ISOs and agents seldom question the importance of helping their merchants comply with the Payment Card Industry Data Security Standard.
After all, nobody wants a data breach that exposes the personal information of thousands of consumers to fraud, theft and abuse, and the PCI standard is designed to guard against those crimes.
Yet those same ISOs and agents complain bitterly about the self-assessment questionnaires, sometimes called SAQs, which small merchants have to fill out to comply with the PCI standard.
The questions read as though they were written by information-technology "people and lawyers for IT people," says Eric Cohen, CEO of a Jersey City, N.J.-based ISO called ETC Holdings. For example, "Does the firewall configuration restrict connections between untrusted networks and any system in the cardholder data environment?" is one question in the SAQ for merchants with point-of-sale systems that connect to the Internet, but do not store cardholder data.
And some questions lend themselves to two or even three interpretations, according to Gary Peterson, president of Prospect, Ill.-based Arlington Heights Merchant Banc.
Moreover, a question may not pertain to the merchant filling out the electronic questionnaire, but if he or she leaves it blank, then the business is failing to comply, says Cohen. In such cases choosing the required answer of "yes" would provide a half-truth, he notes.
Too many merchants "tear their hair out" when the questionnaires are couched in obscure legalistic language, using such words as "herein" and "attestation," observers say.
Technical jargon, including such words as "encryption" or "DMZ" even may inspire fear in small merchants, says Theodore Svoronos, vice president for business development and strategic partnerships at Newport Beach, Calif.-based Group ISO Inc.
Frustration with the questionnaires compounds some merchants' already negative feelings about the industry, says Laura Duckworth, merchant services specialist with Springfield, Mo.-based Liberty Bank, which operates an ISO business. Some merchants resent paying interchange when they would prefer to receive cash, and many become annoyed with "strangers" barging in to make a pitch for a competing ISO, Duckworth says.
Yet despite those complaints, the questionnaires and their language have evolved in response to comments from merchants and ISOs, according to Bob Russo, general manager of the Wakefield, Mass.-based PCI Security Standards Council LLC.
"We continue to update as needed, based on the feedback we get," Russo says.
Consulting companies that ISOs use to help merchants comply also say the questionnaires have improved with age.
DAY-TO-DAY GRIND
Four years have passed since the council introduced the original 70-question questionnaire, back in the days when the industry thought "one size might fit all," says John Bartholomew, vice president of sales for SecurityMetrics Inc., an Orem, Utah-based security-services company with a PCI focus.
"One size didn't fit all," as the industry soon learned, Bartholomew says.
Today, the council offers five different questionnaires with queries ranging in number from 11 to well more than 200, says Russo. ISOs pinpoint the high end at 276 questions.
Merchants that swipe a card on a point-of-sale system and use a phone line for verification face a short questionnaire, while the number of questions grows as the complexity and risk of the business increase, Russo says. This type of POS system is easier to assess because it does not use the Internet to connect to processors.
Risk increases when merchants key in card-not-present transactions online or over the phone, observers say. Risk also can grow when merchants use integrated POS systems that track inventory, purchasing and accounting functions over the Internet, says Bartholomew. Both approaches increase vulnerability to hackers, he notes.
But even with the assortment of questionnaires and the evolution of the language used on the site, small retailers continue to struggle with the questionnaires, says Peterson of Arlington Heights Merchant Banc. He blames the trouble on a failure to understand merchants.
Much of the industry remains "clueless," he says, living in "ivory towers" far from the day-to-day grind of running a small business.
"The bottom line," says Cohen of ETC Holdings, "is [many in the industry] do not care about the merchants."
Some problems arise because of the nature of the entrepreneurs involved, says Peterson.
He characterizes up to 70% of his merchants as "technically challenged" and more concerned about running a shoe store or a carnival than filling out forms. The merchants find the questionnaires' logic and language arcane, Peterson maintains.
In fact, some merchants log on and complete the steps necessary to establish a password and then erroneously believe they have completed the entire questionnaire when, in fact, they have barely begun, says Peterson.
Many merchants find themselves carving more than two hours out of a busy day to fill out a questionnaire, he continues. One merchant, a professional website developer with some technical background, found the task took the better part of five hours, Peterson says.
CALL FOR HELP
Merchants engaged in e-commerce tend to grasp the fine points of PCI compliance more readily than their counterparts in brick-and-mortar stores, according to Group ISO's Svoronos.
Peterson directs his merchants to the PCI site to fill out a questionnaire and tells them to contact him if they have problems, he says. When merchants have difficulties, Peterson walks through the questionnaires with them. If Peterson is stumped, he calls the processor for help. If the processor fails to resolve the situation, Peterson calls the PCI Council for help.
One such project resulted in a conference call that included the processor, the council, the merchant and Peterson, using up eight man-hours to complete a questionnaire, he says.
Staff members at Sterling Payment Technologies, a Tampa, Fla.-based ISO and processor, work with merchants on the questionnaires by phone but have occasionally visited local merchant locations personally to assist with the details, says John Miglino, Sterling executive director of marketing.
"Merchants need help and understanding," says Sterling Trotter, ISO-agent relations manager for Group ISO. "It seems difficult for them at first. You have to simplify it for them."
Group ISO is creating Web seminars to help ease the misgivings of merchants facing questionnaires, says Group ISO's Svoronos. "You have to spoon feed it to merchants," he says.
All 26 of Group ISO's headquarters employees have received enough PCI training to help merchants if the need arises, Svoronos says.
Assisting merchants with the questionnaires can help resolve some situations, agrees Liberty Bank's Duckworth, noting ISOs should stop short of filling out the questionnaires for merchants. "We try to explain the unusual language without giving direction on what they should say," she says.
As a bank, Liberty can ask the loan officer for a noncompliant merchant to bring up PCI when discussing other banking business, Duckworth says. Bank staffers also would have the option of directing those merchants to Duckworth herself, she says.
PROTECT THE RELATIONSHIP
And on a brighter note, once a merchant has completed a questionnaire, the requirement to repeat the process annually can become more a matter of maintenance than a struggle, says Joe Zahairis, vice president of business development for World Bankcard Services, a Fairfax, Va.-based wholesale ISO.
Moreover, the future may bring "smart" PCI questionnaires that adjust their questions midstream in response to the answers merchants are giving, says the council's Russo.
That approach already is occurring in other quarters. Consultants offer software tools designed to ask simple questions and then guide the user to the proper questionnaire and help complete it.
The tools, such as TrustKeeper from Trustwave, a Chicago-based compliance-services vendor, populate the questionnaire while sparing merchants from an overly technical encounter with the actual questionnaire, says Doug Klotnia, the company's executive vice president of product and strategy.
When the TrustKeeper questioning indicates a merchant is out of compliance because its systems are too susceptible to hacking, the system suggests ways to comply, Klotnia says. Trustwave also conveys the importance of compliance to merchants.
In fact, Trustwave forms a relationship with merchants, enabled by the ISO, in Klotnia's view. "We don't want to lose the ISO-merchant relationship," he says.
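The "smart" questionnaire Russo describes, and the guided tools Klotnia describes, both come down to routing: a few plain-language profile questions are asked first, and every later question declares which kinds of merchant it applies to, so a question that does not pertain is recorded as not applicable instead of being left blank or forced to "yes" (the half-truth Cohen objects to). The following is an added illustration of that routing logic written for this article; it is not the PCI Council's, Trustwave's or any ISO's software. The question texts, identifiers (P1-P3, R1-R5) and profile keys are constructed for the example and paraphrase common control areas rather than quoting any official questionnaire.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Profile = Dict[str, bool]   # merchant characteristics derived from profile answers
Answers = Dict[str, bool]   # question id -> yes/no as given by the merchant


def _always(profile: Profile) -> bool:
    return True


@dataclass
class Question:
    qid: str
    text: str
    # Predicate over the merchant profile; the question is asked only when it returns True.
    applies: Callable[[Profile], bool] = _always
    # For profile questions only: the profile key this answer fills in.
    profile_key: Optional[str] = None


# Profile questions are asked first; their answers steer everything that follows.
PROFILE_QUESTIONS: List[Question] = [
    Question("P1", "Does your point-of-sale system connect to the Internet "
                   "(rather than dialing out over a phone line)?", profile_key="internet_pos"),
    Question("P2", "Do you store cardholder data electronically after authorization?",
             profile_key="stores_data"),
    Question("P3", "Do you accept card-not-present payments through a website?",
             profile_key="ecommerce"),
]


def _networked(profile: Profile) -> bool:
    return profile["internet_pos"] or profile["ecommerce"]


# Constructed requirement questions: the wording and numbering are this example's own.
REQUIREMENT_QUESTIONS: List[Question] = [
    Question("R1", "Has every vendor-supplied default password on the POS system been changed?"),
    Question("R2", "Does the firewall configuration restrict connections between untrusted "
                   "networks and any system in the cardholder data environment?",
             applies=_networked),
    Question("R3", "Is cardholder data encrypted whenever it is sent over public networks?",
             applies=_networked),
    Question("R4", "Is stored cardholder data rendered unreadable (for example, encrypted)?",
             applies=lambda p: p["stores_data"]),
    Question("R5", "Is the e-commerce site reviewed for known web-application vulnerabilities?",
             applies=lambda p: p["ecommerce"]),
]


@dataclass
class Outcome:
    asked: List[str]
    not_applicable: List[str]   # skipped by routing and recorded as such, never left blank
    failed: List[str]           # relevant controls answered "no" or not answered at all

    @property
    def compliant(self) -> bool:
        return not self.failed


def build_profile(answers: Answers) -> Profile:
    """Profile answers are mandatory: without them no later question can be routed."""
    missing = [q.qid for q in PROFILE_QUESTIONS if q.qid not in answers]
    if missing:
        raise ValueError(f"profile questions unanswered: {missing}")
    return {q.profile_key: bool(answers[q.qid]) for q in PROFILE_QUESTIONS}


def pending_questions(answers: Answers) -> List[Question]:
    """What to ask next given the answers so far: the midstream adjustment."""
    unanswered_profile = [q for q in PROFILE_QUESTIONS if q.qid not in answers]
    if unanswered_profile:
        return unanswered_profile          # cannot route until the profile is complete
    profile = build_profile(answers)
    return [q for q in REQUIREMENT_QUESTIONS if q.applies(profile) and q.qid not in answers]


def evaluate(answers: Answers) -> Outcome:
    """Score a completed questionnaire, separating not-applicable from failed."""
    profile = build_profile(answers)
    asked = [q.qid for q in PROFILE_QUESTIONS]
    not_applicable: List[str] = []
    failed: List[str] = []
    for q in REQUIREMENT_QUESTIONS:
        if not q.applies(profile):
            not_applicable.append(q.qid)
            continue
        asked.append(q.qid)
        if not answers.get(q.qid, False):   # blank or "no" on a relevant control is a finding
            failed.append(q.qid)
    return Outcome(asked, not_applicable, failed)


if __name__ == "__main__":
    # Constructed merchant: dial-up swipe terminal, nothing stored, no web sales.
    dialup = {"P1": False, "P2": False, "P3": False, "R1": True}
    for q in pending_questions({"P1": False, "P2": False, "P3": False}):
        print(q.qid, q.text)            # only R1 is relevant to this merchant
    print(evaluate(dialup))
```

The dial-up merchant in the usage block sees one requirement question and a compliant result, with the firewall, transmission, storage and web questions all listed under not_applicable; flipping P1 to "yes" pulls R2 and R3 back into the asked list, and leaving either blank is then counted as a finding rather than silently passed.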
ON THE SAME PAGE
However, some ISOs remain skeptical about security-services vendors. "If you ask three security companies the same question, each has a different answer," says Cohen of ETC Holdings.
Others say the inconsistencies arise with the card brands' differing approaches. "They need to get on the same page; Visa is slightly different from MasterCard," says Duckworth.
But differences can help the brands avoid the specter of collusion that violates antitrust laws, says Russo.
Moreover, Bartholomew of SecurityMetrics views the PCI standard as the most flexible, sophisticated and easily changed rules ever created for any industry.
His company has pursued security in health care, banking and a number of other fields, but the standards never had the vibrancy, enforcement and capacity for change that he finds in PCI, he says.
"That doesn't mean it's perfect," he says, "but it's the best."
In a time when payment card data is continually targeted by fraudsters with ever-changing tactics, a perfect countermeasure may be one that places adaptability as its top goal.