Large merchants are achieving compliance by working more closely with their acquiring banks, while the processes that smaller retailers have to go through have been streamlined and simplified.
"The new SAQ tool will go a long way to furthering adoption, especially amongst Level 3 and 4 merchants. It derives from industry feedback," said Bob Russo, general manager of the PCI Council.
While the standard SAQ ran to 11 pages and contained 207 questions, the PCI Council has simplified the process by introducing four different slimmed-down SAQs for different types of smaller merchant. For instance, companies taking card numbers over the internet or by phone will now have only 20 questions to answer.
"Some small merchants have no idea about security, so it helps them understand," said Russo. "207 questions was too much for someone who is running a bike store, for example. All the questions in the new SAQs are explained in depth to show what they mean and why merchants need to answer them. It will make it a lot easier for Level 3 and 4 merchants. This questionnaire along with a quarterly scan is not going to be prohibitive. We expect to see the benefits in the coming months as more people start using the new SAQs."
Russo was in London to attend the Retail Business show, where several speakers outlined their own experiences of dealing with PCI DSS.
For the John Lewis Partnership, a large retailer with 26 department stores, 187 supermarkets and a thriving online presence, the process has been as much about keeping customer confidence as meeting standards. "Brand reputation is very, very important to us. We see PCI as helping maintain our reputation," said Jeff Toogood, project manager in charge of JLP's PCI compliance programme.
He said the secret to compliance was "honest open communication with your acquirer. The acquirer can represent the merchants' interests to the card schemes, and they can offer useful advice and guidance." He now sends a monthly report to his acquirer outlining progress and any difficulties.
The JLP programme began in mid-2006, starting with a gap analysis and requirements-gathering process that has only just been completed. Toogood said early iterations of the standard had been unclear and open to interpretation, and the different deadlines demanded by Visa and MasterCard had only added to the confusion. "It didn't help with buy-in from the business. They couldn't see how it would add to the business," he said.
With the appointment of a QSA (Qualified System Assessor), he said he had more confidence in tackling the process of fulfilling all the requirements of PCI DSS.
A relaunch in 2006 emphasised it as a financial project, and won support from the various departments affected. Flybe runs mainly short-haul flights and handles around 2.6 million card transactions a year, making it a Level 2 merchant. Around 70% of bookings come online, while others come through a call centre and ticket desks.
Chris Cooper, Flybe's IT security manager, said they had decided not to use a QSA, but had adopted RSA's Envision product to monitor events on the network and to help with PCI DSS reporting. "We wanted to collect logs and get value from them in tracking traffic, but we didn't want to employ 20 people to monitor screens. Envision does that for us," he said.
Amid the general mood of optimism, one note of warning came from Richard Braganza, a QSA with Verizon Business. His advice was aimed mainly at smaller merchants who are likely to sign up for a managed transaction service to handle credit card data rather than take on the responsibility themselves.
He said that the new PA DSS standard, due to be introduced in mid-2008 to regulate the quality of packaged payment software and systems, could hold some surprises. Software suppliers will have to get their products accredited by platform and version number to be acceptable to the card companies. That means that any new version of the software will have to be accredited once more.
Braganza warned that suppliers were likely to want to pass on any expenses to their customers. "Merchants need to ask the right questions," he said. "Most of the contracts I've looked at so far would allow the supplier to charge extra for every new version."