What to Expect When Completing a PCI v4.0 SAQ Webinar

Watch this webinar for a look into the SecurityMetrics’ newly updated SAQ merchant portal.

Learn about updates to the SAQ merchant portal.

Jeff Compton (Product Manager) and Jameson Olsen (Product Marketing Manager) will discuss:

  • SAQ portal updates for PCI v4.0
  • Improvements to user experience for a better PCI compliance process

This webinar was given on January 26, 2024.

Transcript

Hello, everyone. Thank you for joining us today. My name is Jameson Olsen. I'm the product marketing manager here at SecurityMetrics.

As we're drawing closer to the requirement switch date for PCI DSS version 4.0, we wanted to take a chance to show you what we've done to update our product, make sure it's compatible and ready for 4.0, and also show some of the quality-of-life user experience updates that we've made to try to make your SAQ experience as smooth as possible.

We are recording this webinar, so you will get a copy of it sent out to you to review or share with other people on your team. If you have any questions, feel free to submit them, and we will reach out to you and get you the details you need to make sure you understand the process you're about to go through as you prepare for a PCI 4.0 SAQ. Today, I'm joined by Jeff Compton. He is our product manager who's been working on all the details of this 4.0 product.

We're excited to show you. Jeff, how are you feeling today? Good. Excited to show this to everybody.

Awesome.

What was the goal or the idea behind the approach that product took when looking at how to update our portal for 4.0?

Yeah. So one of the things that we know about our small merchants, our level 4 merchants, is that most of them are small to medium-sized businesses, and they're really focused on the day-to-day operations of their business.

PCI, caring about the security of their business, is just a small portion of everything that they do every day. And so we wanted to make the process as simple as possible for them to make the transition to 4.0. We found that the transition to 4.0 isn't necessarily a pleasant process for many merchants. They're gonna have to go and make a few changes to how they do things, how they operate. They're gonna have to go in and answer some new questions that they haven't seen before, and we just wanna make it as simple as possible for them to go through that process.

Yeah. And it sounds like, from what I know about our new and updated portal, we've achieved a lot of that. We've made some great strides at just trying to simplify the experience for the merchant.

And so Jeff's gonna be demonstrating a lot for us today. He's gonna be showing us what it actually looks like and what that experience is going to look like for you as you're doing your SAQ.

So, my first question, Jeff, is what does the experience look like now, from just logging in to starting your SAQ? Is there anything different about that? Like, is it gonna feel familiar, or is it a whole new beast?

Yeah. So it's gonna feel very familiar from what it was before. I'll show you right here. So you drop into the portal. It looks very similar to before. You'll have a to-do here that says "PCI 4.0 is now available. Click here to get started."

For our merchants whose acquirer allows them to wait until the deadline of March 31st, we give you the option to either stay on 3.2.1 or move on to 4.0, and you can select whichever option you decide to go with at that point.

And so then by April 1st, this page will change to only offer 4.0. Correct? Right.

So by then, we'll pull this page out, and you'll just transition right on into 4.0.

Okay. Perfect. If I've already done a 3.2.1 SAQ through SecurityMetrics, will this change to 4.0 mean I have to start from scratch and, like, answer every question again?

So what we've done is we've gone through all the questions and we've mapped questions so that, if you were able to answer affirmatively in previous years and nothing has changed in your network, then you can answer affirmatively to the questions that map over. Right here in the demo, I click "Switch to PCI 4.0," and I have this option right here just to say that nothing has changed with how I process cardholder data, but I need to review the new requirements with 4.0. Gotcha.

So in previous years, if you'd selected that, it would have just taken you to the end of the SAQ because the answers would have all been the same. But now it will just show you the new questions that are specific to 4.0.

Right. Exactly. And that leads into the next point. So we added a feature to hide compliant answers, because we're mapping over a whole bunch of questions from what you answered last year. And if you wanna hide those and just focus on the questions that need to be answered this year, you can use that feature.

So they won't even show up if I've answered them. Right?

Right. Yeah. If you wanna toggle it on, you can go see them. If you need to go change those answers, you can. That's awesome. Right now, you don't have to view those.

Sounds really great. Sounds like that filter will really reduce the amount of additional work for someone doing 4.0 if they worked with us in the past. But what I do wanna know is, one of the more disruptive things in 4.0 is SAQ A merchants needing to start to do scans.

If they've never done a scan before, how do we help them know what to do and how to figure that out? You know? Like, that could be pretty intimidating. What do you have for that?

Yeah. It definitely could be really intimidating. And a lot of the feedback that we've been getting from our merchants and our acquirers is that their concern is about the SAQ A merchants needing to scan. So we did our best to make that transition over to scanning as seamless as possible. You can see here in the demo, when you switch over to PCI 4.0, this is an SAQ A merchant that I have set up right here.

And you click there, "Click to start my SAQ," and immediately it pulls up this modal here, which asks for your IP address so you can start scanning. So we're just trying to walk each of our merchants through that process and help them understand how to get their scan set up, so that there are no questions and they can go through the process easily.

Great.

And then as far as changes specific to 4.0, before we get into more of the user experience updates, the other one we just wanna mention is all the policies and procedures documents, right? Like, we have updated those to reflect the changes required with 4.0.

Yeah. Exactly. So we offer policies and procedures to our merchants.

That's one of the requirements in the SAQ.

And that needs to be updated to reflect the current standard. So we've updated that to reflect PCI 4.0.

Additionally, here in the portal, we've actually reordered a few things in the report section of the SAQ.

We've ordered the SAQ and the AOC right there at the top of the report section just because that's the report that most people are looking for most frequently.

And so it's there, easy for them to find.

Also, we pulled the PDFs of the SAQ right from the PCI Council's website, and we just auto-populate that with the information that merchants provide us in the portal.

Now we'll transition to the part I'm actually more excited to talk about. I mean, this is great. We obviously needed to make sure our product is capable of meeting the new standard. But I mean, talk to me about how we didn't stop at just making sure it was ready for 4.0. Right? Like, we took this as a chance to kinda reflect on how we can just improve the portal overall. So talk to me a little bit about that.

Yeah. Great question. Let's go into the portal real quick and look at a few things. I already showed you one where you can hide the compliant answers and focus on what needs to be done in the moment. We also have this one-page view where, if I click this, it shows all of the questions, sections 1 through 12, all on one page, in case you wanna have that high-level view of the product. The other thing is we improved the navigation.

We now allow navigation between sections over on this side of the page, and you can see the section names. So it's easy to know if you're in the policy section or in secure systems or whichever section you're in at the time. Another feature is that we have updated our section intros. So we added some imagery that helps our merchants understand, at a high level, what that section is going over, and we have a little description to help you understand that section a little bit better. The purpose of that is we just want to give you a little snippet of what that section is gonna talk about, so you have the context to be able to go in, dive in, and answer and learn about the questions as you go throughout your SAQ.

So, like, hopefully, if I read that brief section intro, I will then understand, like, why I'm being asked the questions that I'm being asked in this section. Right.

Yeah. And by no means are you gonna be an expert after reading that, but we hope to give you at least some context so that you're not lost (Yeah.) as you go throughout the questions.

Okay. Talk to me about the applicability notes that we've added.

Yeah. So the PCI Council has added applicability notes to the SAQs. And so we decided to add those in the SAQ for reference for the merchants. And you can just see here, I have question 8.3.7. And we just have this drop-down here where you can click on that and see whatever applicability notes were in the SAQ from the PCI Council.

So that's contextual info direct from the PCI Council about that question.

Yep. Okay. Cool.

Another feature I wanna talk about is the changes we made to the Accept Cards page. Just talk about that for a little bit.

Yeah. Let me pull up the previous Accept Cards page. This is what it previously looked like in 3.2.1, and we had this page. It's "How do you accept cards?" And the merchant is supposed to put in information here about, for example, payment gateway, web host, shopping cart, all this information about how they process credit cards. And this is used in the AOC.

A lot of merchants get to this page and they're not even sure what a payment gateway is. They don't know how to find that information about how they process their credit cards, and they often get stuck. We find that we get a lot of support calls for this page.

So what we found is we actually only need this for the AOC, and a lot of acquirers don't require an AOC.

By reporting through us, we'd report to their bank that they are PCI compliant. And so we just pulled this page out of the SAQ flow completely. So as a merchant completes their SAQ, they don't need to fill out this page. Only if they need to fill out their AOC and submit that for some reason will they need to go through this page. Okay.

So a lot of merchants just won't even have to deal with that anymore. Yep. Sounds great.

The last feature I wanna talk about is just the updates to the AOC and the reporting section of the SAQ process.

Yeah. So in the reporting section here, I talked a little bit earlier about how we reordered the different reports to have the SAQ and AOC at the top, since that's the one that most people are looking for most frequently. The other thing is that, to simplify things and just make sure that everything is correct, we pull the SAQ and AOC straight from the PCI Council's website.

And then we fill in information that a merchant has provided us through the portal, and we auto-populate that information for them. So we make sure that that document is accurate and up to date and ready to go. Awesome.

It sounds like we've made a lot of changes. It'd obviously be going too far to say we've made PCI compliance easy, but it sounds like we're doing everything we can to try to simplify it and make sure people don't feel stuck or lost as they go through that process. But that doesn't mean that we've slacked off with our support.

Our support team is already trained on 4.0, best in the industry, really fast pickup times on phone calls. You can use chat if you prefer.

Even though we've done everything we can with our actual software to make sure your portal is intuitive and easy to navigate, anytime you have a question, our support team is there to help you.

We don't want you getting stuck and feeling lost, so don't hesitate to reach out and let us help you get on your way. Well, Jeff, that all sounds great. We don't need to drag this out any longer. We have shown what we needed to show, and, hopefully, it's helped anyone who's watching feel a little bit more secure and confident about needing to go into 4.0, whether it's next month or two or not till the end of this year. But, thank you for joining me. You were able to demonstrate this way better than I could have.

And, just a reminder, this is being recorded, and you'll get a copy sent out to you later.

If you've submitted any questions, we will make sure to reach out to you and get you the answers you need.

And as well as that, we have a lot of resources that can help educate you and get you prepped for 4.0 and your transition into that. We've attached some here in the webinar itself, and you can find plenty more on our website at securitymetrics.com. So thank you for joining us today, and until next time.
