How Can ISOs Help Merchants With PCI Compliance?

Listen to learn how ISOs can help their merchants and tips for managing a PCI program.

SecurityMetrics Podcast | 60


SecurityMetrics Director of Customer Success Scott Robinson and SecurityMetrics Director of Business Development Robbi Watson sit down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss all things ISO.

Listen to Learn:

  • What is an ISO?
  • How can ISOs help their merchants?
  • Tips for an ISO
  • PCI Program Best Practices

Resources:

Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide

Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcript of How Can ISOs Help Merchants With PCI Compliance?

Hello, and welcome back to the SecurityMetrics podcast. My name is Jen Stone. I'm one of the principal security analysts here at SecurityMetrics. Very excited about this topic today because it's about a part of PCI that I'm not as familiar with.


So this is going to be a learning opportunity for me as well as for you. It's going to be kind of all things ISO. We'll get into what that means in just a minute. First of all, I would like to introduce my guests to you.


I have with me Robbie Watson, director of business development at SecurityMetrics. Robbie is the head of channel partnerships at SecurityMetrics, working with product owners, operations, IT, and risk teams to create custom security programs that improve overall admin and client side user experience, reduce attrition, reduce risk exposure, and contribute to increased revenues. Thank you for joining me today, Robbie.


Thanks for having me, Jen.


Makes you sound pretty fancy. Do you like that?


Very fancy. Yeah.


Yeah. You're welcome.


Our next guest is also from SecurityMetrics. Scott Robinson is our director of customer success here at SecurityMetrics, and he's been with the company for fourteen years. I tried to get you a bio, but Scott is a man of mystery.


Trying to keep all that stuff silent and quiet.


Just copy paste my bio.


Oh, you guys do exactly the same thing?


He makes everything run.


Oh, okay. I just make everything work the way you'd want it to work.


Okay. In the ISO area?


In ISO, in the bank partnerships, anything that deals with a partnership and a PCI program, I'm there to make it happen.


Oh, excellent. So I promised people just a minute ago that we would explain what an ISO is. Who wants to take a crack at that?


Jen, do you wanna take a crack at that?


I would like to take a crack at this.


ISO is, I think, tell me if I'm wrong, is it an independent sales organization?


You got it. Yes.


I got one right.


I'm so relieved. Alright. But what does that mean?


So it's just a payment processor. Right? So an ISO is above an acquirer. So you have the acquiring bank, and then you have the registered ISO. So think of them as, like, if you're thinking real estate Mhmm. The acquirer would be the broker's office.


Okay.


And then the ISO would be, like, a realtor.


And then down below that, you'd have your individual sales agents. So they just allow a merchant to be able to process payments and credit cards.


Okay. So but are all processors ISOs, or is ISOs a specific type of processor?


Not all of them are. There's so many different ones. So there's the acquirer, or there's a sponsored bank, or there's a payment aggregator, or there's a payment facilitator, or there's also registered ISOs.


Okay.


So there's lots of different flavors, but at the end of the day, they all kind of wrap up to allowing merchants to be able to accept and process payments.


Okay.


So, and trying to make it as frictionless as possible for them to do so. And there's lots of new kind of buzzwords and new terminology above ISO. Like, payment facilitators, new really popular ones coming out. But it's just the way that they're categorized and aligned, but at the end of the day, it's just merchants processing payments.


Okay.


Everything's got Yeah.


It's great. Did a great job.


Well, so I work with a lot of customers, but they tend to be level ones, level twos. That's the larger organizations with more volume. And it's very rare for them to mention ISO. They typically will talk about their acquiring banks.


What's the value to a merchant of having an ISO?


Hate to say that, but I don't know if there's any necessarily a value to having it. It's just how they got picked up and put into the process. Right? How they became you know, I took my business, and I needed somebody to process, and I just happened to pick this guy here. And then my business grew to the point where I became a level one or a level two merchant.


Okay.


So it's just luck of the draw.


Right? I think ISOs are heavily sales focused.


So, like, for an acquirer, the benefit to having an ISO is that you have tons of sales representatives going out and representing you so that the acquirer and ISO get residual on the transactions or swipes Okay. From the individual merchant. So perhaps the benefit to the merchant, I guess, would be if I'm an agent of an ISO, so a salesperson. Right?


And my representative is very, very hands on, helps me with everything. I can call them. They fix it right away. I think that may be the benefit of an ISO is down to the agent level Okay.


And making sure that sales representative is really on the ball versus, like, a Square, for example, or an app where you just swipe it. And if you need support, you have to call whomever. Go to their website. Right?


Oh, so it's a more personal kind of experience?


Much more personal touch.


Okay. So, let's say a merchant wants to take credit cards. They have a lot of options. Right?


So the ISO, what they try to do is go say, hey. Use our service. Go through us because we'll give you this more personalized approach we have. Do they offer them different options for processing?


Or...


Most of the time, an ISO works with several different processors.


And so they have an option to choose depending on which processor has what this merchant needs. Right?


Okay.


And so it gives them the ability to go, it's like walking into a car dealership that has Ford and Toyota, and all of a sudden that guy's going, what are you looking for? Right. And let me find you this vehicle based off of your need.


And then, you know, show them all the different...


So they kind of have an expertise in understanding how different merchants might want to interact with their acquiring bank or the payment brands in some way.


That's it.


And then they can say, of these flavors.


Yeah. Yeah. It's custom. So, like, if I'm selling specific to, like, small mom and pop shops that just want a terminal to accept credit cards, right, versus maybe a restaurant that maybe needs some more middleware solutions that can do ordering and tracking and all these other fancy things, like, built into the point of sale.


Okay.


So, yeah, there's quite a bit of options. And I think, again, it's heavily sales focused.


Okay. So we have these merchants, and ISOs are working with them.


Do ISOs automatically get them plugged into the PCI process?


Is that part of what they offer, or is that an add-on they...


That's a great one.


It could be. Sometimes the ISOs are running the program, and all they simply have to do is report that merchant's compliance up to the processor.


In some cases, the ISO has no say. And it's whatever the processor's doing, they're doing it. And all I am doing is turning you over to them for that piece of it. Okay.


More and more and more, we find that ISOs wanna control that. They wanna control how it happens and what's going on. They wanna control the fees and the fines. They wanna make sure that their merchant isn't and as Robbie said, it's a sales thing.


I wanna protect my guy. Mhmm. Right? And so they're trying to do everything they can to protect that piece.


Okay.


And so but it all depends. It all depends on who that processor is and who they turn that merchant over to and how much control they're able to gain.


So some processors might say, hey. We have a PCI program for small businesses or, you know, whatever size. And and whoever you sign up has to follow this thing.


Yeah. It's mine or only mine.


Right? So yeah. That could happen often. Right? So if we have an agreement with an acquirer payment processor and that merchant wants to use someone else Mhmm. That payment processor may say, great. You can use whomever you want, but you're still gonna be billed for this SecurityMetrics solution as well.


Okay.


So at that point, the merchant's like, well, I don't wanna pay twice.


Yeah. Right?


So ISOs that do decide to opt out of whatever their payment process process solution is and go direct Mhmm.


They have a lot more options to make things customized.


Okay.


So all of the communications, the packaging, the pricing, basically, the level of making it frictionless, I love that word, with this, goes completely up here because it's customized to that specific ISO versus Okay. The agreement over here that that payment processor had signed with the vendor.


Alright. It sounds like there are a lot of decisions that merchants need to make. Like, small businesses, I have a special place in my heart for small and medium businesses because it's so hard to navigate all of the regulations and standards and, you know, these things that you have to have in place to be a merchant. And it seems like PCI has a level of complexity to it that's even higher.


Right.


So when you're working with small, medium businesses, do you think it's better for them to have an ISO to help with that?


Not necessarily. I just think they're looking for that personal touch.


And when you look at the two, it's like Robbie said, sometimes the big guys aren't as personal Mhmm.


As a sales office. And so I think it's a toss-up either way.


Yeah. And most merchants, they just wanna get back to their business. Right?


Yep. That's what they wanted. They wanna run the business, not do a PCI program.


Exactly. So I try to put myself in their shoes, and I'm thinking that would be the last thing I'd wanna do is anything related to compliance or security. I want it to be done as fast as possible. Mhmm. So there's ISOs out there that have, certain payment applications or whatever it may be to streamline the user experience for the merchant Mhmm. And maybe make a lot of those PCI requirements not applicable or be able to prepopulate them. And those are the ones to go to for sure.


And the reality is, education on both sides of that, either the processor side or the ISO side, makes all the difference in the world. You educate a merchant, they'll take your hand, they'll walk the path. Right?


Unfortunately, we're not great at it. Right? We see they think they are. Oh, I've put it out on a newsletter, and I've stuck it on my website. And I mentioned it, and I give them a feed to spur them to do something.


Right.


But they may not be educating enough. And that's where we come in because we try to educate the merchant as we go.


Oh, okay.


Our consultants are usually trying to explain what PCI is, give them an understanding, point them to places to find more information if they need to. Right?


Okay.


And the more we can educate the merchant, the less negative feedback you get from a merchant.


Right.


And so we try to do that with all of our tools between the sales and the support team on our side, our fast passes. It's all about education.


Mhmm.


And you can never educate enough when it comes to this one piece because merchants have their wares that they're trying to sell, and that's what they're trying to do.


PCI is a stumbling block in the middle of all that.


Yeah. Yeah. It's definitely not easy. And what I've seen with every customer is that if they just take a little bit of time to seek out education, then everything flows better. But if you're, like, kind of fighting it all the way, I'm not the person to fight against for PCI.


Right.


So I could tell you what you need to do, but I did not create this standard.


Right.


I just help you live by it.


So, and on that topic, sometimes I'll get to talk to actual ISOs who want to become PCI compliant, which is an interesting slice because how do ISOs figure out what assessment they need as opposed to the merchants that they serve? Do you ever run into that, ISOs? Yeah. PCI compliance?


Fairly often, actually. So ISOs, depending on kinda where they're at, they come to us for guidance and go out on their own on Google or wherever to kinda find the resources they need. But, as a service provider, they do need to have an assessment, and there's lots of different things alongside that assessment within the data security standards.


There's the... you already know all this, but the internal network scanning, the internal scanning...


Listeners would probably like to hear all about it.


Yeah. Yeah. Yeah. The penetration testing and everything else to make sure that their back end for where their merchants are gonna be accepting credit cards is secure. Because a merchant cannot actually truthfully become compliant if that ISO is not compliant.


Right. Because they're a service provider.


Yeah. Right.


Right, a lot, right in that payment chain. And I think you said something very key at the beginning of that, which is they need to become assessed as a service provider. Mhmm. So a lot of groups that I talked to, and a couple of ISOs have been this, have thought that they weren't service providers. And so they weren't looking at how to assess properly.


But they, because they would say, well, I only do all of my stuff online. So that means, of course, I'm an SAQ A.


Everything's in the cloud.


Everything's in the cloud. Right. Well, okay. Well, the cloud is another way to have a platform.


But, yes, if you're a service provider, you have to do a service provider, probably a service provider ROC. Right.


At that point because, and maybe you look at it a different way. But I think there are some small service providers that can fill out an SAQ D. Mhmm. Yes.


But I don't think that an ISO can ever count themselves as that.


Because when you're serving a lot of merchants who have volume, you can affect the security of a lot of other organizations.


You kinda gotta take it seriously and do the full report on compliance. Right.


It never hurts to really cover it, right, to make sure you're secure.


You don't wanna have that backlash of, oh, I thought I was okay with this Yeah.


And I'm not. And I think even the D-SP, and you can correct me if I'm wrong here, but they kinda have to get the okay to do the D-SP.


Right? If their processor says... Acquiring bank says... If the acquiring bank says you have to do an audit, you have to do an audit.


If they say no, you can do a D-SP. Then they have to have approval by their... They have to get that approval.


Yeah.


And it can catch the ISO in a hot spot too if the merchant says, well, where's your attestation of compliance? And your ROC. Right? Yeah. And if they don't have it, then it can be really difficult for them because then the merchant can't truthfully get compliant. Right?


Right. As long as the merchant really understands what they're supposed to be looking at. And a lot of them do. A lot of them get enough self-education that even the smallest of merchants know I have to have a service provider attestation of compliance.


Right.


So, yeah. And so that gets awkward if they don't have that.


We ran into that a few times for sure. And did you get them plugged in on their...


Oh, they got plugged in.


Yeah. They got plugged in good.


This episode is brought to you by the SecurityMetrics 2022 Guide to PCI Compliance. I personally help with this guide and can highly recommend it to anyone going through PCI compliance. It goes through what the requirements are and then tells you in the real world what they mean, how to meet them, recommendations from auditors. So it's a great resource to get the fundamentals of PCI compliance.


You can get it on our website, www.securitymetrics.com. So do you find that some ISOs are more supportive of their customers' PCI than others? Do they have programs that help educate them, or are they really relying on you to help fill in the blanks on education? What does that interaction look like?


It's one of those things that you see this piece comes up all the time you discuss with them. Right? Yeah. Most of the time, the idea of any program is I wanna make this as simple as I can for my merchant to get them through the process as quickly as possible.


Unfortunately, sometimes it becomes a checkbox exercise.


Mhmm.


Sometimes it's truly about education, and we see the whole gamut. We've seen the ones that say, let's just checkbox this baby and get through it. And then we see the ones that go, hey. You know, education's really big. How can we educate? And, you know, as SecurityMetrics, we provide all kinds of podcasts and white papers and pieces that we've done from our marketing team, and we tell them, hey. Come use this.


Mhmm.


Educate your merchant. And then we look for ways to educate.


We have a ton of free. Oh. Oh, yeah. I mean, have you looked at the SecurityMetrics Academy recently?


Right.


Yeah. There's so much free information, and it really is focused on some of these merchant levels.


The things that I was kind of wondering about that is sometimes I'll talk to an ISO that is really not well educated in PCI, and then it seems to make it harder on their merchants.


Definitely. Definitely. Matter of fact, we had one ISO that they'd signed up, and we sat down for the first implementation meeting. We're talking with them about, you know, how things rolled and what things, oh, well, we know everything about PCI, and he said, great.


Great. When it comes down to the SAQs, is there, you know, how do you wanna prefill it? What's an SAQ? Oh, no.


Wait a minute. That is not what you just told us.


Yeah. And so we've seen both. And, typically, my team, we're looking to be that education if we can be that education. Right. We're gonna try to give them the best advice.


Again, we're not the police.


Mhmm.


We're here to help guide you through the same process. Right?


Mhmm.


And so we're willing to tell you how it should be done. Mhmm. You have flexibility to do it a bit in the way you wanna do it, but we're always gonna raise our hand and say, you may wanna rethink this piece, and this is why. Mhmm.


Because we want you to get a good program going. We want everything to go smoothly. We don't want you to lose your merchants. We don't want you to have breaches all over the place so that all of a sudden you're not trusted because that affects you.


Mhmm. And as your partner, we want you to shine. Right. That's what we're trying to do.


So, one of the things that I've noticed about small merchants is that we kind of get one or the other. And you kinda mentioned both of them. We've got the checkbox ones who just wanna get PCI behind them. They don't understand the security value of going through the compliance program. And then there's others who look at it as, hey. We can really improve our security stance if we take this seriously. But the ones who are kind of check boxing it, sometimes we'll get self-assessment questionnaires that, like you said, they're just filled out and nobody carefully thought through things.


Mhmm.


And I think that, especially as we were just talking about with ISOs, making sure that they have a cell, excuse me, an attestation of compliance that is clearly filled out and they've been assessed.


At least going through the process, they...


They're starting it.


Right? Right? They gain the knowledge to know, hey. This is a big deal. We can help our merchants a little bit better because we've been through it as well.


Right. And, unfortunately, because of the atmosphere that this is under, you'll get the sales rep who doesn't quite understand it.


Yeah.


And so to them, it's a real big hassle. Right? This merchant's calling me complaining. Yeah. You've gotta turn this thing off. And they're kind of trying to be the tail that wags the dog.


Oh, no.


And so you will see that in some cases, and it's always hard because they don't have a grasp of understanding. And that's where we're willing to teach the entire banks' and ISOs' employees. Let's give you the education so that you can say, oh, yeah. You have to do PCI.


This is what it's for. We're partnered with this person because they know it, and they're there to help you. Right? And then nobody gives the bad answer, which we hear about every once in a while.


I think we just don't wanna disrupt their current flow. So Right. PCI is there, but we wanted to make it in some way, shape, or form, make it seem like it's not there. So it's there, but we make it so easy and simple that it's not there.


And there's other great vendors out there that probably do the same, but...


So seamless to their business process.


That stuff.


No. Yeah.


I don't know if we can say that on this. But yeah. Just trying to introduce it so it's as easy as possible and not something that they have to flip their entire business upside down to do.


Okay.


So, as you talk to ISOs, and maybe some of their merchants, what are their top PCI concerns?


What's, what do they come up with?


There's a lot of different groups within an organization. So, you have finance.


Mhmm.


Their concern is typically revenue. Right? You have risk and compliance. Their, concern is, hey. We wanna get our merchants compliant.


Mhmm.


And then we have product. We want the best user experience possible. Mhmm. So all three of those can actually kind of clash because there's different goals.


Right? Right. So, for example, some ISOs charge an abundant noncompliance fee. Mhmm. And they rely heavily on that revenue that's generated from the noncompliance fee.


Oh. So sometimes it's a battle for risk and compliance teams. I don't do my hand gestures.


Battle for risk and compliance teams because the more compliant a portfolio gets, the less noncompliance fee revenue that they get. So finance is wondering where that revenue is coming in.


That seems like a weird way to incentivize your company to not help people.


It's kind of an uphill battle.


They get really messy. Yeah.


That sounds it.


Right? But you need some sort of a stick sometimes to get them moving. It's figuring out, can we carrot this thing, or do we have to stick it? Mhmm. You know, which of the two ways are we gonna go?


And there's lots of creative people out there.


They've come up with very creative ideas of Right.


Trying to dangle the carrot rather than use the stick. And but sometimes, a stick is all that moves something. Yeah. You know, and you just gotta kinda use it.


I don't think there's one right answer. Right? There's so many different options that people can do.


Mhmm.


But I think when we try to talk to people, it's just let's try to combine everyone's goals together and see how we can make it work. Right? So product gets their frictionless experience. Finance gets the kind of pricing that they need and the revenues that they need.


And risk and compliance gets the compliance numbers they need. So, I mean, it's obviously easier said than done. Right. But, trying to hit everyone's goals is, I think, really important rather than just doing the one person you're talking to.


Because then, in the end, finance could get upset because you're hitting way too high compliance.


So you're talking to the sales guy. You're talking to the risk guy, and then suddenly the finance guy is saying, you didn't even think at all about what I needed in my group. With this customized approach to everything, it almost feels like, you know when you go to, like, Applebee's and their menu is so long, you don't even know where to start? I don't know what I wanna eat because there's so many options.


That's why they have the mixed drink platter so you can have one of each.


Oh, is that what that's for?


One of each beer that you want to.


So but how do you help when people come to you and say, hey. I just don't know where to start?


Typically, they've got some idea. Right?


And so they'll come, and as we have the conversation, Robbie's already spoken with them and I said we can do everything.


Here's Scott. Yeah.


Figure out what you want.


So he thoroughly confused them, and you take them away.


Robbie does a great job of understanding their need at that point.


So by the time they hit me, there might be a few questions, but, typically, we understand what...


He's pared down and given them a direction to go in and then...


And sometimes it changes.


Right? Sometimes it'll change. They'll come in and they'll say, well, we really were thinking about doing this, but can we do this instead?


Okay.


Sure. We can do that. Right? We're here to help you make this program be successful. We want you to shine. We want your company to shine.


So that's what we're trying to do.


A customization for ISOs. Right? Where they can Right. Either go with what is generalized for everybody or kinda pick and choose literally everything, shake and bake it the way they want to. Right?


So in my office, I've got a bunch of boards, a bunch of maps on pegboard, and they're full of pins.


Right? I got pins all over the place. And when people come in new, especially consultants, I always tell them, all of these pins represent a different company and a different PCI program, and not a one of them is the same.


You know, make sure you're looking at the instructions in the red box to know how to handle that merchant and what to do and how to do it.


So you're like the beautiful mind of the ISO world.


I haven't tied strings yet, but kind of.


Alright. Well, this has actually helped me understand a lot of what you do and what the ISO world is. Before we close, PCI DSS 4.0 is coming up. And probably everybody out there just cringed because we're all saying, oh, man. You know, something else changing.


But there's not a lot that changes for some people, but a lot changes for other people. And in terms of ISOs, what do they need to care about? What do they need to be aware of today in order to prepare for that 4.0 kind of boogeyman?


So I think it's probably a two-part question. So the first part, you obviously wanna make sure that you're partnered with a solution that is prepared to administer 4.0. Right?


Right.


So whomever that is, so long as they can get your merchants evaluated with the correct data security standards for 4.0. That's Sure. Probably the biggest thing.


And then, two is merchants oftentimes are gonna go from their current PCI DSS standards and then drop to noncompliant, because now they have to fill out the new 4.0. So finding a way to make that as easy as possible to transition up from the data security standards today to the 4.0 standards Mhmm. Is gonna be a pretty big deal. As far as the insights of 4.0, I'm gonna give that to the man of mystery over here, Scott.


No.


The hardest thing, probably the biggest change that we've got, is the SAQ A merchant, the merchant that is Yes.


Ecommerce totally outsourced.


All this time, that was kind of the magic place to go. Yeah. Right? Oh, I'm SAQ A. It's all outsourced, and all I have to do is the small SAQ, no scan.


True. Love it. That's gonna change.


Right.


It's going to change.


And we would know that the scan is where the security is Mhmm.


For them. And so for us, yeah, it's gonna become harder for that merchant, but not really that much harder. Most scans run and pass without any problems.


You will have people that will call up and say, hey. How come I pass this scan three months ago? I didn't change anything, but I'm failing now.


Because the bad guys changed.


Right. And that's the key. Right?


It's the bad guys. They figured out how to get in there. Mhmm. And that database can change like that, and it's gonna affect the next scan.


Yeah. And it's not anything you did per se. It's just they figured out how to get around what's in place today. Exactly.


And that becomes a harder...


That's a really key thing to help people understand.


Right. I like that. And then, you know, there's a lot of people out there saying, but I don't even maintain my own server.


Okay.


Right.


Right. Well, that means you don't have to supply the scan, but whatever service provider that you have that is maintaining your server with your website on it that hosts the iframe that drops in, and some people don't know any of these words and some people are saying, oh, that's me.


Yeah. Right.


So There's a lot of those.


Yeah. I try to tell people, hey. If you're an SAQ A and someone else is hosting and maintaining that server that your website is on, you need to not only make sure that they are giving you an SAQ service provider level because that includes the scans, but also that they're aware of these coming changes and that they're on top of those things for you. Service provider management is really key to merchants.


Even when you offload anything, knowing that they're giving you good information and they're taking care of you well is really important. So I'll often tell people, hey. If you have service providers and they're filling out their own SAQ D, it's self-signed, nobody else looked at it, you better have in your risk assessment, your company's annual risk assessment, that you've chosen to work with someone that self-assesses and doesn't have somebody double-check their work. Because these self-assessed service providers are potentially the ones, sometimes they're great, but potentially, they're the ones that are just check processing it, and then they're gonna lose your information.


Yeah. Right.


And then you're gonna have to explain a breach when you didn't have any control over it except in the choices you made of service provider.


Right. Right. No. And it's hard because you will get... we have partners that'll call up and go, hey. This merchant is an SAQ D, and they got compliant in thirty five minutes. How did that happen? You know?


They're really good.


Fire. They are Right.


Right. And and, you know, merchants talk to other merchants.


Yes. Merchants talk to their sales reps. Sales reps will say, all you gotta do is say yes, and you're done. Right?


Which is a horrible thing to hear.


It is. It's not good. It's not healthy.


It's great.


It's nice and quick.


So, quick is not always best.


Right. It's pretty easy.


So you have to worry about that kind of thing going on.


You really hope that they take it seriously. The self assessment questionnaire. I wish they would have named it the self audit because the word audit sounds important.


Do you know when people are not taking me seriously, I call myself an auditor. And you're right. That's the reason I do it. Right.


Because people's mindsets are different. PCI is an assessment because we together look at the requirements. We together look at the evidence and decide. And we all find out at the same time if something's a gap or not.


Right.


You know? So it's a more collaborative approach than typically audits are, but I'm guilty of using the audit word on occasion.


Well, and you hope the merchant never falls into that. Oh, no. I've gotta close my business down. You know, heaven forbid we want anybody to go through that because it affects their family and it affects their children and it affects everything. Right? We don't want that to happen.


No. We don't want that worst case scenario.


But sometimes, IT people don't get that. Mhmm. Right? Yeah. We've had merchants before call and say, well, I went to my IT guy to make him fix this piece, and he says it's not broken.


And I say, you know, when I take my car into a brake place and I got this squeak and I can hear it, and they tell me, oh, no. There's not a squeak there. I go to a different brake guy. You know?


There's a lot of options out there.


Get second opinions. Find the people that are gonna help you and get that help because there's definitely some kind of a problem.


I think it's worth it for the merchants. It's worth it for the ISOs to help their merchants.


It's a vast ecosphere of interactions in the payment world. So I really appreciate both of you coming on. And Yeah.


Thanks so much.


I hope I helped that you...


Oh, absolutely.


Thank you so much.


Thanks, Jen.


Hope to talk to you guys again.


Yeah.


Thanks, man. Thanks. Anytime.


Thanks for joining us again here at the SecurityMetrics podcast. I really enjoyed our topic today, and I hope you did too. If you found this of value, please share it with your friends. Share it with your colleagues.


We would love to spread the word on PCI, especially among some of the smaller businesses. Take care and talk to you next time. Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left.


If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.