Yawn with the Wind

Small merchants remain complacent about PCI DSS compliance, despite mounting risks.

PCI Compliance

In “Gone with the Wind,” Scarlett O’Hara chooses to procrastinate when faced with a difficult problem: “I can’t think about that right now. If I do, I’ll go crazy. I’ll think about that tomorrow.”

Many small business owners appear to be suffering from a form of “Scarlett Syndrome” when it comes to the Payment Card Industry Data Security Standard (PCI DSS). A new report reveals a stubborn, multiyear trend of minimal growth in data security awareness and overall indifference in small merchants’ perceived risk of a data breach.

The report, developed by ControlScan in conjunction with Merchant Warehouse, focuses specifically on PCI DSS compliance among Level 4 merchants. Merchant levels are set by the individual card brands rather than by the PCI DSS itself; under Visa's definition, Level 4 covers merchants processing fewer than 20,000 Visa e-commerce transactions per year, plus all other merchants processing up to one million Visa transactions per year. Although they conduct the fewest transactions, Level 4 merchants make up 99 percent of U.S. businesses that process credit cards.

“Just under half of this year’s respondents indicated they are unaware of the PCI DSS,” said Joan Herbig, CEO of ControlScan. “That finding, combined with the fact that 79 percent of respondents think their business has little to no risk of breach, indicates a serious disconnect between Level 4 merchants and the ISOs and acquiring banks serving them.”

Frankly, They Don’t Give a Darn

The report, “A Tale of Two Merchants: The Fourth Annual Survey of Level 4 Merchant PCI Compliance Trends,” is based on survey responses from 603 merchants. Overall, most respondents familiar with the PCI DSS rank security as “medium” or “high” among their organizations’ overall priorities — however, only 50 percent have actually validated their PCI compliance. Ecommerce merchant respondents are above the average at a 70 percent completion rate, while brick-and-mortar merchants are below the average at 45 percent. When all respondents are included in the calculation, the overall PCI compliance rate for these Level 4 merchants drops to 30 percent.

That is an astoundingly low number considering these are the very merchants most frequently targeted by attackers. In a June 2012 presentation, Visa reported that Level 4 merchants experienced a 15 percent rise in reported compromise events from 2010 to 2011, with 70 percent of incidents involving brick-and-mortar merchants. Non-compliance also correlates with breaches: according to the Verizon 2012 Data Breach Investigations Report, 96 percent of breach victims that were subject to the PCI DSS had not achieved compliance. Correlation is not proof that validation by itself prevents a breach, but it does show that the baseline controls the standard requires are routinely absent where breaches occur.

Despite the obvious risk, PCI-related complacency has remained consistent during four years of the ControlScan/Merchant Warehouse survey.

“The four years’ worth of data now in place show that Level 4 merchants have an urgent need for education and hands-on support to effectively protect their businesses from data thieves,” said David McSweeney, executive vice president, Operations, Merchant Warehouse. “Small merchants require more personalized outreach and scalable solutions that make sense and are affordable for their business.”

Time for Action

Small-business owners are typically focused on operations and often lack the time, inclination or expertise to effectively address data security issues. IT service organizations can provide valuable assistance by increasing business awareness of security risks and delivering solutions that help improve compliance.

To encourage compliance, particularly among small merchants, the PCI Security Standards Council in November 2012 issued new guidelines on how businesses storing, processing or transmitting payment-card information should conduct an annual risk assessment. The document is an information supplement rather than a new requirement: PCI DSS Requirement 12.1.2 already calls for an annual process that identifies threats and vulnerabilities and results in a formal risk assessment, and the guidelines explain how to structure one. The guidelines can be downloaded at the council’s website http://www.pcisecuritystandards.org/security_standards/documents.php.

“As there are a number of risk assessment methodologies out there, our stakeholders were looking for guidance on how to effectively apply these principles to their organizations to meet PCI requirements,” said Bob Russo, general manager, PCI Security Standards Council. “Through our community-driven election process, our participating organizations selected this as a key focus area, and the result is a strong set of best practices to guide you through choosing the risk management approach that works best for your business.”