Research: Small Merchants Don't Believe PCI Compliance Will Protect Them

Study finds a continued lack of knowledge on PCI DSS

Dark Reading Staff, Dark Reading

November 11, 2011

4 Min Read

The growing number of large and small data breaches, and the media coverage they attract, have further polarized how small- to mid-sized merchants approach data security and PCI compliance, from little worry to top security priority. This conclusion is just one of the major findings from a survey of nearly 620 Level 4 merchants conducted by ControlScan and Merchant Warehouse.

According to the survey, A “Perfect Storm” of Complacency: The Third Annual Industry Survey of Level 4 Merchant PCI Compliance Trends, merchants with 10 or fewer employees – known as micro-merchants – are stubbornly persistent in their belief that PCI compliance will not protect their business. Even more, the study finds a continued lack of knowledge on the Payment Card Industry Data Security Standard (PCI DSS). Of those micro-merchants surveyed, 48 percent reported they were either “unsure” of or “not at all familiar” with the Payment Card Industry Data Security Standard.

In contrast, 77 percent of large Level 4 merchants, which are defined as those that employ 51 or more employees, confirmed they are “very” or “somewhat” familiar with the PCI DSS, with 79 percent considering data security a high priority and 82 percent considering PCI compliance mandatory. Awareness of PCI compliance is also high among e-commerce merchants at 64 percent.

“The results of this year’s survey, compared to years’ past, show us that education and structured PCI compliance programs are helping large Level 4 and e-commerce merchants make strides in PCI compliance,” said Henry Helgeson, co-CEO of Merchant Warehouse. “Unfortunately, the results also show us that micro-merchants are either unaware of the PCI DSS or actively choose not to embrace data security or the PCI DSS, because they don’t understand the risks. Merchants’ lack of awareness makes them more vulnerable to hacker attacks on cardholder data and could lead to catastrophic financial losses.”

Belief among Level 4 merchants that PCI compliance should be mandatory increased to 60 percent over the last year – a 10 percent gain. E-commerce (68 percent), companies with 51 or more employees (82 percent) and transaction volumes of $251,000 - $1M (69 percent) rated it even higher.

“We are encouraged by both the adoption and serious thought large Level 4 and e-commerce merchants are putting into their security posture and compliance, which we find directly related to the education and resources they receive on PCI compliance,” said Joan Herbig, CEO of ControlScan. “There is still a tremendous opportunity, however, for ISOs and acquirers to share that same education with micro-merchants in order to guide them through PCI compliance by setting stronger repercussions for non-compliance and establishing data security as an ongoing process.”

For the first time, the survey asked if small- to mid-sized merchants were more concerned with “outsider” or “insider” data security attacks. Of micro-merchants, 85 percent saw outsiders as the biggest threat, while the percentage went down for larger Level 4 merchants to 69 percent.

The precise impact of emerging technologies, such as point-to-point encryption and tokenization, on a merchant’s PCI compliance efforts is still unfolding. Yet, ISOs and acquirers are encouraged to stay apprised of developments in this space.

“These technologies hold great promise for reducing the merchant’s efforts to comply with the PCI DSS, while increasing their security posture,” continued Herbig. “The PCI Council has also recently provided guidance in these areas and will be providing more information in the coming months, which should help increase clarity and adoption.”

To access a copy of the detailed study findings, please click on the following link: NOTE: link will be live Thurs., Nov. 3.

ControlScan and Merchant Warehouse are also hosting a joint Webinar to be held on November 10, 2011 at 2 – 3 p.m. ET to present the study’s findings. To register, please click on the following link:

About the Survey

The survey was completed in August 2011 by 621 Level 4 merchants who represent a mix of e-commerce, retail stores and mail order/telephone order businesses.

About the PCI Compliance Provider, ControlScan:

Headquartered in Atlanta, Georgia, ControlScan is the leading provider of Payment Card Industry (PCI) Compliance and Security services designed to meet the unique needs of small to mid-sized merchants and the acquirers that serve them. The company’s flexible solutions, easy-to-use online tools and personalized support significantly simplify PCI and security for its clients. In addition, as an Approved Scanning Vendor and a Qualified Security Assessor, ControlScan is positioned to help merchants meet compliance requirements and maintain secure business environments for their customers. For more information about ControlScan and its cloud-based solutions, visit or call 1-800-825-3301.

About Merchant Warehouse:

Merchant Warehouse is an award winning provider of secure payment processing solutions and merchant account services to merchants and point-of-sale developers nationwide. As an industry leader, Merchant Warehouse is committed to ensuring its merchants, agents and partners are offered the most forward thinking payment solutions, delivering PCI compliant solutions that minimize the complexities of compliance for merchants. Headquartered in Boston, MA, since 1998, Merchant Warehouse continues to provide account services to hundreds of thousands of merchants and serves hundreds of agents and partners. For more information, please visit or follow us on Twitter at Visit our blogs at and

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.
