By Steve Rowen, Partner
2/12/2008
Today’s retailer knows more about how the customer shops than ever before. Small and mid-sized retailers, in particular, are aggressive users of customer data, using it to shape products, marketing and promotions that help them differentiate themselves from larger competitors. Yet securing this personal information is no easy task.
Last week, the Payment Card Industry Security Standards Council (PCI SSC) released a substantially revised process for small and mid-sized retailers to self-assess their PCI DSS compliance.
I had the opportunity to interview Bob Russo, the General Manager of the PCI SSC, to find out a bit more of why this change was implemented, and what it really means for small and mid-size retailers.
“We had a tremendous amount of success in 2007,” says Bob. “Electing a board of advisors, training 1,500 assessors, introducing the PED (PIN Entry Device) Standard and launching a special interest group program that already has tremendous outreach. What this means for 2008 is a heightened focus on operational issues and efficiency – this year, we’re not just going to train assessors, but merchants as well.”
Bob continues by explaining how the old self-assessment questionnaire (SAQ) was overwhelming to some retailers. “For Level 1 merchants, an onsite assessment was – and still is – required. Yet for Level 2 and 3 merchants, the old process for self-assessment was an 11-page document containing some 200 questions. It didn’t really align with the PCI DSS, and had an awful lot of merchants scratching their heads saying, ‘we can’t answer these questions.’ So we took that feedback and completely revised the process.”
He states, “Now, instead of grappling with an 11-page document, the new streamlined process allows merchants to select in advance a questionnaire that best fits their business. Most importantly, we made it flexible for different merchant types – this is not dumbing it down, but listening to merchants and accommodating their individual needs.”
The new SAQ comes in four versions, labeled A through D, and which one a merchant uses is determined by how it handles card data rather than by preference. Retailers that outsource all of their card processing to a validated third party, and store no cardholder data themselves, complete SAQ A, a 20-question questionnaire. Retailers that take card imprints only, do not conduct online sales, and store no card data electronically complete SAQ B, with 21 questions. Merchants whose payment application systems are connected to the internet but who store no cardholder data complete SAQ C, with 38 questions. Finally, SAQ D is the catch-all for everyone else, and is the full-blown questionnaire covering all PCI DSS requirements. A merchant that selects a shorter SAQ without actually meeting its eligibility criteria has not assessed its real exposure, so the first step is an honest inventory of where card data enters, flows through and is stored in the business.
Bob also goes on to describe another important feature of the new process: a companion guide explaining the “why and how” of each requirement, to help smaller retailers understand why PCI compliance is so important. “The updated SAQs represent a major initiative by the Council to help merchants secure their credit card transactions,” says Russo.
To learn more about the PCI SSC and its revisions to the PCI compliance assessment process, RPW readers are invited to attend a free webinar on February 21: Navigating and Understanding the PCI SSC Self Assessment Questionnaire. Additional information and sign-up details are available here.