Protect Mobile: Increasing conversion rate by 40% by mobilising key milestones in PCI DSS compliance journey.

Mobile UX * Product Design Lead * UX Research


Enhance PCI DSS compliance processes to address challenges stemming from infrequent engagement, perceived burden, forgetfulness, and operational inefficiencies. Specifically, optimise the compliance journey for merchants handling card payments by leveraging technology to streamline vulnerability scans and reduce operational costs associated with compliance verification.


PCI DSS compliance poses unique challenges due to its quarterly and annual engagement requirements, contrasting with systems encouraging continuous user interaction. Often seen as a burdensome task, especially delegated by financial organisations to merchants, users typically engage with compliance processes only 4-5 times a year, leading to forgetfulness regarding procedures. For most merchants handling card payments, compliance involves quarterly vulnerability scans of external IP addresses. In Viking Cloud's Proactive Data Security Programme, support agents may need to make up to 9 phone calls to ensure compliance, even if no PCI-related vulnerabilities are found, resulting in significant operational expenses.

User journey & empathy mapping, storyboards and wireframe flows.
Analysis of key touch points and opportunities



Infrequent engagement

PCI DSS compliance requires merchants to engage with the process quarterly or annually, leading to low user interaction compared to systems with continuous engagement models.


Perception of burden

Many merchants perceive PCI DSS compliance as a burdensome task imposed by financial institutions, resulting in low motivation and compliance fatigue. Having to log into web portal to perform non-frequent but reoccurring actions can often be dropped.


Forgetfulness and complexity

Due to the sporadic nature of engagement, users often forget procedures and requirements, increasing the risk of non-compliance.


Operational inefficiencies

In the context of Viking Cloud's Proactive Data Security Programme, support agents face challenges in ensuring compliance, including the need for multiple phone calls(up to 9 calls) to obtain verbal attestation, regardless of the presence of vulnerabilities. This manual process results in high operational costs and inefficiencies.

User journey & empathy mapping, storyboards and wireframe flows.
User journey & empathy mapping, storyboards and wireframe flows.



Task analysis

We began our research by taking a close look at the task necessary to be completed by the user with regard of the Vulnerability Scanning and Attestation as they happened today on the portal. Identified key milestones and looked for opportunities where it would be possible to extract key interactions from the web portal into mobile.


Customer journey mapping

Identical to the overall compliance journey, Vulnerability Scanning requirements can look very different for each user depending on complexity their environment and security standards already implemented. We analysed each possible user journey and identified those that are more frequent, easier to complete and would work well with mobile form factor.


Key touch points id and analysis

We identified three critical milestones in the merchant journey that had the highest impact on call center operation time and were simple actions achievable on a mobile device in under a minute: 1) Scan setup and scope completion: completed on the web portal. 2) Scan result monitoring and special notes completion. 3) Scan result attestation and expiry date tracking for compliance.

High-fidelity prototype for user testing
High-fidelity prototype for user testing
Old VS New UI. Components design of material UI have been updated as part of this release also.
Old VS New UI. Components design of material UI have been updated as part of this release also.

Solution development

Collaborating with the mobile engineering team and product owners for both the mobile and web portal, we devised workflows validated through user testing with our beta audience. We identified key points in the web portal journey, and strategically introduced the mobile app to demonstrate immediate value to users. For passing scans requiring only confirmation, we developed a simple one-click workflow on mobile, reducing support desk call times significantly.

For scans needing additional actions, such as filling out notes and identifying related hosts, we adapted the minimal web portal UI to mobile, enabling direct completion on the phone before attestation. For compliant users from the previous year with consistent scan results, we introduced a streamlined flow allowing confirmation of environment changes. If no changes occurred, users could one-click re-validate using last year's information.


Albeit waiting 12 month to analyse the impact was exhausting teeth clenching exercise - the results were astonishing. Mobile uptake saw a notable increase of nearly 20%, with significant benefits observed for mobile users. The quarterly scan journey was accelerated by up to 90% for mobile users, showcasing a substantial improvement in efficiency.

Moreover, the compliance conversion rate witnessed an impressive year-on-year increase of approximately 40%. Within the program, the number of annual phone calls decreased dramatically from an average of over 20 to just 7, indicating enhanced operational efficiency. Additionally, annual re-validation rates experienced a notable uptick of 12% compared to the previous year, reflecting improved adherence to compliance requirements.


conversion rate increase


acceleration in quarterly scan


uptake over 2 years


call reduction

Selection of final screens created by UI team. From account to attest view.
Selection of final screens created by UI team. From account to attest view.
Final passing scan review flow.
Final passing scan review flow.

I was Platform Design Lead @ VikingCloud

Leading internal and external design teams and overseeing UX.


For job offers & collaborations

Get in touch on LinkedIn

Drop me an email to

Anton Lebed © 2024