PCI Compliance: An Interview with Ryan Sherman from EVO B2B Group

Contact Information:

B2B@evopayments.com

(888) 564-9564

Links Mentioned in the Interview:

simplepcidss.com

Transcript:

Marty Hartman:
Welcome to the supplier spotlight interview. We are thrilled to have Ryan Sherman. He is the PCI expert at Evo B2B Group. And you may remember that we did an interview with Tom Lizzio a while back from Evo B2B Group. You might want to look that up if you’re interested in knowing more about credit card processing, but Ryan is going to be talking to us today about PCI compliance. Ryan, welcome to the interview.

Ryan Sherman:
Thank you for having me, Marty. I appreciate it. It’s an honor to be here.

Marty Hartman:
So PCI compliance, what is it and, well first, what does PCI stand for?

Ryan Sherman:
Good question. So PCI actually stands for payment card industry. What it is is it’s a security program that had started back in 2006 by the card brands. Basically it’s a collection of security standards that was put in place, of course, by the card brands, just wanting to make sure that merchants who are taking cardholder data are running that card data securely and safely.

Marty Hartman:
So in order for a business to be PCI compliant, what is it that they have to do?

Ryan Sherman:
So, there’s a couple of things, but it’s definitely not a one size fits all scenario. It’s always going to depend on how the merchant themselves are processing a credit card. So for instance, if you’re using a point of sale system inside of a virtual terminal, a physical terminal, things of that nature, all of those things are going to mesh into what the process for you is going to be. But in most cases, it’s going to be a self-assessment questionnaire.

Ryan Sherman:
What will happen is you’ll answer some business profile questions, like how are you processing credit cards, this and that. And then it will place you on a self assessment questionnaire. Not all of them are going to be the same, because again, it’s going to depend on how you’re processing. And then on top of that, at times, there’ll be a non-intrusive vulnerability scan. Now, I do want to speak to that for a second because I know a lot of people get a little flustered when I say scan of any sort. This is not a scan that necessarily bogs down your computer, doesn’t slow anything down, it simply is just scanning a front facing IP address. And what I’ve heard Tom say a couple of times, it’s essentially walking around house, making sure that all the doors and windows are locked, so.

Marty Hartman:
Right, exactly. So it’s basically the scan is looking for security vulnerabilities?

Ryan Sherman:
Exactly. That’s precisely what it’s looking for. Just making sure, again, your network is okay, there’s not any chance for anyone to breach your system, no one to hack into anything, things of that nature, so.

Marty Hartman:
So good. It sounds like it’s a good thing. It sounds scarier than it really is, but when you tell more about the details of what goes on … So, how does PCI compliance apply to our Universal Unilink members and small business owners in general? How does this help them?

Ryan Sherman:
So, and I get that question a lot, simply put is, and this is how the credit card brands kind of phrase it. If you are an entity that is accepting any type of cardholder data, then it would apply to your business. And that goes not only for merchants themselves, but this goes for banks, service providers, internet providers, you name it, they’re probably on the list to become PCI compliant, so.

Marty Hartman:
Right. So, we’ve all heard in the news about data breaches with some very large companies. I’m sure that that has huge ramifications for these companies when this happens. It’s awful not only for the business, but also for all of their customers.

Ryan Sherman:
Absolutely. Absolutely. Yeah. I mean, back in 2018, I mean, when it comes to, say, some of the damages that would occur for something like that. The card brands, I believe, were charging $148 per cardholder record, which of course is going to result in millions of dollars in damages. So this is kind of something, some steps to put in place. Yeah. Yeah. They take it very, very seriously. So these are steps that they kind of put in place to avoid something like that.

Marty Hartman:
Well, it makes sense that the credit card companies would want to have these security measures in place. So what are some of the common security mistakes that small business owners make?

Ryan Sherman:
Marty, I’ve heard a little bit of everything from a merchant keeping credit card numbers down on post-it notes, Excel sheets. There was one gentleman that I spoke to that had security bins, so he would put one half of a card number in one locked cabinet and another half of it in another cabinet. So yeah. Yeah.

Marty Hartman:
Wow.

Ryan Sherman:
Yeah. It’s been pretty extensive and entertaining, to say the least, but yeah, those are things all frowned upon by the card brands. Those aren’t safe.

Marty Hartman:
Wow. So people, they know there’s a risk, but they’re not necessarily taking great measures to help themselves, but they’re trying some very creative methods there.

Ryan Sherman:
Exactly. And we know that technology grows and expands and gets smarter every day and that hasn’t stopped the hackers at all. So there’s always got to be new standards put in place and everything’s got to be super secure to make sure that no one’s able to just easily hack into your system, at all. You want to give them the hardest time as possible.

Marty Hartman:
Exactly. Make their life more difficult. Absolutely. So, is there a cost to go through the process to become compliant?

Ryan Sherman:
That’s a good question. So to become compliant, there aren’t any additional costs at all. I mean, you would literally log into the portal, get registered, they’ll do the IP address scan information and do the self assessment questionnaire. None of that costs anything, not even to register. The only actual costs there is, is when you’re not compliant there is the monthly $24.95 fee, which doesn’t seem like a lot, but it gets pretty pesky after you keep on seeing it on your statements over and over again. Once you’re compliant though, those fees go away. So yeah, to answer your question accurately, there aren’t any fees that occur to become compliant at all, no.

Marty Hartman:
But there’s some savings if you do?

Ryan Sherman:
Oh, absolutely. Oh yeah.

Marty Hartman:
Very good. So aside from the fact that you’re going to protect yourself from data breaches, and you’re going to save some money too, from these fees, are there any other benefits to becoming PCI compliant?

Ryan Sherman:
So, I mean, of course you’re going to make sure that you’re abiding by the rules and regulations that the card brands have put in place. You’re going to be also lowering your transaction fees as well. So this doesn’t just count up against the $24.95 fee that I just spoke on, the more secure you run your transactions and the more information that you capture for that transaction, the less interchange rate appears up on your month end statement. So you can go anywhere from 2.95% to possibly 1.95% for a transaction. It just depends on how much information that you’re covering there.

Ryan Sherman:
And then everyone’s personal favorite, and mine as well, in the event that let’s say you’re already compliant and still someone manages to hack into your system, or there is a breach of some sort, the card brands offer up $100,000 in breach coverage to cover your losses and damages. So, just that blanket right there helps out a lot.

Marty Hartman:
I mean, it sounds to me like the benefits are stacking up and not doing it is a huge, huge risk factor. So where would somebody go if they wanted to get the ball rolling on becoming compliant?

Ryan Sherman:
This is one of my favorite parts to ask me. I love it when people ask me this, because the portal that we just moved over to recently, everyone loves it so far, but it’s called a simplepcidss.com. So this is the portal that EVO just moved over to recently, I believe since October. It’s a lot more user-friendly. I mean, once you get registered on there, the dashboard’s not hard to find, a lot of your information is up top, so when you call in and someone’s asking you for your merchant ID number, a lot of times you have a business to run, you’re not going to always have that information handy, especially when you’re calling in to get help with that. But it shows up at the top of the page, as soon as you log in, so.

Ryan Sherman:
And everything just is right there. The questions are, I feel like, worded a lot easier to understand because a lot of times you’ll get abbreviations like CDE and you may not know what that means. It’s card data environment, but they actually have, below the question, they’ll have the definition of that term, so.

Marty Hartman:
Right. So that makes it pretty user friendly once you go through the portal?

Ryan Sherman:
Absolutely. 100%.

Marty Hartman:
So we’re posting this podcast interview on our website, but just in case somebody’s listening on their phone or in their car, go ahead and say that URL again.

Ryan Sherman:
Sure, sure. That’s simplepcidss. That’s D as in David, S-S.com.

Marty Hartman:
Right. And if anybody has any questions, how do they get in touch with you, Ryan?

Ryan Sherman:
They can always contact EVO B2B at any time at (888) 564-9564.

Marty Hartman:
Fantastic. So –

Ryan Sherman:
And they can also, I apologize, I should have said the email address itself. Yeah. I’m sorry about that, Marty. Our email address is also B2B@evopayments.com as well.

Marty Hartman:
Okay, fantastic. So I hope our members take you up on this because it sounds like there’s really no downside to getting the ball rolling on making sure your business is PCI compliant. So anything else that you would like our listeners to know before we end the interview?

Ryan Sherman:
One thing that I would say there’s a lot of misconceptions around PCI. I know we kind of went over just the bird’s eye view of how it can help and benefit your business. But one of the things that I hear a lot of is it’s just too technical and it could be too costly, but it’s not as bad as you would think. Again, the process itself is going to depend on how you’re processing, but the process itself doesn’t even take that long, to be honest with you. So if you have any questions, feel free to give me a call, shoot us an email, let us know your thoughts on it and we can definitely look into making it easier. That’s our job, is to make it easy for you to get compliant, so.

Marty Hartman:
Well, I’ve talked with members who have switched over their payment processing to EVO, and they tell me that in addition to the savings, the thing they like best is that EVO makes it so easy to transition to your service, but you do everything so seamlessly and make their jobs and their lives so much easier.

Ryan Sherman:
Absolutely. Yeah. I love hearing things like that. Because again, like I said earlier, you have an entire business to run and that requires all of your attention. So sometimes you need that extra backing, that extra layer, to help out a little bit, so.

Marty Hartman:
Well, Ryan, thank you so much for taking the time to do the interview and to inform our members and listeners and we hope that they give you a call.

Ryan Sherman:
Yes. I look forward to it. Marty, thank you very much for having me, sir. I appreciate it.