By Joan Herbig
Since 2006, the PCI Security Standards Council (PCI SSC) has been responsible for the development and management of the Payment Card Industry (PCI) Data Security Standard (DSS), which was created to help ensure the safe handling of payment card data by merchants. The council is currently on a three-year cycle for issuing updates, denoting a mature standard.
Over the next year, merchants and their ISOs and acquirers will be faced with adapting to and adopting PCI DSS 2.0. While the updated standard addresses how merchants of all sizes - from Level 1 (those accepting more than 6 million transactions per year) to Level 4 (those accepting fewer than 1 million payments annually) - should protect cardholder data, ISO and acquirer support for each merchant level can vary greatly.
Building stronger merchant relationships and driving higher compliance rates within the Level 4 segment will require an understanding of how PCI DSS 2.0 affects small merchants and how to best communicate these changes to Level 4 merchants.
In October 2010, the PCI SSC introduced PCI DSS 2.0, with an effective date of Jan. 1, 2011. Version 1.2 will remain effective until Dec. 31, 2011, giving ISOs, acquirers and their merchants several months to become familiar with and begin adopting the new standard.
While change is not always well-received, the reality is that moving from PCI DSS 1.2 to 2.0 has addressed a number of merchant-initiated questions and challenges. The council continues to raise awareness of PCI compliance to ensure that the intent of the requirements is understood and practiced. ISOs, acquirers and merchants should embrace the changes as a better and safer way to conduct business. Small merchants will see the changes manifested mainly in the Self-Assessment Questionnaire (SAQ).
Merchants who qualify for SAQ A (those with cardholder data functions outsourced to a PCI-compliant service provider) and B (those with manual imprinters or dial-up phone lines) will be generally unaffected by PCI DSS 2.0. Their SAQs will largely remain unchanged.
The changes to SAQs C and D and the introduction of SAQ C-VT mostly involve additional clarification and guidance. For example, SAQ C merchants using payment applications connected to the Internet and not electronically storing cardholder data will now have to complete 80 questions. This is more than twice the number that SAQ C 1.2 contains.
There is also an uptick in questions for the already extensive SAQ D. As a result, merchants who do not qualify for one of the reduced SAQs, or who store cardholder data, will now have to tackle more than 280 questions instead of the current 226. An additional and significant change is the inclusion of SAQ C-VT. This reduced SAQ C form - with just 51 questions - is designed for virtual terminal users accessing their PCI compliance service provider's solution from a computer isolated in a single location.
To be eligible for this shortened SAQ C, merchants must manually key the payment information into an Internet-based virtual terminal and cannot use any type of swipe device. One of the key benefits of qualifying for this form is that the quarterly external and internal vulnerability scanning requirement is waived.
While the changes may sound intimidating and time consuming, the incremental questions are aimed at helping merchants further understand and comply with the PCI requirements. This is a positive development for merchants who self-validate their PCI compliance.
The size of Level 4 merchants tends to drive how they perceive data security and determine the steps they take to protect sensitive information. For example, ControlScan's latest Annual Industry Survey of Level 4 Merchant PCI Compliance Trends, completed in conjunction with Merchant Warehouse, indicates 53 percent of Level 4 merchants rated data security as a high priority, but 55 percent of all respondents said they were unsure of or not at all familiar with the PCI DSS.
Many merchants assume that because they don't handle a high number of transactions, they are less likely to be the victim of a data breach. The PCI compliance trends survey shows 84 percent of merchants (retail and online) perceive their data security risk to be low.
ISOs and acquirers should view PCI DSS 2.0 as an opportunity to take a leadership role in helping Level 4 merchants understand the importance of bolstering their security posture through adherence to the standard. By tailoring education and outreach to a merchant's size, resources and knowledge level, payments service providers not only increase their portfolio compliance rates, but also strengthen their merchant relationships.
Just as one size does not fit all within the Level 4 category, generalized PCI DSS 2.0 assistance will not advance compliance. Small merchants will turn to their ISOs and acquirers for context as they go through the compliance process, so they can understand the basics of PCI compliance and receive the tactical guidance needed to adhere to PCI DSS 2.0.
Since security, like insurance, does not generate revenue for merchants, education cannot be a hard sell. Instead, you should help Level 4 merchants understand what PCI DSS 2.0 is, why they are required to comply and how it benefits them. Small merchants who receive effective education often shift from a reactionary posture to a proactive attitude toward security.
Joan Herbig is Chief Executive Officer for Atlanta-based ControlScan, a provider of PCI compliance solutions that fit the specific needs of small to medium-sized merchants. Herbig is active in the PCI security and payments communities, where she is often asked to speak, and leads education sessions for the Electronic Transactions Association. Contact her at email@example.com or 800-825-3301.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.