The Green Sheet Online Edition
April 27, 2009 • Issue 09:04:02
Level 4: The small-merchant PCI challenge
While sensational data breaches experienced by big-box retailers and processors fill the headlines, 85 percent of reported data compromises involve small merchants - defined as Level 4 by the Payment Card Industry (PCI) Data Security Standard (DSS). More than 6 million small merchants are doing business in North America; fewer than 5 percent have attested to compliance with the PCI DSS.
These are potentially costly statistics for acquirers, who ultimately shoulder the monetary burden should their merchants experience breaches.
Beyond their abundance, Level 4 merchants carry unique challenges. Acquirers can reduce their overall risk and dramatically improve compliance rates among these merchants by overcoming four often-overlooked pitfalls when designing their PCI compliance programs.
Challenge 1: Little awareness of security
Small merchants are focused on making ends meet. They have little awareness of - or time to focus on - security best practices. The few who have heard of PCI compliance typically don't know the standard applies to them. They assume PCI compliance is only for the "big guys" or e-commerce merchants.
Those who realize PCI compliance does apply to them often approach it as a perfunctory process. The benefits of better security often aren't clear to them, and they don't realize breaches could be catastrophic for their businesses.
Acquirers are required to develop a plan to address and educate small merchants about the PCI DSS. The PCI Security Standards Council (SSC) provides basic air cover, but acquirers that take a proactive, targeted approach to engage Level 4 merchants with a variety of educational materials and tactics will become valuable partners to their merchants and gain a competitive advantage.
Education should be a significant component of any acquirer's comprehensive merchant outreach strategy to drive PCI compliance. Examples of helpful educational tools for small merchants include:
- FAQs tailored to Level 4 merchants
- PCI DSS basics
- Tools to help merchants determine their PCI Self-Assessment Validation category and whether they require quarterly scans
- Overview of the risks merchants face if they are not PCI compliant
Additionally, acquirers should advise small merchants against storing credit card data without a compelling business reason for doing so, and direct them to use Payment Application DSS-compliant applications. That way, small merchants will experience a simpler path to PCI compliance and reduce their risk of data compromise.
Challenge 2: Lack of technical expertise
Most small merchants have few or no technical staffers to manage the PCI compliance process. All of them are required to complete Self Assessment Questionnaires (SAQs) annually and maintain compliance throughout the year. Many have problems answering basic questions in the SAQ because the language is often aimed at technical users.
Questions like the following frequently arise:
- What validation type am I?
- What is a payment application?
- What is encrypted data?
- What is a firewall?
- How do I know if I'm storing prohibited card data?
Level 4 merchants typically have no idea how credit card data flows through their businesses, and most don't have security awareness programs to educate employees on best practices for ensuring the security of cardholder information. Thus, they are highly reliant on outside parties, including their acquirers or POS equipment vendors, and often receive conflicting advice.
Acquirers can help reduce confusion by providing small merchants with guidelines to answer SAQ questions that are specific to each merchant's environment. This makes it easier to complete the SAQ and improves the quality of responses. Acquirers may also want to consider providing security awareness training, in everyday language, to provide fundamental information small merchants need to guard against data compromises.
Going forward, acquirers may want to establish processes for obtaining sufficient information about their merchants' environments that will enable them to answer certain questions, such as what payment application a given merchant uses. This data could be pre-entered in an online SAQ to make the process easier and less frustrating for the merchant.
Challenge 3: Diverse merchant environments
Small merchants often need multiple touch points to become knowledgeable and engaged in the PCI compliance process. Retailers lacking computer or e-mail access present acquirers with challenges regarding how to fully track and convey compliance rates for their small merchant portfolios.
Acquirers must be prepared to provide paper versions of the SAQ to merchants without online access. Moreover, acquirers should develop a content management and reporting strategy for these one-off measures. This will ensure they maintain a holistic view of compliance for their merchant portfolios.
Acquirer portfolios frequently consist of large concentrations of non-English speaking merchants, which compounds the difficulty of the entire compliance process. While the PCI SSC provides the SAQ in English and six other languages, acquirers still face the issue of providing training and technical support to help merchants answer the questions effectively. Acquirers will need to formulate plans to provide the SAQ and support for completing the SAQ in multiple languages.
Challenge 4: Web site vulnerabilities
Small merchants with externally facing Internet Protocol (IP) addresses must complete quarterly vulnerability scans (SAQ validation types 4 and 5) to comply with the PCI DSS. Small merchants face unique challenges in complying with this requirement.
Before scanning even begins, small merchants typically ask basic questions, including:
- What is an externally facing IP?
- What do I need to scan?
- How do I find my firewall password?
- Do I need to scan my POS system that is connected to the Internet?
Most vulnerabilities found in small-merchant scanning results require assistance from outside vendors to remediate. For example, dangerous Structured Query Language (SQL) injection and cross-site scripting vulnerabilities require a programmer to remediate; however, most merchants don't have a programmer in-house and are often not sure whom to commission.
The merchant's host also plays a role in remediating vulnerabilities, and while there are many cooperative hosts, some are not willing to make the changes required to bring the merchant into compliance.
Changes to consider
Developing and implementing a successful Level 4 compliance program is not easy, but acquirers that take the time to develop a plan that anticipates the unique challenges their small merchants face upfront will increase the likelihood of realizing much higher compliance rates and less merchant frustration.
Acquirers that don't have the time and resources to dedicate to comprehensive PCI compliance should consider partnering with a company that specializes in PCI compliance for small merchants.
Different deployment options exist, ranging from full outsourcing to a hybrid model, where an acquirer's support team is trained to handle some aspects of support. This helps ensure the acquirer is equipped with knowledge to answer basic technical questions that often stall merchants early in the PCI compliance process.
Security is becoming increasingly multilayered and complex, so even those with expertise have difficulty configuring security tools correctly. Acquirers managing a PCI compliance program should be prepared to "get in the trenches" to effectively support their merchants.
Whether managed in-house or externally through a third party, a well-executed PCI program helps acquirers reduce risk and provides an opportunity for them to take a leadership position and establish stronger relationships with their merchants.
Joan Herbig is Chief Executive Officer of ControlScan. She has more than 20 years' experience in the high-tech world and serves on the Electronic Transactions Association's Risk and Fraud committee. Contact her at email@example.com or 800-825-3301.