Survey Outlines Compliance Challenge Among Small Merchants

With a freshly revised version of industry rules for payment card data security having just emerged (Digital Transactions News, Oct. 28), further evidence is also surfacing of the compliance challenge acquirers face with the smallest merchants. Indeed, the smaller the business, the less sensitive it is to the possibility of a data breach, and the less likely it is to understand or comply with the Payment Card Industry data-security standard (PCI), according to survey results released on Tuesday by ControlScan Inc., a vendor of compliance solutions, and Merchant Warehouse, an independent sales organization.

This is despite the fact that, news headlines about breaches at big retailers like TJX Cos. Inc. notwithstanding, the overwhelming share of card-data compromises occur at so-called Level 4 merchants, defined by Visa Inc. as those processing fewer than 1 million card transactions a year. In fact, such small businesses account for some 85% of breaches, according to a 2-year-old report from Visa, which tracks PCI compliance and, along with MasterCard Inc. and other card networks, enforces the standard.

Yet Atlanta-based ControlScan and Boston-based Merchant Warehouse found an almost alarming level of nonchalance about data security among small merchants in their survey, which garnered responses from 628 Level 4 businesses. Nearly three-quarters classified their risk of compromise as “low,” while a further 11% said it was “non-existent.” More than half (53%) are not familiar with PCI, or are unsure whether they are. And just half understand that PCI compliance is mandatory. On the positive side, 84% rate data security as a “high” or “medium” priority (e-commerce merchants rate security at a significantly higher priority than do brick-and-mortar merchants). Among respondents, so-called micro-merchants, or businesses with 10 or fewer employees, accounted for 90% of replies.

The survey results are “definitely a little concerning but not shocking,” says Markiyan Malko, compliance officer and program manager at Merchant Warehouse. “Most of them are worried about running their business rather than security. They don’t seem to be that worried about it.” He points out, though, that as Level 1, 2, and 3 merchants become harder to breach, hackers are increasingly targeting the smallest and most vulnerable merchants. And while these businesses in isolation may not perform huge volumes of transactions, collectively they account for a treasure trove of card data. “Hackers have tools, it’s automated and doesn’t take that much time,” Malko says. “It adds up pretty quickly.”

The risk these merchants face can be dire, with the costs of a breach including not just network fines but reimbursement to issuers to reissue cards, litigation expenses, and fees for forensic audits. “I definitely have heard of many merchants getting shut down,” says Malko. “I hear of it every few weeks.”

Both Merchant Warehouse and ControlScan see an opportunity for acquirers and ISOs to educate small merchants about PCI and the risk of data breaches. But they caution that the approach must be a careful one. Acquirers must be mindful of differences among businesses and of their need for concrete help. “The worst thing an ISO can do is charge a PCI fee and not do anything beyond that,” says Heather Foster, vice president of marketing at ControlScan.

Level 4 merchants number more than 5 million and account for more than 99% of all Visa merchants, while generating about one-third of all Visa card volume. But the exact level of PCI compliance among Level 4 businesses is not known, since Visa has left it up to acquirers to monitor compliance efforts among these clients. “Most of what I’ve heard is anecdotal,” says Foster.

All told, the two companies sent surveys to just over 10,000 small businesses. Among the respondents, 30% were physical stores, 22% were online merchants, and the remainder were either multichannel merchants or non-storefront businesses, such as limo services or medical-supply companies.