Digital Transactions Authoritative, insightful and timely information for payments professionals
Despite widespread efforts to educate small merchants about the Payment Card Industry data-security standards (PCI DSS), a large majority still don't understand fully the complex requirements, according to a study released today by the National Retail Federation, ControlScan and the PCI Knowledge Base. The survey of 220 so-called Level 4 merchants found that 86% feel “somewhat” or “very familiar” with the PCI DSS, and that 88% felt that data security is a “high” or “medium” priority. But of the merchants surveyed, 29% said they had not validated PCI compliance and 9% said they were unsure whether they were compliant. Of those that hadn't completed compliance, 44% said they were working on it, 26% said they didn't have the financial or technical resources, 19% said they didn't understand the PCI DSS, and 5% said it's too hard. The survey also found that small merchants that have never been breached may have an unrealistic expectation of their security. Seventy-two percent of the merchants said they believed the risk their company faces from a data compromise is “low” or “not possible.” In contrast, of merchants that have been breached, 67% considered the risk from a data compromise to be “high” or “medium.” “Small merchants often do not understand the severe consequences of a data breach and are understandably overwhelmed with the intricacies of becoming compliant in the first place,” NRF chief information officer David Hogan said in a statement. “Until industry service providers and the PCI Security Standards Council make compliance easier to understand and less complex to implement, many small merchants will likely continue to be frustrated and bewildered, causing some of them to abandoned the idea of compliance altogether.” The PCI Security Standards Council, which oversees administration of the PCI DSS, released this statement from Troy Leach, technical director at the council: “The survey findings…illustrate that there is a need for a tailored approach to meeting the education requirements of small merchants. To address this, the [council] is consulting with the acquirer community with [small-business] portfolios, ISOs, and small merchants themselves to create resources that help these entities secure their own cardholder data environment.” Other findings of the survey include: –80% of merchants said that PCI compliance makes them “much more” or a “little more” secure, while 20% said compliance doesn't improve their security. –70% of merchants said PCI compliance is mandatory and 15% said it was optional, while 15% said “neither” or were unsure (it is mandatory). –78% of merchants said PCI standards should apply to their business, while 22% said it shouldn't apply. Of 182 merchants that responded to a question on how much they spend on PCI compliance, 31% spent between $1 to $500; 29%, between $501 and $5,000; 10%, between $5,001 and $20,000; 8%, and more than $20,000. Ten percent said they spent nothing and 12% said they were unsure. While many small merchants may be confused about PCI DSS, the survey revealed they at least are more aware of the standard, said David Taylor, founder of the PCI Knowledge Base, an independent research community focused on payment security. “A year ago, there was little to no awareness of PCI compliance among small merchants,” he said in a statement. “Now, the picture has changed, probably because many organizations, such as acquirers and independent sales organizations, are now making validation of compliance mandatory and in some cases imposing monthly fines for merchants that fail to prove they are PCI compliant.” Merchants participating in the survey, conducted online in July, were randomly selected from the databases of ControlScan, a provider of PCI compliance and security solutions; NRF; and the PCI Knowledge Base. The survey included e-commerce, retail store and mail order/telephone order merchants. Of the merchants, 48% process fewer than 100,000 credit or debit card transactions annually and for 89%, the average sale was between $10 and $100. By card-network definition, Level 4 merchants are those that process fewer than 1 million card transactions annually overall or fewer than 20,000 e-commerce transactions.
