Level 4: The small-merchant PCI challenge

While sensational data breaches experienced by big-box retailers and processors fill the headlines, 85 percent of reported data compromises involve small merchants - defined as Level 4 by the Payment Card Industry (PCI) Data Security Standard (DSS). More than 6 million small merchants are doing business in North America; fewer than 5 percent have attested to compliance with the PCI DSS.

By Joan E. Herbig

These are potentially costly statistics for acquirers, who ultimately shoulder the monetary burden should their merchants experience breaches.

Beyond their abundance, Level 4 merchants carry unique challenges. Acquirers can reduce their overall risk and dramatically improve compliance rates among these merchants by overcoming four often-overlooked pitfalls when designing their PCI compliance programs.

Challenge 1: Little awareness of security

Small merchants are focused on making ends meet. They have little awareness of - or time to focus on - security best practices. The few who have heard of PCI compliance typically don't know the standard applies to them. They assume PCI compliance is only for the "big guys" or e-commerce merchants.

Those who realize PCI compliance does apply to them often approach it as a perfunctory process. The benefits of better security often aren't clear to them, and they don't realize breaches could be catastrophic for their businesses.

Acquirers are required to develop a plan to address and educate small merchants about the PCI DSS. The PCI Security Standards Council (SSC) provides basic air cover, but acquirers that take a proactive, targeted approach to engage Level 4 merchants with a variety of educational materials and tactics will become valuable partners to their merchants and gain a competitive advantage.

Education should be a significant component of any acquirer's comprehensive merchant outreach strategy to drive PCI compliance. Examples of helpful educational tools for small merchants include:

  • FAQs tailored to Level 4 merchants
  • PCI DSS basics
  • Tools to help merchants determine their PCI Self-Assessment Validation category and whether they require quarterly scans
  • Overview of the risks merchants face if they are not PCI compliant
Additionally, acquirers should advise small merchants against storing credit card data without a compelling business reason for doing so, and direct them to use Payment Application DSS-compliant applications. That way, small merchants will experience a simpler path to PCI compliance and reduce their risk of data compromise.

Challenge 2: Lack of technical expertise

Most small merchants have few or no technical staffers to manage the PCI compliance process. All of them are required to complete Self Assessment Questionnaires (SAQs) annually and maintain compliance throughout the year. Many have problems answering basic questions in the SAQ because the language is often aimed at technical users.

Questions like the following frequently arise:

  • What validation type am I?
  • What is a payment application?
  • What is encrypted data?
  • What is a firewall?
How do I know if I'm storing prohibited card data?
Level 4 merchants typically have no idea how credit card data flows through their businesses, and most don't have security awareness programs to educate employees on best practices for ensuring the security of cardholder information. Thus, they are highly reliant on outside parties, including their acquirers or POS equipment vendors, and often receive conflicting advice.

Acquirers can help reduce confusion by providing small merchants with guidelines to answer SAQ questions that are specific to each merchant's environment. This makes it easier to complete the SAQ and improves the quality of responses. Acquirers may also want to consider providing security awareness training, in everyday language, to provide fundamental information small merchants need to guard against data compromises.

Going forward, acquirers may want to establish processes for obtaining sufficient information about their merchants' environments that will enable them to answer certain questions, such as what payment application a given merchant uses. This data could be pre-entered in an online SAQ to make the process easier and less frustrating for the merchant.

Challenge 3: Diverse merchant environments

Small merchants often need multiple touch points to become knowledgeable and engaged in the PCI compliance process. Retailers lacking computer or e-mail access present acquirers with challenges regarding how to fully track and convey compliance rates for their small merchant portfolios.

Acquirers must be prepared to provide paper versions of the SAQ to merchants without online access. Moreover, acquirers should develop a content management and reporting strategy for these one-off measures. This will ensure they maintain a holistic view of compliance for their merchant portfolios.

Acquirer portfolios frequently consist of large concentrations of non-English speaking merchants, which compounds the difficulty of the entire compliance process. While the PCI SSC provides the SAQ in English and six other languages, acquirers still face the issue of providing training and technical support to help merchants answer the questions effectively. Acquirers will need to formulate plans to provide the SAQ and support for completing the SAQ in multiple languages.

Challenge 4: Web site vulnerabilities

Small merchants with externally facing Internet Protocols (IPs) must complete quarterly vulnerability scans (SAQ Validation types 4 and 5) to comply with the PCI DSS. Small merchants face unique challenges in complying with this requirement.

Before scanning even begins, small merchants typically ask basic questions, including:

  • What is an externally facing IP?
  • What do I need to scan?
  • How do I find my firewall password?
  • Do I need to scan my POS system that is connected to the Internet?

Most vulnerabilities found in small merchant scanning results require assistance from outside vendors to remediate. For example, dangerous structured query language injection and cross-site scripting vulnerabilities require a programmer to remediate; however, most merchants don't have a programmer in-house and are often not sure whom to commission.

The merchant's host also plays a role in remediating vulnerabilities, and while there are many cooperative hosts, some are not willing to make the changes required to bring the merchant into compliance.

Changes to consider

Developing and implementing a successful Level 4 compliance program is not easy, but acquirers that take the time to develop a plan that anticipates the unique challenges their small merchants face upfront will increase the likelihood of realizing much higher compliance rates and less merchant frustration.

Acquirers that don't have the time and resources to dedicate to comprehensive PCI compliance should consider partnering with a company that specializes in PCI compliance for small merchants.

Different deployment options exist, ranging from full outsourcing to a hybrid model, where an acquirer's support team is trained to handle some aspects of support. This helps ensure the acquirer is equipped with knowledge to answer basic technical questions that often stall merchants early in the PCI compliance process.

Security is becoming increasingly multilayered and complex, so even those with expertise have difficulty configuring security tools correctly. Acquirers managing a PCI compliance program should be prepared to "get in the trenches" to effectively support their merchants.

Whether managed in-house or externally though a third-party, a well-executed PCI program helps acquirers reduce risk and provides an opportunity for them to take a leadership position and establish stronger relationships with their merchants.

Joan Herbig is Chief Executive Officer of ControlScan. She has more than 20 years' experience in the high-tech world and serves on the Electronic Transactions Association's Risk and Fraud committee. Contact her at [email protected] or 800-825-3301.

Recent Entries

CUPPS: The Platform of the Future (Airline Kiosk)
CUPPS has been architected as the platform of the future, able to accommodate many things even beyond the agent-facing applications…
EMV takes aim at U.S.
Nice article on SecureIDnews covering EMV. by Andy Williams, Associate Editor, Avisian PublicationsLike a massive tidal wave, EMV continues to roll…
Tokenization and Enterprise Security
Nice article on tokenization which also highlights lack of formal standards for tokenization at this time. Credit Card Tokenization: Put All…
Wal-Mart's Kiosk Trial Raises Serious PCI, Data Ownership Issues
Wal-Mart this month became the latest major retailer to experiment with self-service kiosks, selling space in 77 stores for units…
Proximity (NFC) Mobile Payment Technology - Security Whitepaper
The opportunities offered by the advent of proximity mobile payments are clear; differentiated payment services, increased transaction volumes, faster transactions,…
Look Beyond Hospitality Touch Screen Solutions
Whether you realize it or not, touch technology quickly is becoming the intuitive input delivery method of choice. Look no…
Level 4: The small-merchant PCI challenge
While sensational data breaches experienced by big-box retailers and processors fill the headlines, 85 percent of reported data compromises involve…
ATM Card Skimming and Pin Capture
ATM Card Skimming is a method used by criminals to capture data from the magnetic stripe on the back of…
Background - Use of Electronic Health Records in U.S. Hospitals
Report from New England Journal of Medicine on Electronic Health Records. Concludes - very low levels of adoption in U.S.…
PCI DSS in real life -- Requirement 1 Firewall
Excerpt: Critical to the selection was choosing a vendor that best met PCI DSS (Payment Card Industry Data Security Standard)…
User Interface & Content - Can I Use My Website?
Web sites, self-service can play nicely together according to Jim Kruper of Kioware.  With the increasing number of devices that…
Resource Link - Understanding credit card transaction fees
Merchants accounts, gateways and rates. Having your kiosk process credits cards swiped locally (card present) come with regulatory standard considerations…
Whitepaper - Introduction to CFM or Customer Flow Management
CFM or Customer Flow Management systems are found in more verticals/markets than any other application. Here is a technical document…
Compliance Resource: ETA and Electronic Transaction Compliance
Worth noting Heartland Payment Systems and RBS Worldpay have been removed from Visa Inc.'s list of PCI compliant service providers and…
Going beyond current PCI security standards
Acknowledging the need for controls that go beyond those offered by the Payment Card Industry (PCI) Data Security Standard, a senior…
ADA Requirements - Changes in California
In late 2008 the California legislature passed a stronger version of ADA which was Senate Bill 1608. This bill became…
Opinion - Why is Redbox Afraid of the iPhone?
Over the last few years, Redbox has been able to build an impressive DVD rental network by being innovative and…
Research Report - Touchscreen Check-In: Kiosks Speed Hospital Registration
March 2009 -- Patient self-service kiosks are being used with growing frequency in hospital ambulatory settings and emergency departments. These interactive…
Cloud Computing - What is it?
Cloud computing resources question was raised by a member of Health Infomatics group we participate in. Health technology right now…
Heartland Put on Probation for Security Breach
Heartland Payment Systems (HPY), one of the largest credit card processors in North America, is finally being called to the…

Related Ring Sites:
  GoKIS  |   ThinClient.org  |   keefner.com  |   Visi Kiosk site  |   KIOSK  |   Kis-kiosk.com  |
Resource Sites:
  Elo TouchSystems  |   Acire Inc.  |   Nextep  |   TIO Networks  |   Olea  |   Self-Service Networks  |   Meridian Kiosks  |   Provisio  |   Kioware  |
  Selling Machine Partners  |   Source Technologies  |   Seepoint  |   5Point  |   Nanonation  |   Netkey  |   KioskCom  |   Summit Research  |   NCR  |