
The Green Sheet Online Edition

November 23, 2009  •  Issue 09:11:02


New Products

Assistance with self-assessment

Product: ExpertPCI

According to Tim Cranny, Chief Executive Officer of payment security consulting firm Panoptic Security Inc., the Self Assessment Questionnaires (SAQs) used for Payment Card Industry (PCI) Data Security Standard (DSS) compliance - which pose a number of security questions to merchants to help ensure that their payment networks are properly fortified - misguidedly transfer the responsibility of payment security to the wrong party.

"Historically these merchant vendors have taken the right approach, which is don't you worry about it - we'll take care of it," Cranny said. "PCI just cuts directly across that common-sense approach because it requires the merchant to answer questions."

Payment network security, including the SAQ, can be a daunting task, particularly for merchants with little or no understanding of security technology. With that in mind, Panoptic has developed a software program that, combined with a quick human screening process, can reduce the burden of the SAQ dramatically, according to Panoptic.


The program, known as ExpertPCI, is designed to weed out from SAQs (which can be hundreds of questions long) questions that either do not pertain to a given merchant or can be better handled by a more knowledgeable security provider.

"This has two payoffs," Cranny said. "It significantly helps the merchant by making the whole process simpler, faster and more accurate, but it also helps the partners, whether they are the ISO or the POS vendor et cetera. It means all the good they do is captured accurately for the merchant. ... The merchant knows, 'Hey, it turns out 50 problems have already been taken care of by my payment application vendor.'"

The human side of the process is simple: Panoptic works with ISOs to determine precisely the kind of payment acceptance and networking equipment their merchants are using. Cranny said the process tends to go speedily, aided by the fact that ISOs often sell the same types of services to most or all of their merchants.

The ISO then enters the information thus obtained into the ExpertPCI software, which in turn does three things: first, it determines which SAQ (A, B, C or D) the merchant needs to fill out; second, it eliminates the SAQ questions that aren't relevant to a given merchant; and third, it answers questions that a typical merchant would struggle with.

The result, Cranny said, is a truncated, streamlined questionnaire in which all the questions that remain are manageable for the client.

"Anything that can be done for the merchant is done for the merchant, whether that's making the question disappear or actively generating an answer for them and giving them advice about what to do," Cranny said.

"For example, if a merchant has no other cardholder data handling other than their payment application, and that payment application does not store cardholder data, we know that merchant overall does not store cardholder data, so there are literally dozens of questions that become irrelevant.

"In other cases, we actually know that if the merchant has a problem, we identify why they have a problem and what can be done to fix it."

Qualifying questions

Cranny added that merchants are usually left with questions they are uniquely qualified to answer.

"PCI is so broad you will always have questions that can't be answered through this system, like those to do with physical security or how you train and bring on new staff," Cranny said. "Those are questions that cannot be made to go away by any box or technology. ... It falls pretty neatly into two camps: the categories the merchant can answer and the categories the merchant cannot answer but we can for them."
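The three steps described above (choose the SAQ, drop questions that cannot apply, pre-fill what a vendor can answer) can be sketched as a small rule engine. This is an added example, not ExpertPCI code or anything from Panoptic; the profile fields, the simplified selection criteria and the five-question catalog are assumptions constructed for illustration.

```python
# Added illustration, not ExpertPCI code; fields, criteria and questions are assumptions.
from dataclasses import dataclass

@dataclass
class Profile:                     # what the ISO records per merchant (hypothetical)
    card_present: bool
    outsources_all_chd: bool       # every cardholder-data function is outsourced
    standalone_dialout: bool       # imprinter or dial-out terminal only
    app_internet_connected: bool
    app_stores_chd: bool           # payment application stores cardholder data
    other_chd_handling: bool       # data handled outside the payment application

def known_no_storage(p):
    # Inference quoted in the article: no handling outside the application and
    # an application that does not store data means the merchant does not store it.
    return not p.other_chd_handling and not p.app_stores_chd

def select_saq(p):
    # Step one: choose the questionnaire. Unknown storage falls through to D.
    if not known_no_storage(p):
        return "D"
    if not p.card_present and p.outsources_all_chd:
        return "A"
    if p.standalone_dialout:
        return "B"
    if p.app_internet_connected:
        return "C"
    return "D"

QUESTIONS = [                      # constructed sample catalog: (id, topic, text)
    ("Q1", "storage", "Is stored cardholder data rendered unreadable?"),
    ("Q2", "storage", "Is a retention and disposal policy in place?"),
    ("Q3", "application", "Are vendor-supplied default passwords changed?"),
    ("Q4", "physical", "Is physical access to payment devices restricted?"),
    ("Q5", "training", "Are new staff trained on security policy?"),
]

def triage(p, vendor_answers):
    # Steps two and three: drop what cannot apply, pre-fill what the vendor
    # can answer, and leave the rest for the merchant.
    result = {"saq": select_saq(p), "removed": [], "pre_answered": {}, "merchant": []}
    for qid, topic, _text in QUESTIONS:
        if topic == "storage" and known_no_storage(p):
            result["removed"].append(qid)
        elif qid in vendor_answers:
            result["pre_answered"][qid] = vendor_answers[qid]
        else:
            result["merchant"].append(qid)
    return result
```

When storage cannot be ruled out, the sketch keeps the storage questions and selects SAQ D, so a missing fact never removes a question.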

Panoptic Security Inc.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
