The Green Sheet Online Edition
July 27, 2009 • Issue 09:07:02
A new software program from Network Merchants Inc. targets what is perhaps the most remediable issue with Payment Card Industry (PCI) Data Security Standard (DSS) compliance: its language.
Using questions, explanations and pictures designed to simplify what many find to be the inscrutably technical language of the PCI regulations, CertifyPCI leads a merchant through the required process of self-assessment - finding and filling out the proper self-assessment questionnaire (SAQ) - whereby it is determined whether all the right measures are in place to ensure compliance and forestall a breach.
"A lot of these merchants are very intimidated by selecting the right [SAQ] document and filling it out and feeling confident filling it out," said Nick Starai, Director of Product Development for NMI.
"What we're trying to attack is really making this process streamlined - making sure we auto-select by a couple choice questions what will make sense to the merchant to pick the right document and walk them through filling it out." CertifyPCI is hosted software running on the NMI gateway, and merchants sign up online to create accounts. No download is required; opening and closing an account simply entails returning to the same Web portal.
Find the right document, fill it out
Essentially, the service does two things. One, it helps merchants determine what SAQ to fill out (the questionnaires differ depending on merchant size and type) through a series of questions; two, it guides them through the document's questions by providing notes and pictures designed to clarify each one.
"[The questions] may be basic, like are you a retail merchant?" Starai said. "A lot of merchants still don't even know what retail means [in payments jargon]. Basically, retail might show pictures of card readers or a credit card showing you have some sort of card in your environment, whereas card-not-present or e-commerce will be a different picture. We find clients will relate a lot easier to something they're used to seeing."
Starai said the program begins by asking merchants a series of questions in "layman's language" to deduce what category they fall in and thus what questionnaire to select. Once the program selects a questionnaire, it sends one last message for the merchant to confirm (or disconfirm) that the selected questionnaire is indeed the right one. Only then does the merchant start on the form.
The service is for merchants who fall into the PCI categories of level 2, 3 or 4 (level 1 merchants - those processing more than 6 million transactions a year - are required to enlist an outside auditor for their PCI compliance checks; they don't typically use SAQs).
"Our system will ask a variety of questions to determine which of a handful of questionnaires [to use] depending on what type of merchant you are; whether you're a retailer, MO/TO or e-commerce, our system will automatically figure out which questionnaire you should be filling out and then, in line with our Web site's [feedback], you check off the appropriate questions and answers," Starai said.
Proof of completion
When a merchant is done filling out the questionnaire, the program provides a print-out containing all of the information that's been entered, verifying a successful self-assessment and noting the deadline for the next compliance check. The program, according to its proprietors, is updated to stay in line with any changes made to the PCI regulations. "We'll keep tabs and update as needed," said Ted Cucci, Chief Operating Officer of NMI. "We're also members of the PCI Council, so we get every update. We're pretty up on PCI."
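The selection flow described above (a few plain-language questions, an automatic questionnaire choice, a confirmation step) and the completion record with its next-assessment deadline can be sketched as a small program. The following is an added example written for this article, not CertifyPCI's or NMI's own code. The only figure taken from the article is the level 1 cutoff of more than 6 million transactions a year; the question ids, the channel-to-SAQ mapping and the "stored card data means SAQ D" rule are deliberately simplified assumptions for illustration, not the PCI SSC's official eligibility criteria, which must be checked against the current SAQ instructions.

```python
"""Minimal SAQ-selection and completion-record flow (illustrative, added example).

Assumptions (not from the article or from PCI SSC guidance): the question ids,
the CHANNEL_TO_SAQ mapping and the stored-card-data rule are simplified stand-ins
so the flow can run end to end.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# From the article: more than 6 million transactions a year is a level 1 merchant,
# who needs an outside assessor and does not typically use an SAQ.
LEVEL1_ANNUAL_TXN_THRESHOLD = 6_000_000

# Plain-language questions a merchant would be asked, keyed by an internal id.
QUESTIONS: Dict[str, str] = {
    "annual_transactions": "Roughly how many card transactions do you process per year?",
    "channel": "How do you take cards? (retail / moto / ecommerce)",
    "stores_card_data": "Do you keep card numbers electronically after a sale? (yes/no)",
}

# ASSUMED, simplified mapping from the merchant's channel to a questionnaire.
# Real SAQ eligibility depends on several more conditions than the channel alone.
CHANNEL_TO_SAQ: Dict[str, str] = {
    "ecommerce": "SAQ A",  # assumption: card entry fully outsourced to a hosted page
    "moto": "SAQ B",       # assumption: standalone dial-out terminals only
    "retail": "SAQ C",     # assumption: payment system connected to the internet
}


@dataclass
class Selection:
    questionnaire: Optional[str]   # None when an SAQ does not apply (level 1)
    reason: str
    needs_external_assessor: bool


def select_saq(answers: Dict[str, object]) -> Selection:
    """Pick a questionnaire from the merchant's answers, or flag level 1."""
    txns = int(answers["annual_transactions"])
    if txns > LEVEL1_ANNUAL_TXN_THRESHOLD:
        return Selection(None, "level 1 merchant: on-site assessment by an outside auditor", True)
    if str(answers.get("stores_card_data", "no")).strip().lower() == "yes":
        # Assumption: any electronic storage of card data rules out the short forms.
        return Selection("SAQ D", "stores cardholder data electronically", False)
    channel = str(answers["channel"]).strip().lower()
    if channel not in CHANNEL_TO_SAQ:
        raise ValueError(f"unknown channel {channel!r}; expected one of {sorted(CHANNEL_TO_SAQ)}")
    return Selection(CHANNEL_TO_SAQ[channel], f"{channel} channel, no stored card data", False)


def add_one_year(d: date) -> date:
    """Next annual deadline; 29 February rolls back to 28 February in a common year."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


def confirm_and_schedule(selection: Selection, merchant_confirms: bool,
                         completed_on: date) -> Dict[str, object]:
    """The confirmation step, then the completion record with the next deadline."""
    if selection.questionnaire is None:
        raise ValueError("no SAQ to confirm: " + selection.reason)
    record: Dict[str, object] = {
        "questionnaire": selection.questionnaire,
        "reason": selection.reason,
        "completed_on": completed_on,
        "next_assessment_due": None,
        "status": "selection_rejected",
    }
    if merchant_confirms:
        # Self-assessment is repeated annually; record when the next one falls due.
        record["status"] = "confirmed"
        record["next_assessment_due"] = add_one_year(completed_on)
    return record


if __name__ == "__main__":
    # Constructed sample answers for a small mail-order merchant.
    sample_answers = {"annual_transactions": "12000", "channel": "moto", "stores_card_data": "no"}
    choice = select_saq(sample_answers)
    print(choice)
    print(confirm_and_schedule(choice, merchant_confirms=True, completed_on=date(2009, 7, 27)))
```

The merchant's confirmation is modelled as a separate call so a rejected selection never produces a deadline, mirroring the article's point that the form is only started after the merchant agrees the chosen questionnaire is the right one.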
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.