According to the survey, A “Perfect Storm” of Complacency: The Third Annual Industry Survey of Level 4 Merchant PCI Compliance Trends, merchants with 10 or fewer employees – known as micro-merchants – persist in their belief that PCI compliance will not protect their business. Moreover, the study finds a continued lack of knowledge of the Payment Card Industry Data Security Standard (PCI DSS). Of the micro-merchants surveyed, 48 percent reported they were either “unsure” of or “not at all familiar” with the PCI DSS.
In contrast, 77 percent of large Level 4 merchants, which are defined as those that employ 51 or more employees, confirmed they are “very” or “somewhat” familiar with the PCI DSS, with 79 percent considering data security a high priority and 82 percent considering PCI compliance mandatory. Awareness of PCI compliance is also high among e-commerce merchants at 64 percent.
“The results of this year’s survey, compared to years’ past, show us that education and structured PCI compliance programs are helping large Level 4 and e-commerce merchants make strides in PCI compliance,” said Henry Helgeson, co-CEO of Merchant Warehouse. “Unfortunately, the results also show us that micro-merchants are either unaware of the PCI DSS or actively choose not to embrace data security or the PCI DSS, because they don’t understand the risks. Merchants’ lack of awareness makes them more vulnerable to hacker attacks on cardholder data and could lead to catastrophic financial losses.”
Belief among Level 4 merchants that PCI compliance should be mandatory increased to 60 percent over the last year – a 10 percent gain. E-commerce (68 percent), companies with 51 or more employees (82 percent) and transaction volumes of $251,000 - $1M (69 percent) rated it even higher.
“We are encouraged by both the adoption and serious thought large Level 4 and e-commerce merchants are putting into their security posture and compliance, which we find directly related to the education and resources they receive on PCI compliance,” said Joan Herbig, CEO of ControlScan. “There is still a tremendous opportunity, however, for ISOs and acquirers to share that same education with micro-merchants in order to guide them through PCI compliance by setting stronger repercussions for non-compliance and establishing data security as an ongoing process.”
For the first time, the survey asked if small- to mid-sized merchants were more concerned with “outsider” or “insider” data security attacks. Of micro-merchants, 85 percent saw outsiders as the biggest threat, while the percentage went down for larger Level 4 merchants to 69 percent.
The precise impact of emerging technologies, such as point-to-point encryption and tokenization, on a merchant’s PCI compliance efforts is still unfolding. Yet, ISOs and acquirers are encouraged to stay apprised of developments in this space.
“These technologies hold great promise for reducing the merchant’s efforts to comply with the PCI DSS, while increasing their security posture,” continued Herbig. “The PCI Council has also recently provided guidance in these areas and will be providing more information in the coming months, which should help increase clarity and adoption.”
To access a copy of the detailed study findings, please click on the following link:
https://www.controlscan.com/whitepapers/merchant_study_2011.php. NOTE: link will be live Thurs., Nov. 3.
ControlScan and Merchant Warehouse are also hosting a joint Webinar to be held on November 10, 2011 at 2 – 3 p.m. ET to present the study’s findings. To register, please click on the following link: https://www2.gotomeeting.com/register/714284818.
About the Survey
The survey was completed in August 2011 by 621 Level 4 merchants who represent a mix of e-commerce, retail stores and mail order/telephone order businesses.
About the PCI Compliance Provider, ControlScan:
Headquartered in Atlanta, Georgia, ControlScan is the leading provider of Payment Card Industry (PCI) Compliance and Security services designed to meet the unique needs of small to mid-sized merchants and the acquirers that serve them. The company’s flexible solutions, easy-to-use online tools and personalized support significantly simplify PCI and security for its clients. In addition, as an Approved Scanning Vendor and a Qualified Security Assessor, ControlScan is positioned to help merchants meet compliance requirements and maintain secure business environments for their customers. For more information about ControlScan and its cloud-based solutions, visit www.controlscan.com or call 1-800-825-3301.
About Merchant Warehouse:
Merchant Warehouse is an award winning provider of secure payment processing solutions and merchant account services to merchants and point-of-sale developers nationwide. As an industry leader, Merchant Warehouse is committed to ensuring its merchants, agents and partners are offered the most forward thinking payment solutions, delivering PCI compliant solutions that minimize the complexities of compliance for merchants. Headquartered in Boston, MA, since 1998, Merchant Warehouse continues to provide account services to hundreds of thousands of merchants and serves hundreds of agents and partners. For more information, please visit merchantwarehouse.com or follow us on Twitter at http://twitter.com/MWarehouse. Visit our blogs at http://blog.merchantwaresolutions.com/ and http://blog.merchantwarehouse.com.
How To Boost Security Via FFIEC Compliance
With just a smartphone, users can conduct nearly all their banking business at any time of the day or night. However, all this flexibility and convenience opens up new avenues for fraud and cybercrime. Guidelines laid out by the FFIEC several years ago predate many of the capabilities, and vulnerabilities, that are in place today. In this report, we examine the latest guidelines and provide advice on how you can extend the work done to comply with FFIEC guidelines to strengthen your organization's overall security posture and keep customers and their data safe.
Keeping Compliance In Check
Configuration mistakes, access control gaffes, poor documentation: it doesn't take much for a compliance audit to go all wrong. In this special retrospective of recent news coverage, Dark Reading takes a look at the costs, common missteps and best practices for compliance, as well as the day the Internet nearly went dark due to the threat of new regulations.
FISMA Lifts All Compliance Boats
FISMA may not be on your radar now, but it likely will be at some point. Geared specifically toward the federal government and its affiliate agencies and third parties, FISMA is a very specific set of requirements aimed at establishing and maintaining at least a baseline level of computer and network security. FISMA requires unique categorization and classification of information assets, not to mention a boatload of documentation to prove compliance. But once your organization achieves FISMA compliance, it will likely be compliant with just about every security mandate out there.