
Small Businesses: Overconfident on Security

Most mom-and-pops think they've got customers' backs, but study suggests they may be big fat targets

Mar 09, 2007 | 12:20 PM

By Tim Wilson
DarkReading

WASHINGTON -- They're strutting like they've got the problem licked. But small businesses may be setting themselves up for a big fall, according to a new study.

In a report released here yesterday at the Visa USA security summit, the National Federation of Independent Business and Visa reported that small businesses are overconfident about their ability to protect their customers' data. In fact, most companies with fewer than 250 employees are storing sensitive data that they shouldn't, the study says.

"The entrepreneurial, go-it-alone spirit that drives many small businesses may actually work against them on important issues like security," said Rosetta Jones, vice president of Visa USA. "That's why creating educational programs that provide a blueprint for protecting small businesses and locking down customer information are so important." Visa and the NFIB will launch a security training program for small businesses later this year, she said.

Eighty-seven percent of small businesses believe that if customers saw how they handled their data, it would either affirm (48 percent) or strengthen (39 percent) the trust that customers put in their businesses, according to the report. About 84 percent of mom-and-pops protect customer information through encryption or passwords.

Yet more than half of small retailers are currently storing sensitive customer data that they are supposed to purge after a transaction is complete under the Payment Card Industry (PCI) Data Security Standard, the NFIB and Visa said. Thirty-seven percent are storing customer credit card numbers; 24 percent are storing Social Security numbers; and 28 percent are storing customer bank account numbers or copies of checks.

"In some situations, business owners may not be fully aware that their systems are storing this highly sensitive information," the report said. "Yet it is exactly this sort of personal information that criminals seek in order to commit payment fraud."

Few small businesses have data security processes in place, the survey shows. Most (57 percent) do not see securing customer data as something that requires formal planning, and many (39 percent) say they rely on "common sense" to keep data safe. Most of the respondents (61 percent) have never sought out information about how to properly handle and store customer information.

Some small businesses are more security-savvy than others, according to the report. The smallest companies -- those with fewer than 10 employees -- are the least likely to have a formal security plan (38 percent, compared to 55 percent of companies with 20-250 employees).

Companies that have security-savvy owners make better plans than those that don't. Among companies whose owner checks his or her credit report, shreds documents, locks up files, and keeps PINs separate from cards and accounts, about 55 percent have a security plan in place. Among companies whose owner does two or fewer of these things, only 37 percent have a formal security plan.

Visa has been pushing security hard on the retail industry via PCI standards, but most small merchants are not compliant and don't face the prospect of an audit, as larger merchants do. Visa and the NFIB said they will attack the issue with Internet-based training, in-market events, and "turnkey" written materials.

— Tim Wilson, Site Editor, Dark Reading

