Coming on the heels of the release last week by the PCI Security Standards Council of a revised Payment Card Industry data-security standard (PCI) is a report Tuesday that shows how much progress small merchants are making in locking down card data—and how painfully slow much of that progress has been.
Independent sales organizations and other acquirers can speed things up by helping distracted business owners with compliance, the report adds.
Some 70% of so-called Level 4 merchants have completed an annual validation of their compliance with PCI, up dramatically from 50% a year ago, according to the report, which was published jointly by security-technology vendor ControlScan Inc., Atlanta, and Boston-based merchant processor Merchant Warehouse Inc. Sixty-nine percent say they are now somewhat or very familiar with PCI, a big jump from 54% in last year’s survey.
Despite this progress, however, many small merchants remain unconvinced they are vulnerable to breaches, pay far too little attention to security, and regard PCI simply as a cost item, according to the report. “They look at it purely as a cost, as another line item,” says Jenn Reichenbacher, senior director of corporate marketing at Merchant Warehouse.
Level 4 merchants are those that process 1 million or fewer face-to-face card transactions or fewer than 20,000 online card transactions each year. Both companies dipped into their small-merchant lists to come up with a random selection of Level 4 prospects for this fifth annual survey, which was fielded in September and to which some 615 responded.
Small-merchant vulnerability to card-data breaches is a rising concern because hackers target these businesses on the theory that they are less likely to have protected their data. Some 95% of all credit card data breaches, in fact, involve customers of small businesses, according to Visa Inc. data cited by Merchant Warehouse.
Yet 71% of small merchants see themselves as at little to no risk of a compromise, according to the latest survey. That’s down from 79% last year and 82% in 2011, but still much too high, say Reichenbacher and Heather Foster, vice president of marketing at ControlScan. “They just don’t think they’re big enough to be targeted,” says Foster. Given the reality that criminals target small merchants, the percentages should be “inverted,” says Reichenbacher, with 71% seeing themselves at risk.
The risk is especially acute for those businesses that go unprotected and sustain a data breach. Just 5% of respondents said they had suffered a breach, but of these victims, half said the impact had been either “medium” or “high,” with “high” meaning the compromise had nearly forced them to close. The consequences were most dire for businesses with 11 to 50 employees.
Yet most small merchants spend little time or money on PCI compliance. Fifty-six percent of respondents said they had spent $500 or less on compliance in the previous 12 months, with 17% reporting they had spent nothing. Almost half—48%—report spending eight hours or less on PCI in that time. The most common compliance tactic is “completing paperwork,” rather than buying new technology, doing system scanning, or upgrading terminals or Web carts.
Even that seemingly sterling 70% validation rate plunges to 40% when all 615 responses are counted, not just the ones that answered the question, according to the report.
Both Reichenbacher and Foster say ISOs and processors can do much to help businesses understand their risk and manage PCI compliance. Taking steps to comply with the 8-year-old standard is hard for merchants that don’t have personnel to spare, both executives say. But third parties can only do so much. Vigilance, they say, must come from the merchant. “We can give them the toolkit, but the challenge is if you’re not walking the walk and talking the talk, you’re not doing [PCI compliance],” says Reichenbacher. “We can’t be there as they’re running their businesses. There’s a point where we can’t do it for them.”
Still, the new PCI 3.0 released last week may help push small merchants to take compliance more seriously, Foster argues. For example, the update requires periodic checks of point-of-sale terminals to make sure they haven’t been tampered with. Steps like that could cut down on the “check-box” mentality that leads small merchants to brush off compliance with a once-a-year check-off of requirements. “The [PCI] Council is really trying to address that,” says Foster.
Of the survey respondents, 43% were physical merchants, 20% were e-commerce sellers, and 37% fell into the mail-order/telephone-order or “other” category. Some 82% had been in business for more than five years.