Mankind’s standard device for remembering, and ultimately accomplishing, tasks at hand may forever be the “to-do list.”
Imagine taking that time-tested cheat sheet and turning it into a technological tool for merchants to protect credit card data and stay on track with Payment Card Industry data security standard compliance.
Imagine no more.
Trustwave has upgraded its cloud-based Trustkeeper PCI Manager software for small merchants to include a “to-do list” that provides a step-by-step process for revealing areas of noncompliance in a payments network and providing options to correct those issues, Doug Klotnia, Trustwave executive vice president, tells PaymentsSource.
The Chicago-based data security and compliance-management provider includes the to-do list feature at no extra cost in its PCI Manager software, which merchants use to protect customer card data by addressing questions common in PCI-compliance testing and when monitoring progress in attaining compliance.
The Trustkeeper PCI Manager software costs are determined by merchant type and processing methods, ranging from $149 to $229, Klotnia says.
A portion of the software entitled PCI Wizard enables merchants to go through the PCI-certification process, including answering the PCI security-assessment questions to determine their levels of compliance. During that process, the software creates a to-do list based on how the customer answers a question, Klotnia says.
“The Wizard may ask the merchant if he has a data-security process that is routinely followed, while showing the various steps of such a process,” Klotnia explains.
If the merchant’s answer reveals a problem area, or a lack of a security process, the Wizard generates compliance steps broken down in three areas: risk, “solution” and source, Klotnia adds. Depending on how the merchant answers the question, the risk area explains the dangers of lacking policies and procedures or identifies weak areas of a merchant’s policy, Klotnia notes.
The “solution” area offers a policy template the merchant can fill out to create his own policy. The source area provides information about the likely origin of any problems and explains how to fix them, Klotnia adds.
The Wizard provides the direction for the merchant, and the to-do list comes into play as the vehicle to ensure the merchant remains aware and completes the tasks needed to be PCI compliant, Klotnia says. When the merchant completes a task, the to-do list shows a check mark signaling the task is complete.
Before the to-do list was created, merchants may have become confused, or forgetful, about which steps to take next for achieving PCI compliance, Klotnia explains.
“You don’t always like to use the word ‘simple’ when referring to complex things like PCI compliance, but we’re happy to use that word in describing how easy it is to use the Wizard to-do list in Trustkeeper,” he says.
Smaller, so-called Level 4 merchants are not technically savvy, nor do they have the time to become immersed in the technical aspects of card-data protection, Klotnia says. As such, if an aspect of PCI compliance gets too complex, merchants may either overlook it or forget to address it, he adds.
“One of the risks in data security is the end-user not being thoughtful about PCI compliance,” Klotnia suggests. “We are trying to present a process that is not intimidating and we think the to-do list overcomes a lot of apprehension.”
Julie Conroy McNelley, senior analyst and fraud expert with Boston-based Aite Group, tells PaymentsSource that a lack of education about PCI compliance has become a major issue burdening smaller merchants.
“The bad guys know that smaller merchants are becoming a point of susceptibility,” McNelley says. “Our research has shown that even though the breaches don’t result in significant numbers of card data lost, the fraudsters have vastly increased their number of attempts.”
It is just as profitable for a fraudster to “collect small pieces” of card data because those small amounts add up, McNelley suggests. Plus, a breach of data for fewer than 5,000 cards is far less likely to garner heavy attention from law enforcement, she adds.
Klotnia agrees that increasing merchant awareness about PCI compliance remains the biggest challenge for his company.
“We have to keep trying to get to a place where the merchant looks at PCI compliance with the same importance as having a fire extinguisher for the kitchen in his restaurant,” Klotnia says. “You have to have protection.”
A company such as Trustwave can provide education to merchants, but if they do nothing about it, then they are no better off, Klotnia contends. “They have to have the awareness to take action,” he says.