Small merchants are not much more aware of, let alone compliant with, the Payment Card Industry Data Security Standard (PCI DSS, usually shortened to PCI) than they were a year ago, according to a study released this week. Some 53% of small merchants are now at least aware of PCI, a small increase from the 47% a similar survey found in 2010. “Awareness of the PCI DSS is shockingly low” among these merchants, concludes the report, which was co-sponsored by Alpharetta, Ga.-based security-solutions vendor ControlScan Inc. and MerchantWarehouse, a Boston-based independent sales organization (ISO).
PCI compliance among so-called Level 4 merchants (those that process, per year, 1 million or fewer brick-and-mortar Visa transactions or fewer than 20,000 Visa e-commerce transactions) has been a concern for some time. In part this is because these merchants are considered more vulnerable to compromise. And in part it’s because Visa Inc., which tracks compliance with the security standard, doesn’t measure compliance among Level 4 merchants as precisely as it does among larger merchants, so the actual rate at which these merchants are meeting the standard’s requirements is unknown. The lack of progress among small merchants since ControlScan and MerchantWarehouse issued their last study a year ago magnifies that concern. “It’s a wakeup call,” says Heather Foster, vice president of marketing at ControlScan. “There’s still a lot of work to be done.”
Compounding matters is that small merchants remain nonchalant about their chances of sustaining a data breach. Some 83% of surveyed Level 4 merchants rate their risk of a breach as either low or nonexistent. This perception is “misguided,” the report’s sponsors say, citing small merchants’ greater vulnerability compared to larger businesses.
The reason for this false sense of security is that “many think they’re too small for anybody to care about,” Foster tells Digital Transactions News. Yet breaches among small merchants are on the rise because fraudsters find them easier to compromise than larger businesses, which have more resources to guard data. Small businesses “are worried about making that pizza dough or paying that light bill” rather than installing security technology, says Markiyan Malko, PCI security compliance officer and program manager at MerchantWarehouse.
Foster and Malko add that anywhere from 70% to 80% of small merchants are still using dial-up point-of-sale terminals. Because these devices are not connected to the Internet, they may give proprietors a sense of security compared with more advanced, Internet-linked devices. But keeping a terminal off the network does not take the people who handle cards out of the picture, and these merchants remain vulnerable to compromise, the two point out. For example, using dial-up terminals “doesn’t mean someone you’ve hired isn’t selling credit card data,” says Malko. Indeed, the report found 18% of respondents named “insiders,” or employees, as a greater security threat than hackers (“outsiders”). The larger the business, the bigger the insider threat becomes, as proprietors find they must share more responsibility with persons who aren’t family members or other trusted associates.
There are some positive results in this year’s survey. Some 60% of merchants aware of PCI say the standard is mandatory, up from half in last year’s study. E-commerce merchants (68%) and the largest of the small merchants (82% of those with 51 or more employees) were most likely to regard PCI as mandatory. Also, 57% of merchants aware of PCI say they have validated compliance, up from 47% last year. Among those that have not gone through validation, “don’t understand” is the most frequently cited reason (61%). “This is an unabashed cry for help to the industry,” notes the report.
Malko and Foster say ISOs and merchant processors can help small merchants most by playing an educational and advisory role. Most important, they say, is to address PCI upfront, in the first conversation with a merchant prospect. This not only informs merchants, it avoids unpleasant consequences later on, they say. “It adds friction to the sales cycle,” Malko concedes, but “a merchant seeing [an unexpected] PCI fee on his statement four months later creates a negative customer experience.”
Nor should ISOs leave this “extra step” to third parties, who might call later to discuss PCI and the fee, Malko cautions. Most merchants won’t recognize the caller and so won’t take the call or understand what the caller is talking about, he says.
For this year’s report, entitled, “A Perfect Storm of Complacency,” researchers canvassed Level 4 merchants in August and received responses from 621. Forty-two percent were brick-and-mortar merchants, 15% were e-commerce sellers, and the remainder were multichannel businesses.