
Many small merchants ignoring security standards

It's been more than five years since the Payment Card Industry Data Security Standard (PCI DSS) was introduced, establishing standards for organizations that handle cardholder data. Yet, Level 4 "micro merchants" (particularly those with 10 or fewer employees) seem to be operating like ostriches with heads buried in the sand.

Recent research suggests that small merchants are apathetic toward PCI DSS -- and that this attitude is the calm before the inevitable "perfect storm" of catastrophic financial losses, hacker attacks and devastating data breaches that could deliver crushing blows to daily operations.

Survey reveals apathy toward PCI DSS
ControlScan, a leading provider of PCI compliance and security services for small to mid-sized merchants and acquirers, conducted its third survey of Level 4 merchants. The ControlScan survey focused on micro merchants' responses to PCI DSS compliance. More than 600 Level 4 merchants were polled.

The ControlScan study revealed a dangerous formula at work in the small merchant business community: low levels of awareness of PCI + apathy regarding cardholder data = lackluster, apathetic merchant compliance, high risk for hacker attacks and potential for devastating losses.

Risks of high losses aren't motivating enough
Inexplicably, small merchants aren't motivated by the risk of hefty financial losses when it comes to PCI DSS compliance. In fact, some merchants believe compliance measures don't make their businesses operate more securely. The ControlScan study suggests several factors behind merchant apathy:

  • Small merchants believe they have a low risk for security breaches.
  • Merchants fail to acknowledge devastating financial impacts of data and security breaches.
  • Merchants don't appreciate the duty they owe customers to protect sensitive cardholder information.
  • Merchant acquirers don't mandate compliance efforts and are allowing things to slide.
  • Small merchants are frustrated and overwhelmed by the costs of compliance, as well as by comprehending and applying compliance measures.
  • Merchants view compliance as a discrete, one-time paperwork chore, rather than an ongoing practice.
  • Merchants count on banks, acquirers and other payment processing vendors to give them advice on PCI compliance and security for credit card payments.

Unawareness is still a big, systemic problem
There is a fundamental awareness problem when it comes to PCI DSS, the survey found. Efforts to promote and increase awareness of PCI compliance among small merchants are stalling and making little to no progress. Nearly half of all small merchants weren't sure of the compliance standards or admitted to being not at all familiar with them, according to the survey. Just 18 percent described themselves as being very familiar with compliance standards.

What does this mean for small merchants?
This apathy may come at a cost -- a high cost. Hackers prey upon small merchants because they're seen as easier attack targets. One study conducted by Symantec Corporation and Ponemon Institute suggests the average cost of a single compromised cardholder record was $214 in 2010. So even if a small merchant has only 1,000 customer records, the total price tag can quickly surpass $200,000.

Even though many small merchants have been slow to adopt PCI DSS standards, there has been some progress, according to the ControlScan report. PCI DSS compliance increased slightly from 2010 to 2011. And more merchants said they believed that PCI standards should apply to their business.

See related: Large number of merchants storing unencrypted card data; 6 tips for securing your payment system

Published: January 24, 2023
