISO partners’ sales teams and support staff on a regular basis. We do this onsite, via remote teleconferencing and with webinars. SecurityMetrics’ experience has proven that PCI-educated acquirer and ISO staff makes for smoother and more successful PCI programs.

PCI as a strength

SecurityMetrics has done many things to help ISOs and acquirers make PCI and data security a strength. Listed below are just a few examples:

  • We certify P2PE solutions. We certified the first P2PE solution in the world! 

  • SecurityMetrics provides a variety of professional services related to security and compliance, including onsite security audits (PCI, HIPAA, etc.), penetration testing (network layer, software layer), forensics (PFI, etc.), PA-DSS audits, P2PE audits, and more. SecurityMetrics also develops security tools and products, including vulnerability assessment testing (ASV) [internal & external], card discovery software, privacy data discovery, managed firewall/security, and more. As such, SecurityMetrics has a great deal of security subject matter expertise!
  • We provide monthly educational content on security or current threat topics in the form of webinars, white papers, articles, etc.

  • We provide individualized security and PCI consulting for our partners’ staff. Historically, we’ve consulted a wide variety of staff from our acquirer/ISO partner organizations, including but not limited to: sales, support, relationship managers, third-party certification, data compromise, level 1, 2, 3 merchant compliance managers, level 4 compliance managers, risk managers, executive team members, and more.

  • We provide partner/customer presentations. We’ve presented at a wide spectrum of industry-specific events in partnership with our acquirer/ISO partners. We’ve also presented at annual franchise meetings and annual large account retreats for acquirer partners.

  • We provide customer consultations. In one of our more memorable customer consultations, we saved the customer $1,000,000 by redirecting their compliance efforts to an acceptable and lower-cost alternative to fulfill certain compliance requirements.


Using SecurityMetrics PCI assistance for your merchants provides a value-packed benefit that would cost your merchants much more without your volume discount.

If you are interested in a PCI program or any of our PCI or data security solutions, contact us here.

JB is Senior VP of Technology at SecurityMetrics, and is responsible for growth through leadership, networking, and product innovation. He is a 30-year veteran in the high-tech industry, specializing in innovative software for IT and business. With a bachelor's degree in Computer Science from Brigham Young University, one of his first jobs was as a COBOL programmer at U.S. Steel. JB has held several senior management positions at companies including: Broadway & Seymour, WordPerfect, and Novell.