There's a New PCI Tool for SMBs to Protect Data


The Payment Card Industry Security Standards Council (PCI SSC) recently announced the release of a helpful new tool for merchants to add to their data security and PCI compliance management arsenal called the Data Security Essentials Evaluation Tool. What does this tool do, and how does it help merchants improve their payment security?


Creating a safer payment environment

The tool is designed to foster better payment environment awareness and further engage merchants to have a deeper understanding of their own security solutions and how they compare with constantly growing threats. Security and PCI management consultants are even adding this to their own PCI consulting toolbox.

Before looking further at this new resource, it is important to note that the Data Security Essentials (DSE) Evaluation Tool won’t replace the formal Self-Assessment Questionnaire (SAQ), which merchants who meet certain criteria are required to fill out. However, the new tool will definitely make it easier for the merchant to conduct their initial compliance appraisal.

How does the DSE tool work?

The DSE tool works as follows:

  1. The tool starts with some background information to review, including a guide to safe payments and questions to ask vendors.
  2. Then, the merchant selects the type of payment system they currently use. The options are illustrated visually in case merchants need clarification about which type of payment system applies to them.
  3. Once the merchant type is identified, the merchant can click through diagrams that review the data security risks, threats and ways to protect credit card data.
  4. Finally, the merchant is prompted to download an evaluation form to use as a checklist to evaluate and simplify their current security practices.

Why is the tool beneficial?

The intention of the tool is all about reducing risk. Another important point to note is that merchants cannot formally submit this form to the PCI SSC - they still must go through their merchant bank and potentially fill out an SAQ or meet the requirements of the merchant bank. According to the tool’s guidance, a merchant must also “contact the appropriate source, such as the acquirer or payment brand, to see if they are eligible to use the DSE Evaluation Tool for validation, and to obtain completion and submission instructions.”

As the rate and impact of data breaches rises, this tool particularly helps to better facilitate a merchant’s understanding of the value of removing customer credit card information from the merchant environment.

While PCI management requires time and resources that business owners always feel they could use more of, tools like this one help merchants keep their PCI compliance in check and, more importantly, keep their business and customer data safe.

What additional resources are available?

The PCI SSC provides a variety of management guidance and resources, such as the Prioritized Approach to Pursue PCI DSS Compliance document and Security Essential Resources for Small Merchants section. With the addition of the new DSE Evaluation Tool, merchants are further empowered to take data security management into their own hands.

As noted by the PCI SSC, the key to accomplishing this is for the merchant’s payment gateway partner to provide the following:

  • PCI Council-validated P2PE solutions for card-present transactions
  • PCI-compliant solutions for outsourced eCommerce, and the ability for the merchant to implement a gateway integration with any internally hosted eCommerce system or application for card-not-present transactions
  • Tokenization of the card for future use, such as recurring billing, and transaction handling and management within the merchant environment and systems

If a merchant chooses to protect their customer data with PCI-validated P2PE solutions for card-present transactions and eCommerce, or card-not-present transactions with tokenization, they can remove the sensitive data from their environment. This will greatly reduce the risk of a data breach and reduce the merchant’s annual PCI compliance cost and rigor with simplified annual reporting.
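To make the tokenization point concrete, the following is an added example (not code from the PCI SSC, nor from any payment gateway). It uses a hypothetical in-memory `GatewayVault` to stand in for the gateway’s tokenization service and the well-known test number 4111 1111 1111 1111 as a constructed sample PAN. The merchant side keeps only the random token and the last four digits, so the record it stores never contains the card number, which is exactly what shrinks the merchant’s PCI scope.

```python
"""Tokenization demo: the PAN goes to the gateway, the merchant keeps a token.
Added example; the vault is a hypothetical stand-in for a real gateway and the
card number is a constructed test value, not a real account."""
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    digits = [int(d) for d in pan]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def digits_only(pan: str) -> str:
    """Strip spaces and dashes so 'xxxx xxxx xxxx xxxx' and 'xxxx-…' compare equal."""
    return re.sub(r"\D", "", pan)


class GatewayVault:
    """Hypothetical tokenization service living OUTSIDE the merchant environment.
    Only this component ever holds the PAN; here it is in memory so the example runs offline."""

    def __init__(self):
        self._vault = {}

    def tokenize(self, pan: str) -> str:
        pan = digits_only(pan)
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        # The token is random, so it carries no information about the PAN
        # and cannot be reversed without access to the vault.
        token = "tok_" + secrets.token_hex(16)
        self._vault[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        """Gateway-side use of the token (e.g. recurring billing); the PAN never leaves the vault."""
        return token in self._vault and amount_cents > 0


class MerchantStore:
    """Everything the merchant is allowed to retain: the token plus display data."""

    def __init__(self, vault: GatewayVault):
        self.vault = vault
        self.customers = {}

    def save_card(self, customer_id: str, pan: str) -> dict:
        token = self.vault.tokenize(pan)
        # last4 is permitted for display; the full PAN is never written here
        record = {"token": token, "last4": digits_only(pan)[-4:]}
        self.customers[customer_id] = record
        return record


def contains_pan(record: dict, pan: str) -> bool:
    """Scope check: does a merchant-side record contain the full card number anywhere?"""
    return digits_only(pan) in repr(record)


TEST_PAN = "4111 1111 1111 1111"   # constructed test PAN, not a real card


def demo():
    """Tokenize a card, bill against the token, and return (stored record, charge ok)."""
    vault = GatewayVault()
    store = MerchantStore(vault)
    record = store.save_card("cust-1", TEST_PAN)
    charged = vault.charge(record["token"], 19_99)
    return record, charged


if __name__ == "__main__":
    rec, ok = demo()
    print("merchant record:", rec)
    print("charge accepted:", ok)
    print("record contains PAN:", contains_pan(rec, TEST_PAN))
```

Note what the merchant-side record lacks: the full PAN is never stored, logged or transmitted by the merchant’s systems, so a breach of `MerchantStore` yields only a token that is useless without the gateway. That is the reduction in both risk and compliance rigor the paragraph describes.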

For business owners, understanding the processes for managing PCI compliance can be very complex. However, with the support of resources like the DSE Evaluation Tool and compliance consultants, business owners can develop a better understanding of the importance of data security, take greater responsibility for knowing their own payment environment and make educated decisions that will protect their business and customer data from cybercriminals.