Many small merchants have never heard of the Payment Card Industry Data Security Standard, let alone taken steps to comply with its rules. That’s a big problem that acquirers are in the best position to fix.
By Lauri Giesen
The formation of the PCI Security Standards Council and the related security standards it has established has certainly gone a long way toward getting large retailers to think about and implement more secure systems for protecting customers’ credit card information.
But the same may not be true of smaller retailers.
A recent study found that only a little over half of retailers in the Level 4 merchant category, those that annually process 1 million or fewer Visa transactions in brick-and-mortar stores or fewer than 20,000 Visa e-commerce transactions, were even aware of PCI.
Additionally, about 83% of merchants in that category were confident that violations could never happen to them. That study, in which some 621 Level 4 merchants participated, was co-sponsored by Alpharetta, Ga.-based ControlScan Inc., a security-software provider, and Merchant Warehouse, a Boston-based independent sales organization. ControlScan later surveyed more than 100 acquirers about small-merchant compliance in a study cosponsored by the Merchant Acquirers’ Committee (MAC).
The reasons for the complacency and lack of awareness about PCI vary. Unlike large retail chains, which often have IT experts who are trained in payment-security issues, most small retailers do not have the internal staff to study security issues and implement solutions.
They are also often not properly educated about security issues and are not offered appropriate solutions by the merchant acquirers and ISOs that provide them with payment services. In addition, while Visa has fined some large retail chains that are not PCI-compliant, such stern measures generally have not been extended to smaller retailers thus far.
“Visa has concentrated on getting levels 1, 2, and 3 compliant and is fining retailers that are not in compliance. But your stereotypical Mom-and-Pop retailer thought it couldn’t be fined, and as a result, a lot of the smaller retailers are unprepared. There has not been a monetary push in terms of their liability,” says Matthew Hoffman, chief executive of Panoptic Security Inc., a Salt Lake City-based PCI-compliance software firm.
‘Too Many Retailers’
But this complacency and lack of knowledge about PCI compliance are serious concerns. While many small retailers may feel they are not vulnerable to security breaches, the reverse is true. Between 80% and 90% of credit card security violations happen at Level 4 establishments, according to Markiyan Malko, project manager for Merchant Warehouse. Because fewer card numbers are captured during security breaches at smaller retailers than at large chains, these violations typically do not get as much media and industry attention.
But security violations at small establishments can be quite painful. “Because there are not millions of credit card numbers involved, it is not going to make CNN,” says Malko. “But often a breach is harder for smaller retailers in terms of the cost than the larger chains because many of them can’t afford to absorb a hit.” Additionally, he believes that as more Level 1 and 2 retailers implement PCI, more fraudsters are likely to target Level 3 and 4 retailers in the future.
Still, the high percentage should not be construed to mean that Level 4 merchants have been more careless with their data. David Wallace, general manager for data-security standards for Chase Paymentech, notes that while approximately 90% of security breaches occur in small retailers, small establishments account for more than 90% of all retailers, so the percentage of breaches at small retailers is “proportionate” to their share of the industry.
Regardless, most security experts believe that more needs to be done to educate and motivate Level 4 retailers. And much of the responsibility for educating small retailers about security issues falls on the acquirers and ISOs that sign them up for card-processing services.
“It is going to be the ISOs that need to educate and work with small retailers,” says Avivah Litan, vice president and analyst with Stamford, Conn.-based Gartner Inc. “There are too many retailers and the banks just don’t have the wherewithal to work with them all.”
And some acquirers understand the importance of that job. “We want our merchants to be aware of the risks and be compliant with PCI. If they fail, we fail,” says Wallace.
ISOs and acquirers could be held liable if one of their retailer customers has a serious security violation. “It is the ISOs who are tasked with this. If there is a data breach, the ISO often holds the liability if there are fines or other costs. In many cases, the retailer will simply go out of business if the costs are high and the ISO is left to freeze the merchant account and take what it can to cover the costs,” says Hoffman.
But the success of such organizations in working with retailers on PCI compliance varies, industry experts say. “Retailers rely heavily on their acquirers or ISOs to inform them about PCI, and the efforts by ISOs to do this are not consistent. Some ISOs have taken a very aggressive stance while others have taken a segmented approach. Some do not do much to educate retailers at all,” says Heather Foster, vice president of marketing for ControlScan.
Hoffman agrees. “Some ISOs don’t really care while others are really worried about PCI and are working diligently to get their retail customers into compliance,” he says.
‘A Big, Complex Problem’
Compounding the problem of inconsistent PCI education for retailers, Foster adds, is that not all ISO staff members are highly aware of PCI issues themselves. “ISOs and acquirers need to educate their own employees, especially the support staff and salespeople. So, when they are signing up a new customer or providing support, they can educate retailers at the same time,” she says.
Indeed, PCI needs to be raised when ISOs are first signing up a retailer to take credit cards. “It all begins at the onboarding,” says Wallace. “We broach the topic of PCI at onboarding with retailers and send them to our Web site where they can get even more information.”
For those ISOs that lack the expertise to educate retailers and assess their risk potential, there are partnerships that can help, Malko says. “Most ISOs are not equipped themselves to provide PCI compliance, so they need to find a third party that can give them an entire package they can present to their retailer customers,” he says. Such partnerships may include software companies or other technology firms that have expertise in PCI.
Education is important, Foster explains, because her company’s study also found that retailers that were aware of the need for PCI compliance were more likely to take the necessary action. “The big hurdle is to get them to understand the risk,” she says.
As part of its education program, Chase Paymentech sponsors seminars and speaks at trade-industry associations where small retailers gather. It also has been speaking at seminars for government regulators and security professional groups. It publishes monthly PCI updates in newsletters that go out to all its merchants, and the fact that it has received a significant number of questions and feedback from retailers is proof they are reading them, Wallace says. It also produces update bulletins whenever new security risks are discovered or new software enhancements become available.
Still, sometimes education alone is not enough, says Malko. “At some point, you will have retailers who simply do not care no matter how much you try to educate them about the risk. Then technology becomes important in minimizing their vulnerability to attack. You have to take the issue out of their hands and give them security systems that automatically protect their business,” he says.
Merchant Warehouse works with ControlScan to develop products that simplify and assist retailers in getting into compliance, Malko says.
Indeed, there are a number of new products in the market today that can simplify the process for retailers. Panoptic, for example, has developed software for evaluating a retailer’s system that Hoffman compares to what TurboTax has done to make income-tax filing simpler for households.
“This has been a big, complex problem and we’re trying to make it simpler for retailers to comply. Our studies showed that of retailers that previously logged in to evaluate the security of their systems, there was a 50% dropout rate because the process was too difficult. We’ve made the software easier to use and smarter. We walk the retailer through the process and ask a series of questions that are only relevant to that retailer’s operation,” Hoffman says.
‘Making Money’
In putting together a PCI plan for small retailers, Wallace suggests acquirers take as much of the responsibility for action as possible out of the hands of the retailers themselves. Few have the internal expertise to know what to do. “The best thing you can do is take the data out of their environment so it is out of their minds and in the hands of people who are experts in security,” Wallace says.
Other recommendations include making sure retailers choose strong passwords, run antivirus software, put a firewall between their payment systems and the Internet, apply security patches promptly, and use tokenization and point-to-point encryption (P2PE) to offload cardholder-data storage and retrieval to their acquirer.
In deciding which retailers to hit with PCI first, Chase Paymentech’s Wallace suggests ISOs prioritize risk and look first at small retail establishments that are running card transactions through PCs and smart phones. “The risk is much lower for retailers that are using dial-up POS terminals. But a lot of merchants in the restaurant and hospitality business, for example, use PCs to capture and store card transactions and some of the mobile businesses, such as plumbers or appraisers, use smart phones now to capture card data.”
Whereas dial-up terminals typically send off all the data at the end of the day and are difficult for outsiders to access, short of stealing the terminal itself, PCs often store payment data for weeks or months. And because they are often Internet-connected and available remotely, it is possible to access data from outside the business, dramatically increasing the number of potential criminals who can access the data while at the same time decreasing the criminal’s risk of being caught.
Many retailers mistakenly believe that PCI compliance is too costly for a small establishment. “There are programs for under $100 per year that can get a retailer into compliance. And that is one of the best investments they can make. It will pay for itself a million times over compared to the cost of a major violation,” Malko says.
And while training their own staff as well as educating retailers can be a difficult task for ISOs, it can be worth their while. “ISOs can make money off of PCI compliance,” says Litan. “They are not doing this out of the goodness of their hearts.”
Indeed, some ISOs have tacked on PCI-related fees so that they are “making money on compliance issues,” says Hoffman.
In addition to added fee revenue, ISOs can use their knowledge of PCI to set themselves apart—an important factor considering the need for ISOs to find something beyond low price on which to sell their services. “ISOs can use PCI compliance to promote loyalty and add value. It can be used to distinguish their services,” says Litan.
‘Not Just Compliance’
In working with retailers on PCI compliance, however, ISOs should remember that not all retailer needs are the same. Indeed, it may be a mistake to classify all Level 4 retailers as “small.” Litan notes that the classification level is based on the number of credit card transactions a retailer accepts, not the total revenue or number of employees.
As a result, many sizable companies may be classified as Level 4 if they do not accept a lot of credit card transactions—such as utilities, rental companies, etc. These companies may have more resources available for PCI-related work than Mom-and-Pop retailers.
Additionally, Malko points out that many franchisees of large chains, such as fast-food restaurants, are independent and would be classified as Level 4 based on just the transactions from their one store. Such franchisees, however, may have corporate resources to rely on for learning about PCI that would not be available to a small independent retailer.
In the end, many retailers may not want to spend a lot of time discussing PCI compliance. That’s why it often needs to be presented to them as a good business practice—not just compliance. Most card-security programs can be used to protect all the data a retailer retains on its customers, not just credit card numbers. And that can have a lot of appeal to retailers.
“Many retailers are worried about protecting the Social Security numbers of their customers or other data. Protecting customer e-mail addresses has become a big issue recently. Implementing a secure system is all about protecting their business systems and employing the best practices,” Malko says.