Imagine a stunned ISO executive standing amid the smoking ruins of a data breach and clutching a six-figure bill for the damages. Visions of such scenes are prompting ISOs to take a keen interest in helping their merchants comply with the Payment Card Industry data-security standards designed to prevent such catastrophes, observers say.
That starts with finding the right payment-security vendor, they agree.
"When you think about it, the fines trickle down," says Brenda Pacheco, vice president and operations manager of Granite Payment Alliance LLC, a Roseville, Calif.-based ISO.
ISOs can avoid those fines and provide merchants with help in navigating the road to PCI compliance by choosing the right ISO vendors, observers say.
If a breach affects Visa transactions, Pacheco notes as an example, Visa Inc. fines the bank that sponsors the ISO's processor into the network. The sponsor bank then fines the processor, which may pass it on to the ISO, which will attempt to collect it from the merchant.
An ISO's role in the process varies based on the contract with its sponsor bank.
If the merchant cannot afford to pay the penalty, the ISO gets stuck with the cost of the fine, so PCI compliance "becomes very important at that point," Pacheco says.
"The fines do scare us," agrees Henry Helgeson, co-CEO of Merchant Warehouse Inc., a Boston-based ISO. "They're one of the things driving us to get our merchants compliant."
Because of that concern and other considerations, service often outweighs price when ISOs choose vendors to help merchants avoid data breaches and to comply with PCI fraud-prevention standards, observers say.
PCI vendors guide merchants through the technical twists and turns of PCI self-assessment questionnaires intended to help merchants comply. If necessary, vendors can scan merchants' payment-processing systems for weaknesses hackers could exploit to steal cardholder data and make fraudulent purchases. Once vendors detect those vulnerabilities they can help merchants fix them.
The upside of PCI compliance reviews does not end there, observers say. Occasionally, ISOs may differentiate themselves from competitors by touting the prowess of their vendors, and some ISOs mark up the vendor's services and turn a profit.
In choosing a vendor, ISOs often decide to use a single company and thus qualify for a lower price based on volume, says Brad Caldwell, CEO of SecurityMetrics Inc., an Orem, Utah-based payments security vendor.
The ISO determines how much to charge merchants for the vendor's services, usually picking one of three approaches, says Joan Herbig, CEO of ControlScan Inc., an Alpharetta, Ga.-based PCI provider. They may offer the services for free as a value-added proposition, pass along the actual cost of the services or mark up the price of the services to make a profit, she says.
"The ISOs have their own ways of working with their merchants, depending on the philosophy of the ISO," says Herbig.
Philosophy aside, more ISOs and merchants within the past 18 months have come to accept the necessity of PCI compliance, says Leslie Norris, executive vice president for Panoptic Security Inc., a Salt Lake City-based payments-security firm. "I don't see near as many merchants resisting or asking why; it's a huge migration to PCI awareness," she says.
Among level 4 retailers handling the fewest card transactions, familiarity with PCI standards varies by size, suggest the results of a ControlScan survey of 628 retailers released in November. About 45% of respondents with one to 10 employees reported familiarity, while 91% with more than 50 employees said they were familiar with the standards.
Ease the Burden
Most ISOs' attitudes toward PCI compliance have shifted from nonchalance to conscientiousness, Norris says. ISOs that contact Panoptic for help seem less concerned now about promoting compliance issues as a way to increase market share or build revenue. Instead, they genuinely want their merchants to comply with the standard, but they no longer are working toward that goal by using fees and fines, she says.
In their quest for merchant compliance, ISOs are seeking vendors that can simplify the process, says Pacheco. "I have to have a partner that I'm going to be able to communicate with, that I'm going to be able to trust and that I can rely on to assist my merchants when they need it," she says.
Communication can require "dumbing down" the technical talk associated with PCI compliance so merchants with little interest in technology can understand what they need to do, Pacheco says.
Vendors also help merchants wade through self-assessment questionnaires by asking them to click on a few choices on an electronic form and then using those answers to populate some of the blanks, says Norris. Panoptic's form often fills in 70% of questions and sometimes more than 90%, she says.
Besides making the process easier for merchants, a good PCI vendor eases the burden of compliance for ISOs, according to Merchant Warehouse's Helgeson, whose vendor is ControlScan.
And that includes fielding phone calls from puzzled or irate merchants, he says.
In doing so, ControlScan frees the 40 Merchant Warehouse contact center employees to deal with customer service calls and e-mail messages instead of trying to sort out compliance issues the contact center employees find confusing or too technical, Helgeson says.
Ridding the contact center staff of PCI calls constitutes a human resources issue, he says. "You want to retain quality people," Helgeson says. "You don't want people leaving because somebody doesn't understand" the self-assessment questionnaire.
Pacheco also wants to keep her eight-employee contact center focused on customer service and free of overly technical PCI calls. Her employees feel comfortable answering PCI calls from merchants using dial-up terminals, but they refer calls from Internet-oriented retailers to her ISO's vendor, ControlScan.
The sense of panic that contact-center workers feel when confronted with a technical, confusing or gray PCI query reminds Pacheco of the dread that wells up in a driver when a highway patrol officer pulls up behind the car and turns on the squad car's flashing lights.
Besides deflecting complicated incoming calls to sources more knowledgeable in technical matters, vendors can make outgoing calls to merchants to nudge them to take the next step toward compliance.
Pacheco and Helgeson both depend on vendors to take that initiative.
At Merchant Warehouse, ControlScan calls merchants with the highest risk of data compromise, those that make frequent transactions over the Internet, Helgeson says. The group represents about 5% of the ISO's merchant portfolio, he says.
Having the vendor initiate the contact helps shield the ISO from negative reactions merchants might have to the call, Helgeson says. As far as the merchant is concerned, the vendor, not the ISO, is making contact, he says.
In most cases, however, merchants appreciate the vendor outreach, Helgeson says. "It's even created a little bit of stickiness with our merchants because here we are going above and beyond to protect them," he notes.
Besides helping with inbound and outbound contact with merchants, vendors can track merchants' progress toward PCI compliance and inform ISOs of their status. Some vendors offer computer "dashboards" ISOs can use to monitor their merchants' PCI activities.
Merchant dashboards should contain only basic information, says SecurityMetrics' Caldwell. "The user interface should be easy to use," he says. "Too much detail is not always good."
ISOs, however, can use dashboard details to manage compliance, says Panoptic's Norris.
With Panoptic's dashboard, the ISO begins with a screen divided into quadrants. One quadrant uses a pie chart and line graphs to show the ISO's total number of merchants, the percentage that have completed the PCI process and the percentage that have achieved compliance, Norris says. Another quadrant uses a bar graph to show how far along merchants are in the process, providing the percentages of merchants that have registered, logged in to the self-assessment questionnaire, selected a questionnaire, completed a questionnaire, started remediation, completed a scan that detected no vulnerabilities, and finished the sequence and reached compliance, Norris says.
A third quadrant, called Portfolio Management, enables ISOs to search and filter merchant groups, add or delete merchants, and monitor communications with merchants, she continues. The fourth quadrant, called Reports and Deliverables, helps the ISO deal with reports to Visa, MasterCard Worldwide and Discover Financial Services and provides custom partner reports, Norris says.
"We look at it on a monthly basis," Pacheco says of the dashboard provided by ControlScan.
Indeed, the dashboard provides a lot of insight, Helgeson says of the dashboard Merchant Warehouse uses. "We can spot trends quickly" using the dashboard statistics, he notes.
The dashboard reinforces the simplicity of choosing a single PCI vendor that can compile all of the merchant data in one place, Helgeson and Pacheco agree.
Using more than one vendor could mean having to visit multiple competing dashboards to gather information about merchants, Pacheco says. "That's crazy," she contends.
Having more than one vendor also could create confusion about who is responsible for services, says Helgeson. "Who's in charge of going back to that merchant and informing him that you've only completed one of the steps? For us, it didn't make any sense at all to use two different companies" for scans and self-assessment questionnaire help, he says.
During a transition to a single vendor, however, some vendors can incorporate data from another vendor into a dashboard, vendors say. The situation arises when an ISO switches vendors or buys a portfolio, they say.
Moreover, the dashboard illustrates the efficiency of choosing a single vendor by showing the interconnection among the elements of PCI compliance, industry insiders say.
Mimic An Attacker
"The bottom line is you need to tie the scan to the [self-assessment questionnaire] and know the merchant's done both," says Helgeson. "If that becomes a manual process, you're creating a lot of work."
Merchants using dial-up terminals that do not connect with the Internet for payment processing stand relatively little chance of experiencing a breach. Thus they do not need to have vendors scan the systems, observers say.
However, when merchants indicate on the self-assessment questionnaire that they make transactions online, they establish the need for scans designed to detect weaknesses hackers could exploit. Several sources tell ISO&Agent that about 20% of small merchants need scans.
Scanning vendors probe the systems from the outside, searching for ways to compromise the system and steal data. In essence, the scanning vendor mimics the behavior of an attacker, says Steve Robb, ControlScan vice president of operations.
Fewer than 25% of merchants pass the scan the first time, says Michael Wright, Panoptic chief technical officer. "Typically, they have several things they've got to remediate," Wright says.
False Positives
And as the vendor searches for a system's vulnerabilities, false positives can occur when the scan finds something suspicious that turns out not to be a problem. Vendors expect a few false positives because they do not want to miss an actual problem. They also acknowledge that merchants and ISOs find false positives annoying.
A common example of a false positive arises when a merchant is using older, possibly outdated commercial POS software, says ControlScan's Herbig. In such cases, a vendor checks with the merchant to determine whether the software vendor or merchant has applied the proper patches to fix the software's problems and bring it up to date.
If the correct patches are in place, the situation already has been resolved. If not, the merchant has to ensure the appropriate patches are in place, vendors say.
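The patch check the preceding paragraphs describe can be written as a triage rule. The following is an added example, not code from the article or from any vendor named in it: a remote scan usually learns only the version string a product reports, so software patched in place (the fix applied without the reported version changing) still looks outdated, and the rule keeps such a finding open until the merchant or POS vendor confirms the patch. The field names, the product name, the patch identifier and the sample hosts are all constructed for the demo.

```python
"""Triage of version-based scan findings against patch evidence.

Added example; not code from the article or from any vendor named in it.
All names, identifiers and sample data below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    banner_version: str  # version string the scanner observed remotely
    fixed_in: str        # first vendor release that contains the fix
    patch_id: str        # hypothetical id of the out-of-band patch for older releases


def parse_version(text):
    """'2.4.10' -> (2, 4, 10). Tuples compare component-wise, so 2.4.10 > 2.4.3,
    which a plain string comparison would get wrong."""
    return tuple(int(part) for part in text.split("."))


def banner_looks_vulnerable(finding):
    """All the scanner alone can conclude: the reported version predates the fix."""
    return parse_version(finding.banner_version) < parse_version(finding.fixed_in)


def triage(finding, applied_patches):
    """Classify one finding.

    applied_patches maps host -> set of patch ids the merchant or POS vendor has
    confirmed installing. Returns 'not_affected', 'false_positive_patched' or
    'remediate'.
    """
    if not banner_looks_vulnerable(finding):
        return "not_affected"
    if finding.patch_id in applied_patches.get(finding.host, set()):
        # Old version string, but the fix was applied out of band: a false positive.
        return "false_positive_patched"
    return "remediate"


def triage_report(findings, applied_patches):
    """(host, product) -> verdict for every finding."""
    return {(f.host, f.product): triage(f, applied_patches) for f in findings}


# Constructed sample: three POS hosts running the same hypothetical product.
SAMPLE_FINDINGS = [
    Finding("pos-1.example", "RegisterPOS", "2.4.1", "2.4.3", "RPOS-HOTFIX-17"),
    Finding("pos-2.example", "RegisterPOS", "2.4.1", "2.4.3", "RPOS-HOTFIX-17"),
    Finding("pos-3.example", "RegisterPOS", "2.4.10", "2.4.3", "RPOS-HOTFIX-17"),
]
# Constructed patch evidence: only pos-1 has the hotfix confirmed.
SAMPLE_PATCHES = {"pos-1.example": {"RPOS-HOTFIX-17"}}


if __name__ == "__main__":
    for (host, product), verdict in triage_report(SAMPLE_FINDINGS, SAMPLE_PATCHES).items():
        print(f"{host:16} {product:12} {verdict}")
```

The point of the third verdict is that the scanner's own evidence never settles the question by itself: pos-1 and pos-2 report the identical version string, and only the confirmation call to the merchant separates the false positive from the real remediation item.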
Ferreting out details, such as software patches, takes vendors' personal attention, which ISOs often appreciate.
"They have been very nice to me," Pacheco says of ControlScan, emphasizing the importance that trait plays in providing the extra help many ISOs and merchants need with PCI's complexities and ambiguity.
Pacheco admits she sometimes brings up a question to ControlScan she has asked before because the answer still eludes her. "A lot of us don't know a lot about it," she says of PCI.
Merchant Warehouse wanted a vendor that specializes in PCI compliance among Level 3 and 4 merchants, not a qualified security assessor that focuses on Level 1 and 2 security audits and works on compliance as a sideline, Helgeson says. "We didn't get a comfortable feeling from them as to being able to support the product," he says of the unnamed vendor it considered.
Vendors that have just signed a contract with a large processor also failed to make the cut at Merchant Warehouse, Helgeson says. "We didn't think they would have the bandwidth to support us" because of responsibilities to the processor, he says. "Would we be a big customer to them?"
How To Choose
As for the technical side of scanning, however, ISOs do not need to worry too much when choosing a scanning vendor, according to Caldwell of SecurityMetrics. The PCI Council designates companies as Approved Scanning Vendors, he notes.
"The council does a good job of making sure our scanners can find the vulnerabilities," Caldwell says.
However, vendors mistakenly may choose a scan that is too narrow in scope, Caldwell says. If a merchant's transactions take place on three servers, for example, the vendor has to scan all three, he says.
Vendors also may choose a scan that is too large in scope and thus waste an ISO's or merchant's money, Caldwell adds, offering the example of a university with a well-run program that needs scans only of the four servers involved, not of all its 3,000 Internet Protocol addresses.
To prevent scoping errors, vendors can call merchants directly and discuss the intricacies of their payments-processing systems, Caldwell notes, describing those conversations as the "human element" in scoping.
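The two scoping errors Caldwell describes (a scan that misses one of the servers handling transactions, and a scan that covers thousands of addresses when four matter) can both be caught by reconciling the scan's target list against an inventory of the payment environment. The following is an added example, not code from the article or from any vendor it names. The inventory format is invented for the demo, and its scoping rule (hosts that handle card data are in scope, and so is any host with a listed network connection to one) is a deliberate simplification of PCI DSS scoping; a real assessment applies the standard's full segmentation criteria.

```python
"""Scan-scope reconciliation for a merchant's payment environment.

Added example; not code from the article or from any vendor it names. The
inventory format and the simplified scoping rule are assumptions for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    addr: str
    handles_card_data: bool = False
    connected_to: tuple = ()  # addresses this host talks to (treated as bidirectional)


def in_scope_hosts(inventory):
    """Card-handling hosts plus everything reachable from them over listed connections."""
    adjacent = defaultdict(set)
    for host in inventory:
        for peer in host.connected_to:
            adjacent[host.addr].add(peer)
            adjacent[peer].add(host.addr)
    scope = {h.addr for h in inventory if h.handles_card_data}
    frontier = list(scope)
    while frontier:  # transitive closure over the connection graph
        addr = frontier.pop()
        for peer in adjacent[addr]:
            if peer not in scope:
                scope.add(peer)
                frontier.append(peer)
    return scope


def reconcile(inventory, scan_targets):
    """Compare what the scan would cover with what the inventory says is in scope."""
    required = in_scope_hosts(inventory)
    targets = set(scan_targets)
    return {
        "under_scoped": sorted(required - targets),  # in-scope hosts the scan would miss
        "over_scoped": sorted(targets - required),   # hosts scanned at cost for no compliance reason
    }


# Constructed sample: a small merchant whose transactions touch three servers
# (web front end, payment gateway, order database) plus two unrelated hosts.
SAMPLE_INVENTORY = [
    Host("10.0.1.10", handles_card_data=True, connected_to=("10.0.1.20",)),  # web front end
    Host("10.0.1.20", handles_card_data=True, connected_to=("10.0.1.30",)),  # payment gateway
    Host("10.0.1.30"),  # order database, in scope only because the gateway talks to it
    Host("10.0.9.5"),   # print server, unrelated
    Host("10.0.9.6"),   # staff wiki, unrelated
]
# Scan request as submitted: one in-scope server left out, one unrelated host added.
SAMPLE_SCAN_TARGETS = ["10.0.1.10", "10.0.1.20", "10.0.9.5"]


if __name__ == "__main__":
    print(reconcile(SAMPLE_INVENTORY, SAMPLE_SCAN_TARGETS))
```

Run against the sample, the check reports the order database as under-scoped (it handles no card data itself, but the gateway connects to it) and the print server as over-scoped. A peer address that appears in a connection but not in the inventory is still pulled into scope, which is the right failure mode: an unknown connected host is a question for the merchant call, not something to silently drop.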
Sometimes Caldwell finds such calls necessary to convince a merchant that vulnerabilities exist. He tells of providing one merchant information "hijacked" from its site to prove the existence of a back door to its database.
"The merchants really need that," Caldwell says of such phone calls. "It's an emotional thing for them."
SecurityMetrics also sends a delegation of about 30 employees to the annual Def Con hackers' convention in Las Vegas, where Caldwell and his staff discover tricks criminals could use to compromise merchants' systems.
In one Def Con event, for example, eight teams spend two days trying to break into each other's systems while defending their own systems. One year a group of Berkeley graduate students won and then shared their techniques with the vendor, Caldwell says.
Relentless effort counts when it comes to vendors, says Pacheco. Vendors can monitor merchants, for example, and remind them that any change they make to an online system brings them out of compliance and requires another round of scanning. Even an omission can derail compliance, Pacheco says.
In a more specific example, a merchant might fire an employee for theft and then forget to change the password for the system, Pacheco says. "Compliance," she notes, "is a moment in time."
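Pacheco's two examples, a change to an online system that invalidates the last scan and a departed employee whose password is never changed, are both drift checks that can run between scans. The following is an added example, not code from the article or from any vendor it names. It compares the exposed services of a merchant's Internet-facing host against the snapshot taken when the last clean scan passed, and compares staff departure dates against the last rotation date of a shared system credential and against still-active accounts. The data shapes, host names and dates are all constructed for the demo.

```python
"""Drift checks that turn "compliance is a moment in time" into a rule.

Added example; not code from the article or from any vendor it names.
Data shapes and every sample value below are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    product: str  # product and version string the scan observed


@dataclass(frozen=True)
class Departure:
    user: str
    left_on: date


def service_changes(baseline, current):
    """Services added or removed since the last passing scan."""
    base, now = set(baseline), set(current)
    return {"added": sorted(now - base, key=str), "removed": sorted(base - now, key=str)}


def rescan_required(baseline, current):
    """Any change to the exposed surface invalidates the last clean scan."""
    changes = service_changes(baseline, current)
    return bool(changes["added"] or changes["removed"])


def credential_gaps(departures, shared_credential_rotated_on, active_accounts):
    """Departed users whose access may have survived their departure.

    Returns a list of (user, reason) pairs. A shared credential counts as stale
    for every user who left on or after the day it was last rotated.
    """
    gaps = []
    for d in departures:
        if d.user in active_accounts:
            gaps.append((d.user, "account still active"))
        if d.left_on >= shared_credential_rotated_on:
            gaps.append((d.user, "shared system password not rotated since departure"))
    return gaps


# Constructed sample data.
BASELINE = [Service("shop.example", 443, "nginx/1.18"), Service("shop.example", 22, "OpenSSH_8.4")]
CURRENT = [Service("shop.example", 443, "nginx/1.18"), Service("shop.example", 22, "OpenSSH_8.4"),
           Service("shop.example", 8080, "Tomcat/9.0")]  # admin console exposed since the clean scan
DEPARTURES = [Departure("alice", date(2024, 3, 4)), Departure("bob", date(2024, 5, 20))]
SHARED_PASSWORD_ROTATED = date(2024, 4, 1)  # rotated after alice left, not after bob
ACTIVE_ACCOUNTS = {"carol", "bob"}           # bob's account was never disabled


if __name__ == "__main__":
    print("rescan required:", rescan_required(BASELINE, CURRENT))
    print(service_changes(BASELINE, CURRENT))
    for user, reason in credential_gaps(DEPARTURES, SHARED_PASSWORD_ROTATED, ACTIVE_ACCOUNTS):
        print(f"{user}: {reason}")
```

On the sample, the newly exposed port 8080 triggers a rescan, and bob shows up twice: his individual account is still active, and the shared password was last rotated before he left. Alice produces no finding because the rotation happened after her departure, which is exactly the distinction a date comparison has to make.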
But ISOs can seize the moment with the help of the right PCI vendor, she adds. PCI vendors can guide merchants through the self-assessment questionnaire, scan Internet-connected systems for weaknesses and help correct problems revealed by the scanning. The process prevents data breaches, protects against fines and provides merchants with useful services.