By upgrading its compliance-reporting software, ControlScan Inc. plans to save independent sales organizations and merchant acquirers time and money when helping small-business merchants remain compliant with the Payment Card Industry Data Security Standard, the data-security program provider announced Dec. 2.
Adding SmartSync software to ControlScan’s cloud-based PCI Dashboard compliance-management program could alleviate the need to manually retrieve merchant data related to ongoing compliance status, David Aboucher, senior director of product management and support for Atlanta-based ControlScan, tells PaymentsSource.
The reporting system informs ISOs and acquirers how far their merchants have progressed with PCI compliance after ControlScan tests their payment systems, Aboucher says. In addition, the SmartSync upgrade automatically categorizes reports, eliminating the need for the acquirer or one of its employees to download and decipher data, he adds.
Acquirers logging on to access ControlScan and the PCI Dashboard previously would have to download information they sought about a merchant’s latest PCI-compliance testing reports, or the latest updates from the PCI Security Council, to view the information again in the main access to ControlScan, Aboucher says.
SmartSync links to an application interface and retrieves the information and compliance updates the acquirer can set up in categories specific to the merchant, Aboucher adds.
“An acquirer might set up SmartSync to alert him about a merchant’s failure on a recent vulnerability scan or to set up data reports based on the risk level of the merchant,” Aboucher says.
To avoid a scenario in which the acquirer sometimes can overlook noncompliance, the acquirer may set up the system to alert him if a merchant who historically passed compliance tests suddenly fails a vulnerability scan, Aboucher explains. In doing so, the acquirer can alert his merchant of the problem area quickly.
SmartSync can help an acquirer spot a troubling trend with a small-business merchant, but the software does not provide true fraud detection, Aboucher notes.
“SmartSync is more about merchant PCI compliance than it is about fraud detection,” Aboucher says. “It does, however, help the acquirer put certain merchants into a ‘watch’ category” if compliance issues become persistent, he adds.
An acquirer or ISO has the option to monitor the PCI Dashboard and SmartSync or pay ControlScan to perform that task, Aboucher says.
“Some acquirers are very hands on about driving their merchants’ PCI efforts, whereas others prefer to have ControlScan handle it,” he adds.
Regardless of who monitors the compliance reports, PCI Dashboard with SmartSync “operates by itself” in categorizing reports, and it saves money for acquirers who can eliminate the time employees spend downloading, compiling and deciphering data, Aboucher says.
In addition, the acquirer’s billing to merchants becomes streamlined through SmartSync because the compliant and noncompliant merchants are displayed in separate files. “If the acquirer charges a higher rate for a noncompliant merchant, the system updates quickly when that merchant becomes compliant and adjusts the rate so the acquirer no longer has to do it manually,” Aboucher says.
Paul Martaus, a merchant-acquiring consultant based in Mountain Home, Ark., tells PaymentsSource that ISOs and acquirers will find helpful any service that keeps track of their merchants’ PCI-compliance status.
However, the need for such compliance tracking may be short-lived if the process becomes less complicated through smartcard technology, he contends.
“In the long run, the EMV smartcard initiative of Visa Inc. could reduce PCI scoping and compliance, especially for large retailers and merchants,” Martaus says. “For the smaller merchants serviced by a company like ControlScan, it will likely take a few more years.”
Visa in August announced an initiative to encourage U.S. merchants to accept EMV cards by (
Even if compliance tracking eventually changes, new compliance issues or data-security threats that call for PCI testing and compliance status records likely will unfold, Martaus contends.
“I don’t want to sound cynical, but do some of these acquirers and ISOs really want all of their merchants to be compliant?” Martaus asks. “They can charge a higher rate if the merchant is noncompliant, and at some point someone will have to address what will happen when that revenue is lost.”
ControlScan provides the SmartSync upgrade as part of its basic installation of PCI Dashboard, Aboucher says. As a cloud-based program in a Web-services framework, the dashboard with SmartSync would be available to any ControlScan client, he adds.