The Green Sheet Online Edition
November 23, 2009 • Issue 09:11:02
Assistance with self-assessment
According to Tim Cranny, Chief Executive Officer of payment security consulting firm Panoptic Security Inc., the Self Assessment Questionnaires (SAQs) used for Payment Card Industry (PCI) Data Security Standard (DSS) compliance - which pose a number of security questions to merchants to help ensure that their payment networks are properly fortified - misguidedly transfer the responsibility of payment security to the wrong party.
"Historically these merchant vendors have taken the right approach, which is don't you worry about it - we'll take care of it," Cranny said. "PCI just cuts directly across that common-sense approach because it requires the merchant to answer questions."
Payment network security, including the SAQ, can be a daunting task, particularly for merchants with little or no understanding of security technology. With that in mind, Panoptic has developed a software program that, combined with a quick human screening process, can reduce the burden of the SAQ dramatically, according to Panoptic.
The program, known as ExpertPCI, is designed to weed out from SAQs (which can be hundreds of questions long) questions that either do not pertain to a given merchant or can be better handled by a more knowledgeable security provider.
"This has two payoffs," Cranny said. "It significantly helps the merchant by making the whole process simpler, faster and more accurate, but it also helps the partners, whether they are the ISO or the POS vendor et cetera. It means all the good they do is captured accurately for the merchant. ... The merchant knows, 'Hey, it turns out 50 problems have already been taken care of by my payment application vendor.'"
The human side of the process is simple: Panoptic works with ISOs to determine precisely the kind of payment acceptance and networking equipment their merchants are using. Cranny said the process tends to go speedily, aided by the fact that ISOs often sell the same types of services to most or all of their merchants.
The ISO then enters the information gathered this way into the ExpertPCI software, which does three things. One, it determines which SAQ (A, B, C or D) the merchant needs to fill out; two, it eliminates the SAQ questions that aren't relevant to that merchant; and three, it answers the questions a typical merchant would struggle with.
The result, Cranny said, is a truncated, streamlined questionnaire in which all the questions that remain are manageable for the client.
"Anything that can be done for the merchant is done for the merchant, whether that's making the question disappear or actively generating an answer for them and giving them advice about what to do," Cranny said.
"For example, if a merchant has no other cardholder data handling other than their payment application, and that payment application does not store cardholder data, we know that merchant overall does not store cardholder data, so there are literally dozens of questions that become irrelevant.
"In other cases, we actually know that if the merchant has a problem, we identify why they have a problem and what can be done to fix it."
Cranny added that merchants are usually left with questions they are uniquely qualified to answer.
"PCI is so broad you will always have questions that can't be answered through this system, like those to do with physical security or how you train and bring on new staff," Cranny said. "Those are questions that cannot be made to go away by any box or technology. ... It falls pretty neatly into two camps: the categories the merchant can answer and the categories the merchant cannot answer but we can for them."
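The three-step triage the article describes (pick the SAQ, drop questions that cannot apply, pre-answer what the vendor already covers, and hand the rest to the merchant) is essentially a small rule engine over facts gathered from the ISO. The following Python is an added illustration written for this page, not Panoptic's ExpertPCI code. The merchant profile, the question list and the SAQ-selection rule are all constructed for the example; the SAQ rule in particular is a deliberately simplified placeholder and not the official PCI eligibility criteria.

```python
from dataclasses import dataclass


@dataclass
class MerchantProfile:
    """Facts the ISO establishes during screening (constructed sample fields)."""
    payment_app_stores_chd: bool      # does the POS/payment application store cardholder data?
    other_chd_handling: bool          # any cardholder data handling outside that application?
    card_present: bool                # face-to-face vs. e-commerce / MOTO
    all_chd_functions_outsourced: bool  # every cardholder-data function handled by a third party


@dataclass
class Question:
    qid: str
    text: str
    topic: str                 # "storage", "network", "physical", "staff", ...
    vendor_answerable: bool = False  # can the payment application vendor answer this for the merchant?


def merchant_stores_chd(p: MerchantProfile) -> bool:
    """The inference quoted in the article: no handling outside the payment app,
    and the app itself does not store cardholder data, means the merchant
    as a whole does not store cardholder data."""
    return p.other_chd_handling or p.payment_app_stores_chd


def select_saq(p: MerchantProfile) -> str:
    """Simplified, illustrative SAQ selection (assumption, not PCI's official rules):
    fully outsourced card-not-present merchants get the short form, everyone else
    falls through to the catch-all."""
    if not p.card_present and p.all_chd_functions_outsourced:
        return "A"
    return "D"


def triage(p: MerchantProfile, questions: list) -> dict:
    """Sort questions into the three buckets the article describes:
    eliminated (cannot apply), auto-answered (vendor already covers it),
    and left for the merchant (physical security, staff training, ...)."""
    result = {"saq": select_saq(p), "eliminated": [], "auto_answered": {}, "merchant": []}
    stores = merchant_stores_chd(p)
    for q in questions:
        if q.topic == "storage" and not stores:
            result["eliminated"].append(q.qid)        # storage questions vanish for a non-storing merchant
        elif q.vendor_answerable:
            result["auto_answered"][q.qid] = "covered by payment application vendor"
        else:
            result["merchant"].append(q.qid)          # only the merchant can answer these
    return result


# Constructed sample questionnaire, loosely modelled on SAQ topics.
SAMPLE_QUESTIONS = [
    Question("3.4", "Is stored PAN rendered unreadable?", "storage"),
    Question("3.1", "Is stored cardholder data kept to a minimum?", "storage"),
    Question("1.1", "Does the firewall restrict inbound traffic?", "network", vendor_answerable=True),
    Question("9.1", "Is physical access to cardholder data areas controlled?", "physical"),
    Question("12.6", "Is security awareness training given to new staff?", "staff"),
]

# Constructed profile: card-present merchant whose only cardholder data handling is a
# payment application that does not store cardholder data.
SAMPLE_MERCHANT = MerchantProfile(
    payment_app_stores_chd=False,
    other_chd_handling=False,
    card_present=True,
    all_chd_functions_outsourced=False,
)


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_MERCHANT, SAMPLE_QUESTIONS).items():
        print(bucket, items)
```

Run as a script, the sample merchant keeps only the physical-security and staff-training questions, the firewall question is marked as the vendor's, and both storage questions are dropped because the non-storage inference holds. Flipping either storage flag on the profile brings the storage questions back into the merchant's pile, which is the check worth keeping in mind: the pruning is only as good as the facts the ISO screening established.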
Panoptic Security Inc.