PCI Data Security Essentials: The “PCI Shortcut” Small Merchants Have Been Waiting For

October 4, 2018

If you’ve got a portfolio of small merchants, you know their greatest desire is to find the quickest and easiest way to satisfy PCI compliance requirements—a PCI shortcut, if you will. Well look no further, because the PCI Security Standards Council has released a new set of tools designed especially for the small businesses you serve.

The DSE Toolkit is Here
As a member of the PCI Council’s Small Merchant Taskforce, I’m happy to say that the fruits of our labor have finally come forth in the Data Security Essentials (DSE) toolkit. Why did it take so long? While it’s true that small merchants accept fewer credit card payments than the bigger guys, a growing range of acceptance methods coupled with a lack of in-house technical expertise make addressing their security posture quite complex.

First, we had to consider that this wasn’t truly about PCI compliance—it was about tightening the small business’s cybersecurity posture. With that in mind, we set out to build a PCI compliance validation tool that made it easier for small merchants to determine which questionnaire they needed to complete; used simpler terminology; presented fewer, higher-impact requirements; and provided very targeted resources to help small merchants understand and reduce risk.

The Taskforce released its first set of small-business cybersecurity resources in July 2016. Since that time, we have worked to further clarify and simplify the security and compliance process for small businesses. In August 2018, we released an enhanced version of our earlier creation, along with an all-new evaluation tool. This new solution set provides the PCI shortcut small businesses have been looking for, along with an important educational component to help them achieve a strong cybersecurity posture.

It All Starts with the Questionnaire
Most small merchants take one look at the PCI Self-Assessment Questionnaire (SAQ) and run screaming. The technical nature of the questions—and even the very process of selecting the correct questionnaire—can be overwhelming. Unfortunately, the SAQ is the merchant’s baseline for guiding them toward a secure environment, so completing it is not something to be avoided.

The DSE Questionnaires focus on changes merchants can make that will have the highest impact on their payment security posture. The Questionnaires operate in a similar fashion to the traditional PCI SAQs; however, the merchant sees considerably fewer questions while being presented with additional, relevant answer options. The merchant also sees considerably more educational material, which helps them understand their risks and how to reduce them.

The following chart shows how the new DSE Questionnaires map to the PCI SAQs. Notice the significant decrease in requirements between each DSE type and its SAQ counterpart. Also, there are no Questionnaire Types 8 and 11, because they refer to processing methods that cannot use the DSE to validate.

PCI Shortcut: DSE Questionnaires

When a merchant completes the DSE Questionnaire, they are considered PCI compliant. Keep in mind, however, that this Questionnaire is only available to merchants who are approved by their Merchant Bank to use the DSE to validate compliance. Plus, the merchant may still be obligated to pass regular ASV scans.

Increased participation and success with PCI compliance translates to reduced portfolio risk for ISOs and acquirers. Payment facilitators will realize these same benefits when they enroll sub-merchants in a PCI program that incorporates DSE.

Get Your Small Merchants Compliant with DSE
The DSE Questionnaires are available now, so you can give your small merchants the PCI shortcut they’re craving. ControlScan offers DSE via our SecureEdge platform and other PCI compliance vendors are beginning to integrate it as well.

Have questions? Give us a call at 800-825-3301, ext. 2, or visit https://www.controlscan.com/partner-program/.