
4 excuses small merchants make for ignoring data security

Small business owners may think they can't afford the time or the money needed to make their business compliant with the Payment Card Industry Data Security Standard (PCI DSS). The fact is, they can't afford not to, because data thieves are increasingly targeting small businesses.

But small retailers often aren't aware of their exposure, according to the fourth annual survey on small merchants' PCI compliance conducted jointly by ControlScan, which specializes in security and PCI compliance, and payment solutions provider Merchant Warehouse. And even those merchants who do understand the importance of data security don't always follow through with the steps needed to protect themselves.

Here are some of the most common excuses small merchants make to avoid PCI compliance, according to experts -- and some reasons to rethink them if they sound all too familiar.

Excuse No. 1: Data thieves aren't interested in my small business. They go after the big guys.

Nearly 80 percent of the small merchants in the ControlScan survey felt they had no risk or very little risk of a data compromise. Their confidence is misplaced. Hackers and data thieves originally focused on merchants with the highest transaction volumes, but those retailers have since made the effort to become PCI DSS compliant. As a result, thieves are turning to easier targets, such as small businesses, and using automated tools to probe for vulnerabilities rather than picking victims by hand.

"The understanding isn't there that it's not a personal attack, but an automated attack where these technologies are actually fishing through the Internet or fishing through payment systems to find those that are vulnerable," says Jenn Reichenbacher, director of communications at Merchant Warehouse.

Because more and more small merchants have their payment functions connected to the Internet, they're increasingly vulnerable.

"Small businesses may think 'I'm just a small mom-and-pop store. Why would anyone attack me?'" says David Abouchar, ControlScan's senior director of product management. "...It's not that hackers from the Ukraine are going after Bob's convenience store. They simply go out and create automated tools that probe the Internet and, if Bob's convenience store has a vulnerability, they'll exploit it."

Need even more proof that you're at risk? In a June 2012 presentation, Visa said that 97 percent of the U.S. data breach incidents reported to the company in 2011 occurred at small merchants.

Excuse No. 2: If the big guys can't stop them, I can't.

Whether a retailer is large or small, hackers look for the easiest path to the data. For example, they are far more likely to go after merchants who use weak or default passwords on their payment systems than to mount a prolonged attack on a well-defended one.

"Hackers are not going to spend countless hours trying to break into a small merchant," Abouchar says. "If the merchants will protect themselves with some of the basics, they're not going to be 100 percent bullet proof -- no one is -- but they will have taken steps that will significantly mitigate a breach event."

Excuse No. 3: PCI DSS compliance is too complicated.

The ControlScan survey found that 67 percent of e-commerce merchants were knowledgeable about PCI DSS, while only 51 percent of brick-and-mortar merchants said they were familiar with it. But only half of those who know about PCI DSS actually validate that they are compliant. The rest say they don't understand it, don't have the resources to handle it, or are still working on it.

"Putting myself in a small business owner's shoes, I can understand why they say that," Abouchar says. "But if they spend a little bit of time trying to understand what their options are, I think they'll find that it isn't as daunting as it may seem on the surface."

Business owners can learn more about PCI DSS by talking to companies that specialize in it or by consulting with their own service providers.

"From our perspective [at Merchant Warehouse] we look at that as a key role for us," Reichenbacher says. "We do everything in our power to educate and to reinforce the critical need for PCI compliance." As part of standard pricing, for example, Merchant Warehouse offers its customers the resources of ControlScan to help them make their credit card processing more secure.

"But we can't do it for the merchants," Reichenbacher says. "That's the piece they have to do, to be willing to take a short amount of time to gain some basic understanding of the concepts. We make an immediate introduction and partner with ControlScan to literally walk them through the process, and yet we continue to struggle to get people to enroll in this complimentary service that we provide."

Excuse No. 4: PCI DSS compliance is too expensive.

A data breach would cost far more. According to Symantec's 2011 Cost of Data Breach Study, conducted with the Ponemon Institute, the average cost of a breach to U.S. organizations was $194 per compromised record, counting both direct expenses and indirect costs such as lost business. At that rate, a breach of just 200 customer records could cost almost $39,000.

"You have to look at it from an investment perspective, not just from a cost perspective," Abouchar says. "This is your livelihood -- you do not want one single event to ruin everything you've worked so hard for."

The costs of becoming PCI DSS compliant will vary according to merchants' size and the type of retail business they're running, Abouchar says.

"But there are really a lot of affordable ways that you can outsource some or all of your cardholder data functions. There are a lot of cloud-based security tools that are typically well-suited for small business owners and that start at $40 to $50 a month," Abouchar says.

Securing the back end of your business by complying with PCI DSS isn't much different from physically securing your store, Reichenbacher says.

"You wouldn't trust your neighbors not to come into your store if you didn't put a lock on it," she says. "You'd invest in that lock and maybe a security system as well. It's simply an important cost of doing business."


Published: December 14, 2023
