GS Logo
The Green Sheet, Inc

Please Login

Banner Ad
View Archives

View PDF of this issue

Care to Share?


Table of Contents

Lead Story

Congress, Fed pressured to reconsider interchange caps

Patti Murphy
The Takoma Group

News

Industry Update

London steers toward open payments by 2012 Olympics

Merchant coalition backs interchange overhaul

Girl Scout cookie sales go mobile

Trade Association News

Features

Ingredients essential to thriving enterprises

Research Rundown

ISOMetrics:
The rise of the debit card

Measuring your ad's ROO

Selling Prepaid

Prepaid in brief

Has the prepaid tax refund moment arrived?

Compliance partnership made for two

Views

Thoughts on the economy (in hindsight)

Brandes Elitch
CrossCheck Inc.

Cell phones as marketing tools

Steve Schwimmer
Renaissance Merchant Services

Education

Street SmartsSM:
Earning and keeping merchants' trust

Ken Musante
Eureka Payments LLC

It pays to keep your customers happy

Jeffrey Shavitz
Charge Card Systems Inc.

Security in a mobile world

Tim Cranny
Panoptic Security Inc.

Stockholm Syndrome and the payment pro

Jeff Fortney
Clearent LLC

Helping Level 4 merchants comply with PCI DSS 2.0

Joan Herbig
ControlScan

Leads, leads, leads - Part 2: Lead management

Peggy Bekavac Olson
Strategic Marketing

Company Profile

FrontStream Payments Inc.

New Products

A global e-commerce payment solution

Digital River World Payments
Digital River Inc.

Inspiration

The mind's the limit - so expand it

Departments

Forum

Resource Guide

Datebook

Skyscraper Ad

The Green Sheet Online Edition

March 14, 2011  •  Issue 11:03:01

previous next

Helping Level 4 merchants comply with PCI DSS 2.0

By Joan Herbig

Since 2006, the PCI Security Standards Council (PCI SSC) has been responsible for the development and management of the Payment Card Industry (PCI) Data Security Standard (DSS), which was created to help ensure the safe handling of payment card data by merchants. The council is currently on a three-year cycle for issuing updates, denoting a mature standard.

Over the next year, merchants and their ISOs and acquirers will be faced with adapting to and adopting PCI DSS 2.0. While the updated standard addresses how merchants of all sizes - from Level 1 (those accepting more than 6 million transactions per year) to Level 4, (those accepting fewer than 1 million payments annually) - should protect cardholder data, ISO and acquirer support for each merchant level can vary greatly.

#h4 Resources for PCI compliance

  1. PCI for small merchants:
    click here

  2. PCI updates and deadlines:
    click here

  3. PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard version 2.0:
    click here

  4. Annual Industry Survey of Level 4 Merchant PCI Compliance Trends:
    click here .

In addition, merchant level salespeople, ISOs and acquirers should rely heavily on their PCI compliance providers for assistance with merchant education and outreach. Solution providers are often in the best position to provide organizational guidance on how to set expectations for merchants and to supply tactical information on how to fill out a longer SAQ.

In many cases, merchant outreach is a service offered to educate merchants on PCI compliance and to help gauge where they are in the process. It's also productive to think of it as an opportunity to strengthen your relationships with them. In the end, however, it saves time and is far more cost effective to leverage your relationship with an existing solution provider and its expertise than to create a PCI compliance education campaign from scratch.

Building stronger merchant relationships and driving higher compliance rates within the Level 4 segment will require an understanding of how PCI DSS 2.0 affects small merchants and how to best communicate these changes to Level 4 merchants.

A closer look at PCI DSS 2.0

In October 2010, the PCI SSC introduced PCI DSS 2.0, with an effective date of Jan. 1, 2011. Version 1.2 will remain effective until Dec. 31, 2011, giving ISOs, acquirers and their merchants several months to become familiar with and begin adopting the new standard.

While change is not always well-received, the reality is that moving from PCI DSS 1.2 to 2.0 has addressed a number of merchant-initiated questions and challenges. The council continues to raise awareness of PCI

compliance to ensure that the intent of the requirements are understood and practiced. ISOs, acquirers and merchants should embrace the changes as a better and safer way to conduct business. Small merchants will see the changes manifested mainly in the Self-Assessment Questionnaire (SAQ).

Changes to various SAQs

Merchants who qualify for SAQ A (those with cardholder data functions outsourced to a PCI-compliant service provider) and B (those with manual imprinters or dial-up phone lines) will be generally unaffected by PCI DSS 2.0. Their SAQs will largely remain unchanged.

The changes to SAQs C and D and the introduction of SAQ C-VT mostly involve additional clarification and guidance. For example, SAQ C merchants using payment applications connected to the Internet and not electronically storing cardholder data will now have to complete 80 questions. This is more than twice the number that SAQ C 1.2 contains.

There is also an uptick in questions for the already extensive SAQ D. As a result, merchants who do not qualify for one of the reduced SAQs, or who store cardholder data, will now have to tackle more than 280 questions instead of the current 226. An additional and significant change is the inclusion of SAQ C-VT. This reduced SAQ C form - with just 51 questions - is designed for virtual terminal users accessing their PCI compliance service provider's solution from a computer isolated in a single location.

To be eligible for this shortened SAQ C, merchants must manually key the payment information into an Internet-based virtual terminal and cannot use any type of swipe device. One of the key benefits of qualifying for this form is that the quarterly external and internal vulnerability scanning requirement is waived.

While the changes may sound intimidating and time consuming, the incremental questions are aimed at helping merchants further understand and comply with the PCI requirements. This is a positive development for merchants who self-validate their PCI compliance.

#h4 What ISOs and acquirers can do now

  • Set a context for PCI DSS 2.0 through email, direct mail or one-on-one communication with Level 4 merchants. Start with general information about PCI DSS 2.0. Next, send SAQ-specific information on how to prepare for each questionnaire, tailored to the merchant's specific processing method. Finally, monitor the merchant through PCI compliance.
  • Put special educational programs, such as an outbound calling campaign, in place for merchants with varied payment environments.
  • Team with small merchants to mentor them through the PCI DSS compliance.
  • Encourage merchants to not store cardholder data, and explain to them the benefits that result, such as risk reduction and a reduction in the amount of effort required to comply with PCI.

The Level 4 merchant mindset

The size of Level 4 merchants tends to drive how they perceive data security and determine the steps they take to protect sensitive information. For example, ControlScan's latest Annual Industry Survey of Level 4 Merchant PCI Compliance Trends, completed in conjunction with Merchant Warehouse, indicates 53 percent of Level 4 merchants rated data security as a high priority, but 55 percent of all respondents said they were unsure of or not at all familiar with the PCI DSS.

Many merchants assume that because they don't handle a high number of transactions, they are less likely to be the victim of a data breach. The PCI compliance trends survey shows 84 percent of merchants (retail and online) perceive their data security risk to be low.

ISOs and acquirers should view PCI DSS 2.0 as an opportunity to take a leadership role in helping Level 4 merchants understand the importance of bolstering their security posture through adherence to the standard. By tailoring education and outreach to a merchant's size, resources and knowledge level, payments service providers not only increase their portfolio compliance rates, but also strengthen their merchant relationships.

Educating merchants on PCI DSS 2.0

Just as one size does not fit all within the Level 4 category, generalized PCI DSS 2.0 assistance will not advance compliance. Small merchants will turn to their ISOs and acquirers for context as they go through the compliance process, so they can understand the basics of PCI compliance and receive the tactical guidance needed to adhere to PCI DSS 2.0.

Since security, like insurance, does not generate revenue for merchants, education cannot be a hard sell. Instead, you should help Level 4 merchants understand what PCI DSS 2.0 is, why they are required to comply and how it benefits them. Small merchants who receive effective education often shift from a reactionary posture to a proactive attitude toward security.

Joan Herbig is Chief Executive Officer for Atlanta-based ControlScan, a provider of PCI compliance solutions that fit the specific needs of small to medium-sized merchants. Herbig is active in the PCI security and payments communities, where she is often asked to speak, and leads education sessions for the Electronic Transactions Association. Contact her at jherbig@controlscan.com or 800-825-3301.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | Harbortouch | USAePay | IRISCRM.COM | Humboldt Merchant Services