A Thing
The Green SheetGreen Sheet

The Green Sheet Online Edition

March 14, 2011 • Issue 11:03:01

Helping Level 4 merchants comply with PCI DSS 2.0

By Joan Herbig

Since 2006, the PCI Security Standards Council (PCI SSC) has been responsible for the development and management of the Payment Card Industry (PCI) Data Security Standard (DSS), which was created to help ensure the safe handling of payment card data by merchants. The council is currently on a three-year cycle for issuing updates, denoting a mature standard.

Over the next year, merchants and their ISOs and acquirers will be faced with adapting to and adopting PCI DSS 2.0. While the updated standard addresses how merchants of all sizes - from Level 1 (those accepting more than 6 million transactions per year) to Level 4, (those accepting fewer than 1 million payments annually) - should protect cardholder data, ISO and acquirer support for each merchant level can vary greatly.

Resources for PCI compliance

  1. PCI for small merchants:
    click here

  2. PCI updates and deadlines:
    click here

  3. PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 2.0:
    click here

  4. Annual Industry Survey of Level 4 Merchant PCI Compliance Trends:
    click here .

In addition, merchant level salespeople, ISOs and acquirers should rely heavily on their PCI compliance providers for assistance with merchant education and outreach. Solution providers are often in the best position to provide organizational guidance on how to set expectations for merchants and to supply tactical information on how to fill out a longer SAQ.

In many cases, merchant outreach is a service offered to educate merchants on PCI compliance and to help gauge where they are in the process. It's also productive to think of it as an opportunity to strengthen your relationships with them. In the end, however, it saves time and is far more cost effective to leverage your relationship with an existing solution provider and its expertise than to create a PCI compliance education campaign from scratch.

Building stronger merchant relationships and driving higher compliance rates within the Level 4 segment will require an understanding of how PCI DSS 2.0 affects small merchants and how to best communicate these changes to Level 4 merchants.

A closer look at PCI DSS 2.0

In October 2010, the PCI SSC introduced PCI DSS 2.0, with an effective date of Jan. 1, 2011. Version 1.2 will remain effective until Dec. 31, 2011, giving ISOs, acquirers and their merchants several months to become familiar with and begin adopting the new standard.

While change is not always well-received, the reality is that moving from PCI DSS 1.2 to 2.0 has addressed a number of merchant-initiated questions and challenges. The council continues to raise awareness of PCI

compliance to ensure that the intent of the requirements are understood and practiced. ISOs, acquirers and merchants should embrace the changes as a better and safer way to conduct business. Small merchants will see the changes manifested mainly in the Self-Assessment Questionnaire (SAQ).

Changes to various SAQs

Merchants who qualify for SAQ A (those with cardholder data functions outsourced to a PCI-compliant service provider) and B (those with manual imprinters or dial-up phone lines) will be generally unaffected by PCI DSS 2.0. Their SAQs will largely remain unchanged.

The changes to SAQs C and D and the introduction of SAQ C-VT mostly involve additional clarification and guidance. For example, SAQ C merchants using payment applications connected to the Internet and not electronically storing cardholder data will now have to complete 80 questions. This is more than twice the number that SAQ C 1.2 contains.

There is also an uptick in questions for the already extensive SAQ D. As a result, merchants who do not qualify for one of the reduced SAQs, or who store cardholder data, will now have to tackle more than 280 questions instead of the current 226. An additional and significant change is the inclusion of SAQ C-VT. This reduced SAQ C form - with just 51 questions - is designed for virtual terminal users accessing their PCI compliance service provider's solution from a computer isolated in a single location.

To be eligible for this shortened SAQ C, merchants must manually key the payment information into an Internet-based virtual terminal and cannot use any type of swipe device. One of the key benefits of qualifying for this form is that the quarterly external and internal vulnerability scanning requirement is waived.

While the changes may sound intimidating and time consuming, the incremental questions are aimed at helping merchants further understand and comply with the PCI requirements. This is a positive development for merchants who self-validate their PCI compliance.

What ISOs and acquirers can do now

  • Set a context for PCI DSS 2.0 through email, direct mail or one-on-one communication with Level 4 merchants. Start with general information about PCI DSS 2.0. Next, send SAQ-specific information on how to prepare for each questionnaire, tailored to the merchant's specific processing method. Finally, monitor the merchant through PCI compliance.
  • Put special educational programs, such as an outbound calling campaign, in place for merchants with varied payment environments.
  • Team with small merchants to mentor them through the PCI DSS compliance.
  • Encourage merchants to not store cardholder data, and explain to them the benefits that result, such as risk reduction and a reduction in the amount of effort required to comply with PCI.

The Level 4 merchant mindset

The size of Level 4 merchants tends to drive how they perceive data security and determine the steps they take to protect sensitive information. For example, ControlScan's latest Annual Industry Survey of Level 4 Merchant PCI Compliance Trends, completed in conjunction with Merchant Warehouse, indicates 53 percent of Level 4 merchants rated data security as a high priority, but 55 percent of all respondents said they were unsure of or not at all familiar with the PCI DSS.

Many merchants assume that because they don't handle a high number of transactions, they are less likely to be the victim of a data breach. The PCI compliance trends survey shows 84 percent of merchants (retail and online) perceive their data security risk to be low.

ISOs and acquirers should view PCI DSS 2.0 as an opportunity to take a leadership role in helping Level 4 merchants understand the importance of bolstering their security posture through adherence to the standard. By tailoring education and outreach to a merchant's size, resources and knowledge level, payments service providers not only increase their portfolio compliance rates, but also strengthen their merchant relationships.

Educating merchants on PCI DSS 2.0

Just as one size does not fit all within the Level 4 category, generalized PCI DSS 2.0 assistance will not advance compliance. Small merchants will turn to their ISOs and acquirers for context as they go through the compliance process, so they can understand the basics of PCI compliance and receive the tactical guidance needed to adhere to PCI DSS 2.0.

Since security, like insurance, does not generate revenue for merchants, education cannot be a hard sell. Instead, you should help Level 4 merchants understand what PCI DSS 2.0 is, why they are required to comply and how it benefits them. Small merchants who receive effective education often shift from a reactionary posture to a proactive attitude toward security. end of article

Joan Herbig is Chief Executive Officer for Atlanta-based ControlScan, a provider of PCI compliance solutions that fit the specific needs of small to medium-sized merchants. Herbig is active in the PCI security and payments communities, where she is often asked to speak, and leads education sessions for the Electronic Transactions Association. Contact her at jherbig@controlscan.com or 800-825-3301.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next
A Thing