The Green Sheet Online Edition
February 25, 2008 • Issue 08:02:02
Online survival in the PCI wilderness
Merchants are increasingly aware of the PCI DSS Self-Assessment Questionnaire (SAQ), the annual self-assessment required of merchants who accept payment cards and are eligible to self-assess rather than undergo an on-site assessment by a Qualified Security Assessor.
First, the toolkit determines how the merchant handles card transactions - for example, through a POS terminal or online - and tailors its questions to that environment.
It then presents the merchant with a series of questions, one at a time; taken together, the answers cover every item in the SAQ.
Unlike the SAQ itself, the toolkit's questions are worded simply and intelligibly, so that most merchants, regardless of technical background or PCI expertise, can answer each one with yes, no or I don't know.
The interface works through the questions methodically, step by step; the answer to one question determines which question comes next. In this logic tree, a merchant who does not know the answer to a question can skip it and move on to the next.
A skipped question is sent to the back of the logic tree, but it always comes back: it is presented up to three times, and if it is skipped the third time, it is placed on the merchant's task list.
To help the merchant avoid mistakes - and to reassure the ISO that the merchant is answering honestly - some questions are repeated in different wording, like a polite prosecutor cross-examining a witness in a court of law.
But the questions are less a grilling than a means of determining how far along a merchant is toward PCI compliance.
Along the way, merchants are likely to learn a good deal about the various aspects of compliance - and about their own businesses - because the terminology in each question is linked.
Clicking a link takes the merchant to a concise definition of the term, and tips and explanations are provided where appropriate to help merchants understand the complexities of PCI.
The service also works like an online form filler, the kind that spares a consumer from retyping personal information at every online purchase.
As each question is answered, the toolkit populates every SAQ item that the response bears on, so the merchant does not have to repeat the same information across many questions.
As the toolkit guides the merchant through the SAQ, the service compiles a customized task list of the critical issues the merchant must resolve in order to reach compliance.
The merchant can tackle the items on that list in any order, and when an issue has been resolved, the toolkit automatically updates the SAQ with the amended information.
In this way, the online PCI Toolkit is immersive and interactive and lets merchants proceed at their own pace.
The toolkit also helps merchants with the quarterly external network security scan that PCI DSS requires for systems exposed to the Internet. Merchants whose POS terminals dial out and have no Internet connectivity are not required to scan; a merchant whose terminal or payment application is connected to the Internet does not qualify for that exemption.
All other merchants must have the scan performed, which means contracting with an approved scanning vendor (ASV) to satisfy this PCI mandate.
According to Federgreen, the online PCI Toolkit is designed to be ASV-neutral, so it works alongside any ASV - a feature he said is unique to the toolkit.
Merchants who are required to perform quarterly scans can therefore use the toolkit without disturbing their existing ASV relationships.
But that is only the merchant side of the equation, since the PCI Toolkit is just as much a tool for ISOs.
Because the card associations have placed responsibility for merchant PCI compliance squarely on merchants' acquirers (it is the ISO, acquirer or merchant bank, not the merchant, that Visa Inc. and MasterCard Worldwide fine when a merchant is noncompliant), ISOs must keep abreast of their merchants' progress toward meeting the PCI standard.
ISOs are under pressure from their sponsoring banks to manage their merchant portfolios more closely. If an ISO cannot bring its merchants into PCI compliance, it risks being dropped by its acquiring bank altogether.
So ISOs must closely monitor and steer their merchants' progress toward compliance.
The PCI Toolkit lets ISOs monitor their merchants' PCI activity. In real time, an ISO can see which questions a merchant has answered, which remain unanswered and when each action took place.
Every merchant action in the online PCI Toolkit is time-stamped, giving acquirers a reliable record of any given merchant's PCI status.
Thus, the toolkit helps ISOs manage and assess the risk level of every merchant in their portfolios. According to Federgreen, some ISOs have worried that merchants might leave them if required to complete the SAQ.
"But there is no place [for the merchant] to hide," Federgreen said. And, anyway, ISOs want "solid, well-performing merchants, not rogue merchants not playing by the rule book."
Merchant retention is at the forefront of every ISO's business strategy. Federgreen noted that the online toolkit can be used to show merchants that the ISOs they have partnered with are genuinely dedicated to their financial and regulatory well-being.
The service can also serve as a marketing device for recruiting new merchants, showing prospects that the merchants already under an ISO's banner are compliant, or well on their way to becoming so - a community that like-minded merchants would want to join.
In addition, when an ISO's portfolio is appraised for sale, the toolkit can document that a preponderance of its merchants are PCI compliant, and such a portfolio commands a higher selling price.
According to Federgreen, the online toolkit is an improvement over CSRSI's hardcopy version, published a year earlier.
Unlike the book, the online toolkit can be updated quickly when rules and regulations change or new ones are imposed.
On Feb. 6, 2008, for instance, the PCI Security Standards Council released an updated version of the SAQ, version 1.1.
The toolkit is available only to ISOs. Depending on the size of an ISO's portfolio, the price per MID (merchant ID) ranges from $3.70 down to under $2 per month.
The service can then be resold to merchants at a markup, creating a new revenue stream for ISOs and MLSs. For more information, contact Federgreen at firstname.lastname@example.org.
CSRSI: The Payment Advisors
866-462-7774, ext. 1
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.