Business Owner: Are you Aware?

Article Provided by PCI Security Standard Council

Small retailers still aren’t catching on to the Payment Card Industry data security standards, according to recent survey results.

Only 54% of Level 4 merchants are aware of the standards, up just a single percentage point from last year, says Heather Foster, vice president of marketing for security vendor ControlScan Inc

Among merchants aware of PCI, the percentage who comply with the standards fell from 57% last year to 50% this year, says Foster.

“There was really no upward progress overall in terms of awareness and merchants who achieved compliance,” she notes.

The percentage of merchants that are aware but don’t comply could result partly from sampling error and partly because merchants sometimes fall out of compliance, Foster notes.

The lack of improvement in awareness constitutes “the more disappointing number” because awareness precedes complying, she says.

The tasks of spreading awareness and following up to make sure merchants keep complying fall mainly to ISOs, which have personal relationships with small retailers, Foster says.

“You have to keep reminding them that they have to do it again,” she says, referring to continuing efforts by ISOs to help merchants stay in compliance.

Awareness and compliance run higher among online merchants than offline merchants, Foster says.

“They know consumers are putting their credit card information directly onto their site, so they’re much more aware of how they’re handling that data,” she says.

Moreover, offline retailers often believe that they’re too small to attract data thieves, Foster says.

“But if you look at the overall data-compromise events, they are taking place at the small-merchant level and there’s a much higher population of brick-and-mortar retail than e-commerce merchants,” she notes.

Some 79% of small retailers believe they’re at little or no risk for data breaches, the study has shown consistently over the years, Foster says.

“A lot of times, they just don’t know,” she says.

A white paper on the study devotes a page and a half to explaining breaches, Foster says, noting that ISOs and sales agents could use the information to provide context to their merchants.

“This is a real problem, and this is what we’re trying to do to help you protect yourself and your customers’ information,” she says.

The study also shows each year that merchants seek information on security and PCI from merchant banks and ISOs, Foster notes.

“Those are their trusted advisers and that’s who they expect to hear it from,” she says.

Providing information that puts PCI duties in context eases the burden of the compliance questionnaire, Foster suggests.

Helping merchants comply with PCI also protects ISOs, she says. When a merchant has a breach and can’t pay the fine, liability can fall on the ISO and acquiring bank..

ControlScan recommends combining that sort of email newsletter with statement inserts, direct mail, website content and phone calls to raise awareness, says Foster.

“It takes a village to achieve compliance,” she contends. “The more media channels you use, the more likelihood you’re going to get the message through.”

The researchers try to avoid results skewed by the relationship with the sponsoring companies, she notes.

More than 600 merchants responded to the survey, which had 16 security questions and a “handful” of demographic questions on merchant category and size, Foster says.

Visa Inc. defines Level 4 merchants as those processing fewer than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions yearly.

By Ed Mckinley