If you’ve ever had teenagers in your life, you know how challenging it can be to get even the most innocuous information from them: “How was your day?” “Fine.” “What did you do in school?” “I don’t remember.” It can be pretty frustrating. So you can understand how merchants feel when something as (supposedly) simple as getting an AOC or Responsibility Matrix from a PCI provider is often even more difficult than getting routine information from an adolescent.
AOCs and Responsibility Matrices – your not-so-secret weapons
The very definition of an AOC (Attestation of Compliance) makes it clear that the purpose of having an AOC is to act as proof that a provider has completed an SAQ or ROC and is PCI compliant. So it’s no surprise that merchants often wonder why it’s so difficult to obtain an AOC - a document that proves that you are PCI compliant. The same is true of Responsibility Matrices. The purpose of a Responsibility Matrix is to make it easy for merchants to figure out which compliance tasks will be handled by you, which will be handled by the merchant, and which will be shared between the two parties. A Responsibility Matrix simply removes friction and makes it easier for merchants to choose to do business with you. So why create needless friction in your sales cycle? AOCs and Responsibility Matrices are both tools for convincing prospective customers that you’re up to the task at hand. Making them hard to get is a lot like being a surgeon and hiding the degrees and certificates that prove you have the necessary education and training, rather than framing those documents and displaying them in your office. Many successful companies have based their business model on the simple fact that people who are pressed for time are going to choose partners who are easy to do business with. So why not provide AOCs and Responsibility Matrices to those who need them and use the lack of friction as a competitive advantage?
It should be noted that while we refer to AOCs and RMs in similar ways throughout this post, only an AOC is a document proving PCI Compliance, and can thus be defined as Third-Party Proof (3PP). A Responsibility Matrix is simply an aid to organize your compliance efforts.
Are you making things harder than they need to be?
Merchants are right: It shouldn’t be so hard. But for many providers, guarding AOCs and Responsibility Matrices has become a habit that has far outlived its usefulness (if it ever was useful to begin with). If you ask, you’re likely to hear the same tired excuses.
“Our AOC contains proprietary information.”
The PCI Council actually allows you to redact proprietary information - so just take it out. Of course you don’t want to share sensitive information - but instead of restricting access to your entire AOC, view it as a sales document. Keep the information that helps convince prospective customers of your qualifications and redact the rest.
“We want prospective customers to call our sales department so we can give them our pitch!”
That might have worked for serving enterprise customers, but serving the SMB market requires a different approach -- one that lowers costs and maintains margins while doing business at scale. Self-service and evaluation are exactly what you want to offer to reach SMB merchants. Enterprise customers will still insist on talking to you for more detail because they can afford to. But requiring prospective SMB customers to contact your sales department for an AOC or Responsibility Matrix adds time and costs to your sales cycle - both of which cut into your profit margin. It also forces prospective customers to do more work - which could be enough to keep you off the short list of providers they’re considering.
“We only share that information with clients who have signed a nondisclosure agreement.”
Signing nondisclosure agreements might be common practice for enterprises, but SMB merchants don’t want to start signing documents before they’ve even decided to do business with you -- especially if your competitors are making their AOCs and Responsibility Matrices publicly available. Imagine how limited the booming SaaS market would be if you had to sign a nondisclosure every time you signed up. Stripe, for example, has grown by leaps and bounds by eliminating obstacles to getting started with their offering. If you redact any proprietary information, there’s no reason to require prospective customers to sign a nondisclosure agreement just to see your AOC.
Are you making yourself easy to do business with?
Now let’s take a look at things from the perspective of SMB merchants who are just beginning their journey to PCI compliance. They don’t especially care that you’re still reliant on the processes you used with enterprise customers. In fact, they experience them as barriers to doing business -- barriers that take too much time and money to navigate. This is what SMB merchants do care about:
They want to outsource their PCI compliance.
But they’re not sure who they need to partner with or, sometimes, even what they need their partners to do. AOCs and Responsibility Matrices are a good starting point, and they go a long way toward making that evaluation and selection process simple and straightforward. Knowing they can access your AOC whenever they need to helps SMBs feel confident about their ability to achieve and sustain PCI compliance via outsourcing.
They want a partner who’s easy to work with.
Some companies are notoriously hard to deal with. Let them be your competition. While they’re trying to navigate all of the obstacles left over from working with enterprises, position yourself as the company that makes PCI easy for SMBs. That starts with making your AOCs and Responsibility Matrices easily accessible.
Merchants want PCI compliance to be easy. Shouldn’t you?
When it comes to growing your business with SMB merchants, the best thing you can do is remove friction and barriers. Along those lines, making your AOCs and Responsibility Matrices easily accessible accomplishes two goals at once. First, it streamlines your sales processes - thereby reducing your costs and increasing your margins. Second, it increases your competitiveness by making it easy for merchants to find and evaluate your solutions. We want it to be easy, too, and we’re here to help you overcome the obstacles to getting PCI done with your SMB prospects. By posting your AOCs and Responsibility Matrices, you remove one of the primary barriers to getting PCI done, together.