As many as 30% of merchants bailed out on their Payment Card Industry data security test because they didn't have time or didn't understand it, ControlScan says. The vendor aims to improve the process by suppressing irrelevant questions and putting the easiest questions first.
The Atlanta-based payment security and compliance software provider today launched SmartSAQ, an updated version of the cloud-based, interactive standard self-assessment questionnaire merchants complete annually for PCI compliance.
SmartSAQ is designed for all merchants, but smaller merchants should benefit from the streamlined test, says Steve Robb, senior vice president of products and services for ControlScan.
Initial versions of the SAQ were "general purpose" and included many questions likely not relevant to certain types of merchants, Robb says. "It was very clear that merchant services providers wanted tools they can customize and configure specific to their business merchants."
The SmartSAQ also allows providers to customize photos and text for a particular merchant.
"They can show a picture of a terminal they know the merchant is using and ask them to confirm they are still using it," Robb says. Such customization eliminates many unnecessary questions about other systems, though the SAQ still asks merchants if they are processing cards in any other way, Robb adds.
SmartSAQ suppresses questions that are not relevant. "If merchants say they don't have wireless in their environment, then they don't have to answer any more of those questions," Robb says.
ControlScan evaluated the list of questions in the SAQ and formatted the new test version to bring easier questions to the forefront.
"We want merchants to gain momentum with the process," Robb says. "If they get closer to the finish line, they are more likely to complete it rather than abandoning it."
SmartSAQ is configured to ask one question per computer screen, with customized "help" text boxes on each page, as well as a navigation scheme in the margin. "If the merchant skips a question, he can easily get back to it later," Robb says.
The system also allows merchants to establish a "to do" list they can refer to when they need to complete certain tasks to meet PCI compliance.
Processors and security vendors have been seeking ways to streamline the self-assessment process for the past few years.
First Data Corp. released a similar product last year called the PCI Rapid Comply system, an online program that automates much of the questionnaire.
Independent sales organizations, acquirers and other merchant services providers will be able to put their brand on the SmartSAQ and set up the portal on their websites to provide merchant clients access to the annual test. Or, they can set up a link that goes directly to the ControlScan site for the test, Robb says.
Merchants using the SmartSAQ during pilot testing of the product indicated they saved up to 30% to 40% of the time they previously spent completing the test, Robb says.