A data-security provider is turning the time-tested “to-do list” into a technological tool merchants may use to protect credit card data and stay on track with Payment Card Industry data security standard compliance.
Chicago-based Trustwave has upgraded its cloud-based Trustkeeper PCI Manager software for small merchants with a “to-do list” that walks a merchant step by step through the areas of noncompliance in its payments environment and offers options to correct each one, Doug Klotnia, Trustwave executive vice president, tells ISO&Agent Weekly.
The to-do list feature is included at no extra cost in PCI Manager, which merchants use to work through the questions common to PCI compliance assessments and to track their progress toward compliance.
The Trustkeeper PCI Manager software costs are determined by merchant type and processing methods, ranging from $149 to $229, Klotnia says.
A portion of the software called PCI Wizard takes merchants through the PCI validation process, including answering the PCI self-assessment questions that determine their level of compliance. As the merchant answers those questions, the software builds a to-do list from the responses, Klotnia says.
“The Wizard may ask the merchant if he has a data-security process that is routinely followed, while showing the various steps of such a process,” Klotnia says.
If a merchant’s answer reveals a problem area, or the absence of a security process, the Wizard generates compliance steps broken down into three areas: risk, “solution” and source. Depending on the answer, the risk area explains the dangers of not having policies and procedures, or identifies weak spots in the merchant’s existing policy, Klotnia notes.
The “solution” area offers a policy template the merchant can fill out to create a policy. The source area explains the likely origin of the problem and how to fix it, Klotnia adds.
The Wizard provides the direction, and the to-do list is the vehicle that keeps the merchant aware of, and working through, the tasks needed to become PCI compliant, Klotnia says. When the merchant completes a task, the to-do list shows a check mark signaling the task is done.
Before the to-do list existed, merchants could become confused, or simply forget, about which steps to take next toward PCI compliance, Klotnia explains.
“You don’t always like to use the word ‘simple’ when referring to complex things like PCI compliance, but we’re happy to use that word in describing how easy it is to use the Wizard to-do list in Trustkeeper,” he says.
Smaller, so-called Level 4 merchants are not necessarily technically savvy, nor do they have the time to immerse themselves in the technical aspects of card-data protection, Klotnia says. If an aspect of PCI compliance becomes too complex, merchants may overlook it or forget to address it, he adds.
“One of the risks in data security is the end-user not being thoughtful about PCI compliance,” Klotnia suggests. “We are trying to present a process that is not intimidating and we think the to-do list overcomes a lot of apprehension.”
Julie Conroy McNelley, senior analyst and fraud expert with Boston-based Aite Group, tells ISO&Agent Weekly that a lack of understanding of PCI compliance has become a major issue burdening smaller merchants.
“The bad guys know that smaller merchants are becoming a point of susceptibility,” McNelley says. “Our research has shown that even though the breaches don’t result in significant numbers of card data lost, the fraudsters have vastly increased their number of attempts.”
Criminals can steal significant amounts of money in small increments over time, McNelley suggests. And a breach involving fewer than 5,000 cards attracts far less attention from law enforcement than a larger theft would, she adds.
Klotnia agrees that raising merchant awareness of PCI remains the biggest challenge for his company.
“We have to keep trying to get to a place where the merchant looks at PCI compliance with the same importance as having a fire extinguisher for the kitchen in his restaurant,” Klotnia says. “You have to have protection.”
A company such as Trustwave can teach merchants about complying with PCI, but if the merchants do not take action they are no better off, Klotnia observes. “They have to have the awareness to take action,” he says.