2020-07-08 21:43 | Blog post

The New “Scalpel Approach” to Merchant Security and Compliance

By Matt Loos, EVP Business Development

There is a fine line being walked in the merchant acquiring and payments space. As both the primary players and the smaller providers know, merchants’ security threat landscape continues to shift and expand at a rapid pace. Guiding merchants down the path of implementing security protocols to protect the merchant, and mitigating breach risk for the processor, can be challenging.

The core challenge is that merchants within an acquirer’s portfolio can be exceptionally diverse, not only in terms of their payment processing methods, but also in their internal ability to successfully secure payments and their overall business. Second, small and medium-sized businesses view implementing security as a daunting task, one that is easily overlooked due to lack of education and knowledge of the risk factors. Because of this lack of education, in their minds it is easier to stick with the status quo than to take action.

How Strategy is Adapting to the Changing Threat Landscape

This year we’ve seen a notable uptick in our merchant acquiring partners leveraging ControlScan to bring security technologies into their merchant compliance programs. This essentially marries the concepts of security and compliance. However, they are not approaching every merchant in the same way; they are instead taking what we call a “scalpel approach.”

The scalpel approach involves examining processing environments, integrated technology, size, and vertical focus in a way that groups merchants into needs-based buckets. Once this is accomplished it is possible to position each merchant to mitigate threats according to their specific environments. Carving out pieces of a portfolio allows the acquirer and ControlScan to narrow the focus and create bundled security solutions that apply to the various merchant environments. This segmentation ensures that the right security products are introduced to the right merchant at the right price point.

Giving Merchants the Solutions They Need

In ControlScan’s most recent survey of SMB merchants, we noted a trend toward the widespread acceptance of merchant service providers’ integrated security offerings. The most significant areas of adoption are anti-malware/anti-virus and network firewall.

Those aren’t the only solutions being adopted, however. In the last several months we’ve had many conversations with partners seeing increased interest in endpoint security solutions that combine traditional anti-malware/anti-virus with more advanced protections, as well as managed threat detection and response services that take the pressure of this important security activity off merchants.

Each of these solutions is easily deployable via agent or on-premise hardware. It is critical that small and medium-sized businesses receive security software and hardware that are plug and play. That means automated setup and remote management of the settings and overall performance of each protocol by ControlScan specialists who have “eyes on glass.”

What This Looks Like in the Real World

Chesapeake Payment Systems is an excellent example of the scalpel approach in action. Chesapeake implemented this approach to achieve a mid-90s portfolio compliance rate, segmenting its merchants based on risk levels and offering easy-to-implement managed security solutions to those at a higher risk. This success story outlines how Chesapeake and ControlScan partnered not only to get their merchants compliant, but also to get them over the perimeter security hurdle with an expertly implemented UTM firewall solution.

About ControlScan

ControlScan managed security and compliance solutions help secure IT networks and protect payment card data. Thousands of businesses throughout the U.S. and Canada partner with us for easy, cost-effective access to the expertise, technologies and services that keep cyber criminals and data thieves at bay. With highly credentialed cybersecurity and compliance experts; 24x7 managed detection and response; managed UTM firewall services; ASV vulnerability scanning; security penetration testing; PCI compliance programs and validation services; QSA and HIPAA assessments; and more, we’ve got your back.