ISOs and agents seldom question the importance of helping their merchants comply with the Payment Card Industry Data Security Standard.
After all, nobody wants a data breach that exposes the personal information of thousands of consumers to fraud, theft and abuse, and the PCI standard is designed to guard against those crimes.
Yet those same ISOs and agents complain bitterly about the self-assessment questionnaires, sometimes called SAQs, which small merchants have to fill out to comply with the PCI standard.
The questions read as though they were written by information-technology people “and lawyers for IT people,” says Eric Cohen, CEO of a Jersey City, N.J.-based ISO called ETC Holdings. For example, “Does the firewall configuration restrict connections between untrusted networks and any system in the cardholder data environment?” is one question in the SAQ for merchants with point-of-sale systems that connect to the Internet but that do not store cardholder data.
And some questions lend themselves to two or even three interpretations, according to Gary Peterson, president of Prospect, Ill.-based Arlington Heights Merchant Banc.
Moreover, a question may not pertain to the merchant filling out the electronic questionnaire, but if the merchant leaves it blank, then the business is failing to comply, says Cohen. In such cases choosing the required answer of “yes” would provide a half-truth, he notes.
Too many merchants “tear their hair out” when the questionnaires are couched in obscure legalistic language, using such words as “herein” and “attestation,” observers say.
Yet despite those complaints, the questionnaires and their language have evolved in response to comments from merchants and ISOs, according to Bob Russo, general manager of the Wakefield, Mass.-based PCI Security Standards Council LLC.
“We continue to update as needed, based on the feedback we get,” Russo says.
Consulting companies that ISOs use to help merchants comply also say the questionnaires have improved with age.
Four years have passed since the council introduced the original 70-question questionnaire, back in the days when the industry thought “one size might fit all,” says John Bartholomew, vice president of sales for SecurityMetrics Inc., an Orem, Utah-based security-services company with a PCI focus.
“One size didn’t fit all,” as the industry soon learned, Bartholomew says.
Today, the council offers five different questionnaires with queries ranging in number from 11 to well over 200, says Russo. ISOs pinpoint the high end at 276 questions.
Merchants that swipe a card on a point-of-sale system and use a phone line for verification face a short questionnaire, while the number of questions grows as the complexity and risk of the business increase, Russo says. This type of POS system is easier to assess because it does not use the Internet to connect to processors.
Risk increases when merchants key in card-not-present transactions online or over the phone, observers say. Risk also can grow when merchants use integrated POS systems that track inventory, purchasing and accounting functions over the Internet, says Bartholomew. Both approaches increase vulnerability to hackers, he notes.
But even with the assortment of questionnaires and the evolution of the language used on the site, small retailers continue to struggle with the questionnaires, says Peterson of Arlington Heights Merchant Banc. He blames the trouble on a failure to understand merchants.
Much of the industry remains “clueless,” he says, living in “ivory towers” far from the day-to-day grind of running a small business.
“The bottom line,” says Cohen of ETC Holdings, “is [many in the industry] do not care about the merchants.”
Some problems arise because of the nature of the entrepreneurs involved, says Peterson.
He characterizes up to 70% of his merchants as “technically challenged” and more concerned about running a shoe store or a carnival than filling out forms. The merchants find the questionnaires’ logic and language arcane, Peterson maintains.
In fact, some merchants log on and complete the steps necessary to establish a password and then erroneously believe they have completed the entire questionnaire when they have barely begun, says Peterson.
Many merchants find themselves carving more than two hours out of a busy day to fill out a questionnaire, he continues. One merchant, a professional website developer with some technical background, found the task took the better part of five hours, Peterson says.
Protect The Relationship
And on a brighter note, once a merchant has completed a questionnaire, the requirement to repeat the process annually can become more a matter of maintenance than a struggle, says Joe Zahairis, vice president of business development for World Bankcard Services, a Fairfax, Va.-based wholesale ISO.
Moreover, the future may bring “smart” PCI questionnaires that adjust their questions midstream in response to the answers merchants are giving, says the council’s Russo.