Even after hearing an ISO's best spiel on payment card security, some retailers still hesitate to take action.
But that could change. The merchant-acquiring industry is getting some help from the Payment Card Industry Security Standards Council in the struggle to convince retailers of the necessity of security.
The council has updated the self-assessment questionnaire smaller merchants use to figure out how much they are at risk for exposing sensitive transaction data (ISO&Agent Weekly, 2/7).
With the release of four simplified versions of the questionnaire—including one for merchants that outsource all of their payment needs and another for those that take imprints only and store no data—ISOs stand a better chance of thwarting card-data breaches at merchant locations, potentially saving thousands of dollars and eliminating a reason for merchants to switch to another ISO.
A Teaching Moment
That possibility of abandonment motivates JetPay LLC, a Carrollton, Texas-based merchant-services provider, to keep merchants up to date with changes in security measures, says Aliki Liadis-Hall, JetPay operations manager.
"The simplification of the questionnaire will improve the likelihood of Level 4 merchants [the group with the fewest card transactions] complying with the regulations as the different versions are now more specific to the merchants' payment-acceptance type," Liadis-Hall says.
The revised questionnaires also help ISOs teach merchants about security and PCI compliance, says Bob Aguirre, who manages security and risk at Group ISO Inc., an Irvine, Calif.-based merchant-service provider.
"Since these guidelines have been revised, [the PCI council] is actually looking at ways other parts of the industry are affected by PCI and the concepts of security," Aguirre says.
"By breaking it down," he explains, "what they're trying to do is make it easier for vendors and merchants. Anytime you simplify something to make it more understandable, you get better results."
But new questionnaires alone will not do enough to improve compliance, Aguirre says. Someone has to relay the information to merchants.
"Merchants aren't going to take the time and look for what happened in the bankcard industry," he says. That is the job of the ISO and its agents, Aguirre says.
At JetPay, Liadis-Hall sees a direct correlation between the merchant's compliance effort and the ISO's outreach.
"Improving compliance is directly relative to the effectiveness of the ISO educating the merchants," she says.
"Having the different classifications will definitely improve our chances of having the merchant understand how important it is, but this alone will not improve compliance," Liadis-Hall says. "Persistence, education and availability of information will escalate the smaller merchants' need to comply with the regulations."
'An Absolute Rat Race'
The updated questionnaires will help ISOs craft their merchant-security pitches, suggests Michael Petitti, chief marketing officer at Chicago-based Trustwave, a data-security company.
"The new self-assessment questionnaire will be helpful, especially for ISOs that board a specific type of merchant, such as dial-up," Petitti says. "For example, based on the new self-assessment questionnaire, the ISO can mandate that a dial-up merchant complete that appropriate SAQ version upon boarding."
For Theodore Svoronos, a Group ISO payment specialist, the payments industry will continue to change. That calls for continuing study.
"We, as industry professionals, have to educate ourselves and impart that knowledge to our merchants and agents," Svoronos says. "If we don't educate the food chain, it will die. It will be an absolute rat race."








