PCI: Small Merchants Need to Catch Up
New Survey Finds Small Merchants Don't Invest in PCI ComplianceWhy has industry-wide compliance with the Payment Card Industry Data Security Standard proved so challenging? PCI-DSS is not new -- the standard is six years old. And changes to the standard, though somewhat significant during the early days, have not, as of late, been so dramatic.
The PCI Security Standards Council has been very vocal about its decision this year to keep standards relatively stagnant. The council says the PCI-DSS is mature and inclusive. And it wants to give the payments community a chance to catch up on compliance.
During a recent interview with Bob Russo, general manager of the PCI SSC, he highlighted initiatives the council has spearheaded to help the payments community. The PCI Internal Security Assessor Program, which offers training to help corporations internally assess their security programs, is expected to help payments players better prepare for PCI quality assessments. And a new micro website for smaller retailers will offer information and education about PCI requirements and compliance.
We noted in our coverage of the Oct. 28 standards updates that the launch of that website could not come at a better time, as the chasm between PCI compliance among large retailers and small merchants is becoming ever more vast. Criminals are beginning to move "down the food chain to target Level 3 and Level 4 retailers with cyber and physical attacks," Russo says.
A new survey from ControlScan, a PCI compliance solutions company, and Merchant Warehouse, which provides credit card equipment and payments transaction processing, supports the notion that there is indeed a PCI gap. According to the survey, "Diversity Resigns: The Second Annual Industry Survey of Level 4 Merchant PCI Compliance Trends," larger, Level 4, merchants are familiar with and dedicated to PCI compliance. Ninety-one percent of Level 4 merchants, which have at least 51 employees, confirmed familiarity with PCI-DSS, while only 45 percent of micro-merchants, with between one and 10 employees, said they understand PCI-DSS.
"We as an industry have an opportunity to create better educational tools that can help the small to mid-sized merchants understand the importance and process of protecting cardholder data," says Henry Helgeson, co-CEO of Merchant Warehouse, in a news release about the survey. "Educating both merchants and partners on why PCI-DSS compliance is good for business and how to easily achieve it is the first step toward achieving more compliance. The second step is to advise merchants to use secure, PA-DSS (Payment Application Data Security Standard) certified payment processing solutions."
What's more frightening to me, however, is that about half of the micro-merchants who took the survey say they don't spend anything on PCI compliance. They say "completing the paperwork" is as far as they go toward ensuring PCI mandates are met. In contrast, the majority of Level 4 merchants say they spend between $500 and $20,000 to attain and maintain PCI compliance.
In part, that makes sense, I suppose. Larger retailers or merchants are not only more likely to get hit by fraud, but the losses they suffer from cyberattacks and breaches are far more costly than those suffered by significantly smaller merchants.
But that does not excuse smaller merchants' lack of investment or attention to PCI. If my card is comprised at the family-owned bread shop up the street I visit from time to time for lunch, my displeasure will be no less than if my card were compromised at Wal-Mart.
Here's the point: Every retailer or merchant needs to be PCI compliant. A number of industry analysts were quick to criticize the PCI SSC for not changing the standards to keep up with emerging technology, and I agree with them on some level. At the same time, I have to acknowledge the overwhelming burden the council must feel when it's faced with merchants who continue to disregard their need to protect cardholder data. It's time for everyone to get with the proverbial program, small merchants included.