For years, the payments industry has hoped to see improvement in card-data security among small merchants in the U.S. But, according to a survey released last week, it’s not happening. Indeed, in some important measures, there has been backsliding on security among the nation’s smallest retailers.
A little more than half (54%) of surveyed merchants say they are aware of the Payment Card Industry Data Security Standard (PCI DSS), the 7-year-old set of data-security rules that applies to every merchant accepting payment cards. That percentage has not budged in the year since the previous survey was done, according to ControlScan Inc., an Alpharetta, Ga.-based vendor of PCI compliance solutions, and Merchant Warehouse, a Boston-based independent sales organization, which jointly sponsor the research. Their latest release is the fourth annual report they have done on PCI compliance among so-called Level 4 merchants: under Visa's tiering, those processing fewer than 20,000 Visa e-commerce transactions annually, or up to 1 million Visa transactions annually through any other channel.
Nor is the picture any brighter among those merchants that say they are aware of PCI. Here, a smaller proportion of small merchants has validated PCI compliance (50%, down 7 points from last year), fewer rank data security as a high priority (77%, down 6 points), fewer can produce the documentation needed to back up the self-assessment questionnaires (SAQs) they file as their compliance reports (39%, down from 47%), and 48% are investing in PCI compliance, down 3 points.
The disappointing results carry added significance because the country's 5 million Level 4 merchants, while small in size, account for a significant share of card-based transactions. They are also far more vulnerable to a data compromise than larger merchants, though they don't see it that way. Some 79% reported "little to no chance" a breach could happen at their stores, according to the survey. Yet 97% of all reported U.S. compromises in 2011 occurred at small merchants, according to Visa Inc., which says the number of U.S. breaches rose 27% that year compared to 2010. Restaurants and franchise operations are particularly vulnerable to hackers.
Visa, which doesn't report a numerical compliance rate for Level 4 merchants, in June reported 97% and 93% compliance rates for Level 1 and Level 2 merchants, respectively. Level 3s (e-commerce merchants with between 20,000 and 1 million Visa transactions a year) came in at 60%. For Level 4s, Visa said only that compliance was "moderate."
While compliance among small merchants has long been a concern, the apparent backsliding uncovered by this year’s survey is particularly alarming. “I was disappointed we didn’t see progress,” says Heather Foster, vice president of marketing at ControlScan. “I’m definitely disappointed about awareness.” Adds Steven Tatem, IT director at Merchant Warehouse: “A lot of work still needs to be done on the education and awareness side.”
Both point out that compliance is relatively inexpensive for small merchants, and especially so when compared to the costs of a breach. But the abstruse language of the standard, together with the compliance cost and merchants’ calculation of their risk, conspire to make many owners put PCI on the shelf. “The security vs. convenience factor is always going to be part of the equation,” notes Tatem. “’It’s too much of a hassle, I just put my head in the sand.’”
Tatem advises ISOs and other acquirers to make PCI compliance part of the sales presentation to any merchant at the earliest opportunity. “That initial sales pitch should touch on this,” he says. “If I want to sell someone a bike, I want to make sure they have a helmet, too.”
One bright spot in this year's survey is the performance of Web merchants, which turn out to be far more aware of, and active in compliance with, PCI than are their brick-and-mortar cousins. For example, some 70% of e-commerce sellers understand the standard is compulsory, vs. just 52% of physical merchants. The same proportion of e-commerce merchants (70%) is completing compliance validation, compared to only 45% of brick-and-mortar retailers.
The two companies conducted the survey in August, gathering responses from 603 merchants. Nearly half of the respondents reported annual transaction volume under $100,000, and 44% were brick-and-mortar establishments, with 16% falling into the e-commerce category and 40% being hybrids or mail-order/phone-order merchants.