The Green Sheet Online Edition
September 09, 2013 • Issue 13:09:01
PCI compliance gets easier with SmartSAQ
The payments industry has seen significant improvement in data security practices since the advent of the Payment Card Industry (PCI) Data Security Standard (DSS) seven years ago. According to a 2010 Visa Inc. report, the Level 1 merchant compliance rate had climbed from 12 percent to 96 percent since 2006. The report also indicated higher compliance among Level 2 category merchants, clocking them in at an overall rate of 95 percent. However, the same study also showed marginal compliance improvement within the Level 3 and 4 merchant brackets.
In 2009, ControlScan launched its inaugural study aimed at understanding Level 4 merchant security behaviors and awareness of PCI compliance. In November 2012, the fourth iteration of this annual study provided current data on perceptions and attitudes small to midsize businesses have about security. ControlScan's 2012 study, which incorporated feedback from over 600 respondents, revealed ongoing improvements within the Level 4 business category, but much of that progress was made by larger Level 4 merchants or those conducting business online.
Moreover, according to the report, 47 percent of respondents "are 'unsure' or 'not at all' familiar with the PCI DSS." Also, while merchants who reported familiarity with PCI practices indicated they also felt their businesses were more secure, 79 percent of all respondents stated they felt they were not at risk of a data security breach.
A way to lighten the load
These findings, along with input gathered from call center data and the company's merchant service provider (MSP) clients, led ControlScan leaders to address ongoing Level 4 PCI awareness and compliance issues. They identified a key barrier to compliance: the length of time required for small business merchants to complete the annual self-assessment questionnaire (SAQ). Thus, ControlScan set out to create an automated SAQ tool that would reduce completion time and simplify the process. And on Aug. 13, 2013, ControlScan introduced the SmartSAQ to its portfolio of merchant services companies.
Steve Robb, ControlScan's Senior Vice President of Products and Services, described the tool's value, stating, "The key word is familiarity: the first thing merchants will notice when they log into SmartSAQ is the inviting and intuitive interface. In addition, MSPs who deploy SmartSAQ to their merchants can easily conform its presentation to their own brand, meaning that the merchant easily recognizes the tool as part of their service arrangement."
The tool also provides an intuitive user-history feature that captures each user's unique information for a database that will pre-populate the appropriate fields on the following year's SAQ. "The nice thing about this tool is that it incorporates many time-saving features so that once the initial validation has taken place, subsequent validations are streamlined even further," Robb noted.
ControlScan reported that the tool has been well received by its MSP customers and that the rollout plan is simple: introduce newly signed merchants to the SmartSAQ at boarding and migrate existing merchants at the time of annual validation. Kyle Spring, Compliance Specialist at Basys Processing, pilot-tested the SmartSAQ. "Now we can provide our merchants a simpler, quicker and more effective way to maintain compliance that doesn't feel like a hassle," he said.
In addition to continuing its annual merchant study, ControlScan plans to track user statistics related to SAQ selection, stopping points and bounce rates. The company intends to compile these metrics in an effort to identify ways to continually improve the SmartSAQ and monitor its impact on future small business compliance ratings.