To Ease PCI Pain, First Data Offers 'Turbo Tax-Like' Assessment Tool

For small merchants, the annual compliance questionnaire for the Payment Card Industry Data Security Standard was meant to be a straightforward way to validate their approach to security. But over the years, the questionnaire has become increasingly complex.

First Data Corp. hopes to make the process simple again for its small- and mid-size merchants, and claims to be the first payments processor to offer an online program that automates much of the questionnaire.

Its PCI Rapid Comply system, announced June 26, steers merchants through the annual self-assessment questionnaire and scans for potential vulnerabilities in payment systems. U.S. clients of Atlanta-based First Data have been using Rapid Comply since June 1.

"We needed a Turbo Tax-like product to walk them through the testing," says Tim Horton, vice president of merchant product management and security services for First Data.

Merchants can use Rapid Comply to first answer a set of questions related to the self-assessment that will direct them to the proper questionnaire, Horton says.

When the proper questionnaire comes up on the merchant's computer screen, First Data will have already supplied answers to many of the technology questions, he adds.

"We know what type of terminals they have and what type of connectivity they have," Horton says. "We also know the products and services they are using from First Data, so we can answer many questions for them."

Because merchants may not understand some of the wording in the questions, Rapid Comply highlights those areas for the merchant to click for links to definitions and compliance advice, Horton says.

For more complex issues, Rapid Comply includes a chat room for merchants to speak to a First Data representative, who can provide answers or clarifications.

Rapid Comply also reminds the merchants to sign their completed questionnaires. It may seem like a basic task, but "the merchant is not compliant if he hasn't signed the document," Horton notes.

Independent sales organizations can sign up for the Rapid Comply service through First Data. They can then sell it to merchants under their own brand name, Horton says.

Merchants using Rapid Comply will complete their assessments in less than half of the time they previously spent, Horton says.

The type of help merchants needed in the past amounted to "buying a new car and having a tow truck follow you around to help with any problems," Horton says.

Susan Matt, CEO of ThoughtKey Inc., an Atlanta-based PCI consulting firm, says many security vendors and processors outsource similar products to ISOs to help merchants navigate the PCI landscape.

"First Data used a product from SecurityMetrix before building their own model," Matt says. "I think the product is a necessity because PCI compliance can be very confusing and very complex."

Online portals such as Rapid Comply streamline the compliance process and help educate merchants about PCI while keeping them up to date about new standards, she adds.

Mark Horwedel, CEO of the Merchant Advisory Group, says PCI assessments have become "one of the more salient symptoms of a business that has become unnecessarily complex."

However, he claims "there is little doubt that small- and mid-size merchants are particularly dumbfounded by all of the PCI requirements, which leaves ample room for middlemen to assist them in assuring compliance."

Horton says First Data will likely expand Rapid Comply to global clients in the future, as well as possibly sell it to non-First Data merchants.
