A number of MSPs offer Payment Card Industry compliance services, but the going hasn’t been easy. Last year, reports depicted retailers struggling to meet the PCI Data Security Standard and, in some cases, lacking even basic knowledge of the standard. A Verizon study noted that close to 80 percent of the companies it surveyed fell short of meeting the standard. The report pointed to several PCI problems, noting that retailers have difficulty finding the time and the resources to perform the required vulnerability scans. A ControlScan and Merchant Warehouse survey, meanwhile, found that nearly half of the small merchants it polled were either “unsure” of the PCI benchmark or completely unfamiliar with the standard.

MSPs can help build PCI awareness among their customers, but there’s still the issue of regularly testing systems and processes, which is part of an ongoing compliance program.

The service providers active in the PCI field typically offer vulnerability scanning services. But Tenzing Managed IT Services this month launched a service that aims to shrink a retailer’s overall compliance burden, not just the scanning component.

Here’s how it works: The service, dubbed PCI Assure, transfers a retailer’s customer credit card information to a Tenzing data vault for storage. PCI Assure uses IFRAME technology to capture the credit card and card verification value (CVV) fields on a retailer’s checkout page; the other fields stay on the retailer’s website. When the credit card data is stored, a token is created to represent the credit card and sent to the merchant. The merchant uses the token to reference the credit card Tenzing has stored.

“When [end customers] enter their information, the information doesn’t touch the merchant’s environment,” said Andy Ramsey, product manager at Tenzing. “The information goes directly into the PCI Assure data vault.”
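The merchant-side half of the flow described above, as an added example that is not Tenzing's code: it assumes the iframe hands the token to the checkout page via `window.postMessage` (the article does not say how the token is delivered), and the origin `https://vault.example`, the message shape and the function names are hypothetical. The handler accepts a token only from the vault origin and refuses anything that looks like card data, so nothing sensitive lands in the merchant's environment.

```javascript
// Assumption: origin that serves the card/CVV iframe (hypothetical placeholder).
const VAULT_ORIGIN = "https://vault.example";

// Luhn checksum, used to spot a card number that leaked into a token field.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) {          // double every second digit from the right
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// True when the value has the shape of a primary account number (PAN).
function looksLikePan(value) {
  const digits = String(value).replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Validate one "message" event from the iframe.
// Returns the token string, or null if the message must be ignored.
function acceptTokenMessage(event) {
  // Only the vault's iframe may speak to the checkout page.
  if (event.origin !== VAULT_ORIGIN) return null;
  const data = event.data;
  // Hypothetical message shape: { type: "card-token", token: "<opaque string>" }
  if (!data || data.type !== "card-token" || typeof data.token !== "string") return null;
  // Refuse raw card data: handling it would put the page back in PCI scope.
  if ("pan" in data || "cvv" in data) return null;
  if (looksLikePan(data.token)) return null;
  return data.token;
}

// Browser wiring (not executed under Node):
// window.addEventListener("message", (e) => {
//   const token = acceptTokenMessage(e);
//   if (token) document.forms.checkout.elements.token.value = token;
// });
```

The merchant's order form then submits only the token field to its own server, alongside the non-card fields that never left its site.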

Since the retailer doesn’t end up handling credit card data, its compliance duties become a lot less onerous. Ramsey said retailers need only complete a SAQ Type A form. That particular form is designed for merchants who rely wholly on third-party providers and don’t transmit or store card data.

Tenzing is focusing its PCI service primarily on mid-market e-commerce companies, according to Ramsey. He said the company has been working closely with e-commerce platform ISVs, such as Oracle’s ATG, to develop hosting solutions for their mid-market customers.

Selling Points

Tenzing’s service takes on much of the retailer’s PCI compliance burden. And while that may drive customers the MSP’s way, Ramsey pointed out that retailers have a number of options for offloading credit card data. He said among the more popular methods is to use a hosted payment page. In this approach, customers placing orders on a merchant’s website are redirected to a page hosted by a third party when they enter credit card information.

The hosted payment page deals with the data issue, but leaves the merchant with limited customization. Ramsey said merchants can customize the header and footer on that page, “but it doesn’t have the same feel as the website.”

In addition, the hosted payment page adds another step in the end customer’s purchasing process, he said.

So the key source of customer value, according to Ramsey, becomes flexibility.

“They maintain complete control over the checkout process,” he said. “This gives them the flexibility to customize the checkout page as they see fit.”

Tenzing’s case demonstrates how service offerings can evolve over time. In 2010, Tenzing integrated Alert Logic’s intrusion detection services and tapped the company’s scanning capability to offer PCI vulnerability assessments. Today, Tenzing primarily uses Alert Logic as an intrusion detection service, Ramsey noted.

But that sort of change is not necessarily news to the MSP segment, which has grown accustomed to developing new services and reinventing business models.