Education as a Component of Security
by Heather Mark

Many companies have recently learned some very hard lessons about relying upon technology alone to mitigate risk to sensitive data. For several years vendors have promoted the message that "scanning is security" to the Payments Industry. The latest publicized breach of a well-known eCommerce merchant bearing a prominent vendor seal is further evidence of the futility of relying upon such an approach. Technology alone is not the answer.
Consider the average person. If an average person is given a Formula 1 car, they will certainly be able to drive fast, but it will not allow them to race competitively in Formula 1. To be successful, they need both equipment and training. More often than not, placing an untrained person in a Formula 1 car will end in crashing the vehicle.
The security issues facing companies that support payment card transactions are numerous and complex. Attempting to prevent breaches of security and the resulting data compromises with technology alone is like trying to race in a Grand Prix with a fast car and no training. Visa has recognized this issue and since 2007 has required that Acquirers begin educating their merchant populations.
In May of 2007, Visa USA released Visa Business Review (VBR) #070508, which mandates that Acquirers both classify their merchants by risk level and educate their Level 4 merchants on several topics. Below is some of the relevant language included in the VBR:
"Acquirers that do not provide their plans by this deadline may be subject to the imposition of risk controls. The Level 4 merchant compliance plan must include:
1) a timeline of critical events; 2) a risk-profiling strategy; 3) a merchant education strategy; 4) a compliance strategy; and 5) compliance reporting."

Merchant Education Strategy
"Describe plans to educate Level 4 merchants about cardholder data security, storage of prohibited cardholder data and PCI DSS compliance. Include the planned communication channels and approximate frequency."
While it would be overreaching to purport to speak on behalf of Visa Inc., the language included in the VBR clearly indicates the intent of the document. Within the VBR, Visa includes the following statements:
"Describe plans to educate Level 4 merchants about cardholder data security, storage of prohibited cardholder data and PCI DSS compliance."
"Summarize plans to monitor progress of program execution."
It is clear from the intentional use of the term "educate" within the document that Visa intends for acquirers to engage in more than simple information sharing through website content or emails. The VBR requires the education of Level 4 merchants along with a process to evaluate and monitor the efficacy of the program.
Wikipedia defines education as a complex application of pedagogy, a body of theoretical and applied research that draws from many disciplines including psychology, neuroscience, computer science, and sociology. Educators spend years sorting through volumes of research, learning to apply theory in a way that translates into tangible results. According to Driscoll, the process of developing education requires attention to complex components that influence the learning experience. These include the learner, the desired learning outcomes and conditions, the instructional methods, and the context. Materials developed without expertise in these areas cannot be expected to truly educate learners. While many companies purport to understand education, few can truly lay claim to such expertise.
Key to the development of a plan that truly educates learners is the concept of learner support. Learners have a challenging task in understanding and applying the complexities of data privacy and security in the payment card industry.
To illustrate, consider the difficulties learners may encounter when attempting to learn physics. The concepts are complex and interdependent, with layers upon layers of variables. How would the educational experience compare if the learners were to use a library rather than attend a university? A library has all of the necessary facts and information contained within the books housed on its shelves. It would seem a simple thing to send the learners off to the library to learn all they need to know. This is analogous to sending merchants to websites that host complex compliance requirements.
The challenges for the learner begin at the door to the library. There is the initial problem of finding the right section and the right books. Once that hurdle is overcome, it is incredibly difficult to know where to start. The sequencing of educational materials is a crucial component of the learner's ability to absorb new and complex information. Finally, without the guidance of an instructor, collaborative engagement around the learning materials, and opportunities to practice and reflect, the learner's ability to absorb and retain the new information is limited. Well-designed instruction promotes considerably higher levels of reflection and engagement with materials than is feasible without guided instruction. The university setting brings novices together with experts and allows for collaborative discourse and guided educational experiences.
In a similar vein, many merchants face a number of obstacles to quickly absorbing complex information related to regulatory compliance and information security. Distractions, lack of contextual understanding, and lack of time are substantial barriers to understanding dense, static materials posted online in a manner similar to a library. Providing merchants with expertly designed, interactive, and engaging educational experiences dramatically increases the likelihood of retention. Simply providing information is not the same as providing education.
VBR #070508 lays a hefty responsibility on the shoulders of acquirers. The potential cost of providing education for all Level 4 merchants could be prohibitive. This cost comes at a time when budgets are slim and resources are in short supply. Acquirers are now challenged to develop plans to legitimately educate these merchants in a manner that does not strain existing resources.
Customizable learning solutions developed by industry experts can provide acquirers with a viable solution. A variety of delivery methods give acquirers flexibility as they work to develop an executable plan for educating Level 4 merchants. Well-designed Web Based or face-to-face training, coupled with participation in online communities, can effectively educate merchants without placing undue strain on acquirer resources.
Web Based Training, or e-Learning as it is commonly called, is one delivery mechanism that can scale broadly to countless merchants, providing valuable guided instruction in a cost-effective manner. Typically, economies of scale can be leveraged to keep per-user costs low, students can take the courses on their own schedule and at their own pace, and message consistency is assured because every student is presented the same content.
With Web Based Training, user interactions, completion rates, and answers can be easily tracked. This provides acquirers with the substantial benefit of defensibility. Consider, for example, a company that loses sensitive authentication data (CVV2) in a data compromise. Using well-designed web-based training, it would be possible to track the user's activity and demonstrate definitively that the user did indeed answer a question related to the prohibition on storing sensitive authentication data.
If considering Web Based Training, it is paramount that the courses be developed by highly skilled instructional technologists and educators in collaboration with industry experts. Increases in computing power and software sophistication have allowed many amateurs to build e-learning studios in their basements and home offices. It is not the technology that provides the value in e-learning. The same characteristics that define a well-designed classroom-based course are needed for a well-designed e-learning course. Simply providing information in a web-based format is not the same as educating through the use of e-learning technologies.
While certainly not as scalable, face-to-face training may work for certain groups. High-risk merchants located near the acquirer's home base may be well served by attending expert training. Face-to-face training has the added benefit of allowing learners to engage with one another as they grapple with complex concepts. It is incredibly important, however, that the training be presented by experts in the field. As with e-learning, in order to be effective, the training sessions and materials should be designed by industry experts in collaboration with highly skilled educators.
Regardless of the delivery mode, if learners are to retain and transfer their new knowledge, it is important that they have opportunities to engage with other learners. Participation in online communities such as the PCI Answers forum or other online communities is a key follow-up strategy.
The intent behind VBR #070508 is clear. Acquirers must now take on the responsibility of educating Level 4 merchants regarding cardholder data security, storage of prohibited cardholder data, and PCI DSS compliance. This weighty responsibility comes with considerable hurdles, including scalability to potentially thousands of merchants, the challenge of providing instructionally sound, expertly developed materials, and the need for a cost-effective solution. Overcoming these challenges requires the delivery of cost-effective, instructionally sound, and expertly validated learning materials. Web-Based Training may be the most viable solution for acquirers seeking to fulfill the requirement to educate their Level 4 merchants.