Tax-paying citizens may grumble about the dues they pay their respective governments, but at least those with simpler finances generally have simpler tax-reporting forms. Now merchants similarly have appropriately sized self-assessment questionnaires to lessen the pain of complying with the Payment Card Industry Data Security Standard.
Some security experts suggest further tweaks are needed to the language of the new evaluations. But even they have joined with merchants, acquirers and security-services providers in lauding the introduction of four versions of the questionnaires that address the five common ways most merchants accept and handle cardholder data.
The Payment Card Industry Data Security Standard is a set of security rules for protecting cardholder data that merchants who accept Visa, MasterCard, American Express, Discover and JCB credit or debit cards must follow.
The PCI Security Standards Council designed the self-assessment questionnaires so small and mid-sized merchants could self-validate their compliance with the PCI standard. Large merchants generally do not self-assess their compliance. But merchants that payment card brands allow to self-evaluate may be required to complete compliance tasks, such as periodically using vendors approved by card networks to scan their electronic networks for security vulnerabilities.
The updated questionnaire choices are a welcome, "long-overdue" change from when merchants had to fill out the same 11-page form regardless of how they handled card data, says Gartner Group analyst Avivah Litan.
"This was a big issue for merchants because they would take a look at the (old) self-assessment questionnaire and scratch their heads and say, 'This doesn't apply to my environment. How do I answer this?'" Litan says. "You shouldn't have dry cleaners filling in 250 questions when all they have is a dial-up modem and imprint machine."
Which questionnaire a merchant should complete depends not on its size but on how it handles card transactions.
The 11-question version A self-assessment questionnaire is for card-not-present merchants that interact with consumers only via the Internet, mail-order and telephone, if those merchants avoid collecting or even seeing card data by outsourcing all card-payment functions to third parties.
Merchants that collect in-person card transactions using low-tech "knuckle-buster" imprint devices, which capture onto paper forms the raised letters and numbers from the fronts of cards, fill out version B, which has 21 questions. Merchants using stand-alone payment terminals that do not electronically store cardholder data also complete version B.
Merchants using point-of-sale systems connected to the Internet but that do not electronically store cardholder data fill out the 38-question version C questionnaire. The 226-question version D is for all other merchants and payment-services providers that any of the card networks say must complete a self-assessment questionnaire.
The new versions range from six pages to 30 pages. Merchants decide which version to use, unless their acquirer determines another version is appropriate.
As chief compliance officer for merchant acquirer Chase Paymentech Solutions LLC, Mike Herman welcomes continued clarification of the PCI Data Security Standard.
"We're happy about the questionnaire," Herman says. "The questions are directly connected to satisfying the standard."
Easier To Promote?
Indeed, the lack of irrelevant self-assessment questions makes the PCI rules much easier to pitch to mom-and-pop merchants, says Aliki Liadis-Hall, operations manager for JetPay LLC, a Carrollton, Texas-based merchant-services provider. "The simplification of the questionnaire will improve the likelihood of Level 4 merchants complying with the regulations as the different versions are now more specific to the merchants' payment-acceptance type," Liadis-Hall says.
The revised questionnaires also will help teach small merchants how to protect credit and debit card transactions and data, says Bob Aguirre, who manages security and risk for Group ISO Inc., an Irvine, Calif.-based merchant-service provider.
For example, in version B of the questionnaire, merchants receive a mini card-security lesson and jargon thesaurus while being asked to confirm their compliance with the following statement: "Do not store the full contents of any track from the magnetic stripe (that is on the back of a card, in a chip or elsewhere). This data is alternately called full track, track, track 1, track 2, and magnetic stripe data."
Other compliance statements merchants must confirm highlight other rules, such as not storing card validation codes or personal identification numbers.
"Since these guidelines have been revised, [the PCI council] is actually looking at ways other parts of the industry are affected by PCI and the concepts of security," Aguirre says. "Any time you simplify something and make it more understandable, you get better results."
Liadis-Hall and Aguirre both stress that simplified questionnaires do not mean most merchants will learn and keep up to date with PCI rules on their own. Merchant-services providers still should educate their merchant customers about the standards.
The PCI council held a free Web seminar in February to explain the new questionnaires to merchants. Some of the questions read during the question-and-answer session following the presentation were elementary, such as "What is a PAN?" The moderator directed merchants to call their acquirers for answers to many, more-complex PCI questions.
More Calls
Acquirers soon started calling the PCI council and card brands for advice about answers to give merchants calling with new questions about the questionnaire, says Glenn Boyet, a council spokesperson.
He says the council plans to offer more educational sessions and documents on the questionnaires and other PCI topics. "What we've heard in general is we have to put more information out for acquirers," Boyet says. "We have to educate on both ends, for those who live, eat and breathe this stuff and for the end-user."
Dave Glaser, vice president of professional services at CyberSource Corp., a Mountain View, Calif.-based provider of third-party payment processing services for Internet merchants, says his company is getting many questions from existing and potential customers about which form they should complete. Most want to complete the 11-question version A of the form, which is driving more to outsource their card-payment functions to third parties such as CyberSource, he says.
"If a merchant doesn't have to store any credit card data in their systems at all, then PCI compliance becomes that much easier," Glaser says.
But sometimes merchants do not realize that payment data-gathering software is still running somewhere on their networks and needs to be removed or disabled before they qualify for version A, he adds.
Some Language Vague
Litan says some merchant and acquirer confusion might arise from some vague patches of language in the questionnaires.
For example, the council planned to take Visa's Payment Application Best Practices Standard under the PCI umbrella this spring and rename it the Payment Application Data Security Standard. However, the instructions for version C do not discuss the requirement that version C merchants comply with the renamed standard.
Because the council had not yet taken over the rules from Visa before it released the updated questionnaires, the questionnaire instructions simply note that merchants must make sure their payment-software vendors use "secure techniques to provide remote support to the merchant's payment application system."
"That's so vague to say 'secure.' Everyone has their own definition," Litan says, suggesting the council should have implemented the Payment Application Data Security Standard before issuing the new questionnaires and instructions.
The expected arrival of the new payment-application standard some time this spring leaves a lot of vendors and their potential customers in limbo until they know the specific wording of the new rules. "There's a lot of waiting around until the standards are clarified," Litan says.
Herman says he is glad the self-assessment questionnaires are finally released, even though they likely will be tweaked in the future to incorporate changes to the PCI rules. As a PCI Council advisory board member, Herman reviewed drafts of the new questionnaires last summer and provided comments about them to the council by September.
The "sunset period" on the old version 1.0 of the questionnaires is April 30, which means merchants have until then to submit older versions of the questionnaire they may already have started. After that, they must submit the new questionnaires.
"We thought the questionnaire would come out a month or two earlier than it did," Herman says. "It's got a real short sunset period, and merchants are kind of surprised about that. Acquirers are deciding whether they're going to live with that sunset if someone submits the questionnaire and you get it on June 1."
Despite minor complaints about the timing of various PCI rules releases and the usual questions about how to interpret PCI language, sources unanimously tell Cards&Payments they are happy the new questionnaires have arrived. They say the choice of four versions of the questionnaire, instead of just one, will help merchants focus their compliance efforts on the rules that relate to their operations.