There’s a problem with the PCI Data Security Standard (PCI DSS). As many acquirers know only too well, compliance rates among merchants are falling. In 2019, fewer than 28% of global organizations achieved 100% compliance during their interim compliance validation, according to Verizon. That’s a decline of nearly 9% from the year before. A big part of the problem lies with the PCI Self-Assessment Questionnaire (SAQ). Although designed to be easier for smaller merchants to manage, in practice the opposite is true. This is bad for merchants, and for Merchant Service Providers (MSPs) who want to encourage best practice risk management.
To help improve compliance rates and ensure merchants put stronger cyber security measures in place, MSPs need to make SAQs easier to digest. That means adopting smarter, more context-aware approaches for seamless interaction.
SAQs are a self-validation tool for smaller merchants. On paper, the yes/no answer format would seem to offer less resourced businesses an easier template for assessing their compliance posture against each PCI DSS requirement. However, even this can be extremely challenging for business-owners who are not technical experts — which is most small business owners.
Most MSP PCI portals do little to simplify this process. In fact, they’re often guilty of doing little more than replicating the paper form digitally. The result? At best, the merchant erroneously ticks all the boxes as “Yes.” At worst, they do nothing. Too often merchants treat SAQ admin and non-compliance charges from their MSPs as a cost of doing business. Risk remains unmanaged. Breaches continue.
It doesn’t have to be like this. The irony is that PCI DSS is a very good security standard for the protection of card data. The controls it recommends are well thought-out and, if followed correctly, will dramatically reduce a merchant’s risk exposure. It has also evolved over the years to reflect the changing threat landscape and maturing security and payment technologies used by organizations. But this evolution has created more complexity. Back when it launched in 2006 there was one version of the standard with one SAQ. Today there are 15 versions with nine different SAQs depending on merchant type.
So, is the PCI DSS SAQ fit for purpose? Well, the controls it suggests absolutely are still valid. But the way this information is presented to merchants requires a rethink. MSPs must grasp the opportunity to differentiate here. If you know your merchants well enough individually, then you’ll know that their answers to some of the questions will make others irrelevant. It’s all about context and personalization — using merchant data to streamline an important compliance process and enhance their risk management.
As an MSP, you will know a fair amount about each merchant, even at the point of onboarding. You’ll have: merchant name; Merchant ID; Merchant Category Code (MCC); what type of channels they use (e-commerce, face-to-face, etc.); what type of payment facilities they have; merchant level (tied to transaction volume); and much more. Why not use this information to pre-populate these answers into the relevant part of the SAQ? It will save the merchant time and reduce the chances of human error.
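The two ideas in the paragraphs above (pre-populating answers from onboarding data, and letting one answer make other questions irrelevant) are easy to get wrong in a portal that just mirrors the paper form. The following is an added example, not code from the original post or from any MSP portal, of how a context-aware questionnaire engine can resolve both in one pass. The question IDs, wording, dependency rules and merchant profiles are constructed for illustration and are not the text or structure of any real PCI SAQ; only the profile fields (Merchant ID, MCC, channels, payment facilities, level) follow the post.

```python
"""Context-aware SAQ assembly: pre-fill answers the MSP already knows from
onboarding data and mark questions that an earlier answer makes irrelevant.

Added example. The question IDs, wording and dependency rules are constructed
for illustration and are not the text or structure of any real PCI SAQ.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class MerchantProfile:
    merchant_id: str                 # Merchant ID known at onboarding
    mcc: str                         # Merchant Category Code
    channels: frozenset              # e.g. {"ecommerce", "face-to-face"}
    outsourced_payment_page: bool    # a third party hosts the whole payment page
    level: int                       # merchant level tied to transaction volume


Prefill = Callable[[MerchantProfile], Optional[str]]


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    prefill: Optional[Prefill] = None             # derive the answer from profile data
    depends_on: Optional[Tuple[str, str]] = None  # (qid, answer) required for this to apply


# Constructed, hypothetical question set. Dependencies only point backwards,
# so a single forward pass in list order resolves them.
QUESTIONS: List[Question] = [
    Question("Q1", "Do you accept card payments online?",
             prefill=lambda p: "Yes" if "ecommerce" in p.channels else "No"),
    Question("Q2", "Is the online payment page fully hosted by a third party?",
             depends_on=("Q1", "Yes"),
             prefill=lambda p: "Yes" if p.outsourced_payment_page else "No"),
    Question("Q3", "Are your web servers patched against known vulnerabilities?",
             depends_on=("Q2", "No")),
    Question("Q4", "Do you accept card payments in person?",
             prefill=lambda p: "Yes" if "face-to-face" in p.channels else "No"),
    Question("Q5", "Are point-of-sale terminals inspected for tampering?",
             depends_on=("Q4", "Yes")),
]

Answer = Tuple[Optional[str], str]   # (answer, source)


def assemble_saq(profile: MerchantProfile, questions: List[Question],
                 merchant_answers: Dict[str, str]) -> Dict[str, Answer]:
    """Return {qid: (answer, source)} with source one of
    'prefilled', 'merchant', 'n/a' or 'open'."""
    result: Dict[str, Answer] = {}
    for q in questions:
        if q.depends_on is not None:
            dep_qid, needed = q.depends_on
            dep_answer = result.get(dep_qid, (None, "open"))[0]
            if dep_answer is None:
                # the gating question is still unanswered; cannot decide yet
                result[q.qid] = (None, "open")
                continue
            if dep_answer != needed:
                # an earlier answer makes this question irrelevant
                result[q.qid] = ("N/A", "n/a")
                continue
        if q.prefill is not None:
            pre = q.prefill(profile)
            if pre is not None:
                result[q.qid] = (pre, "prefilled")
                continue
        given = merchant_answers.get(q.qid)
        result[q.qid] = (given, "merchant") if given else (None, "open")
    return result


def open_questions(saq: Dict[str, Answer]) -> List[str]:
    """IDs the merchant still has to answer themselves."""
    return [qid for qid, (_, src) in saq.items() if src == "open"]


if __name__ == "__main__":
    # Constructed sample merchant: online only, payment page outsourced.
    demo = MerchantProfile("M-0001", "5812", frozenset({"ecommerce"}), True, 4)
    saq = assemble_saq(demo, QUESTIONS, {})
    for qid, (ans, src) in saq.items():
        print(f"{qid}: {ans!s:>4}  ({src})")
    print("still open:", open_questions(saq))
```

Every prefilled or skipped answer carries its source, so the portal can show the merchant why a box is already ticked rather than silently hiding it, which is the part an auditor will ask about. The merchant only ever sees the entries returned by `open_questions`.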
Also, consider the following to streamline the SAQ process:
This is ultimately all about investing in more intelligent portal systems to personalize the SAQ experience. If done successfully it will help to enhance compliance and reduce risk across your portfolio. PCI DSS has moved with the times. Now it’s the turn of the MSP community.
The legacy snapshot of a PCI DSS SAQ will not provide the kind of continuous insight MSPs need. Instead, automated, contextualized risk assessments at scale are required.