Risk

11/11/2011
05:48 PM

Research: Small Merchants Don't Believe PCI Compliance Will Protect Them

Study finds a continued lack of knowledge on PCI DSS

The prominence of large and small data breaches in number and resulting media coverage has served to further polarize how small- to mid-sized merchants approach data security and PCI compliance – from little worry to security priority. This conclusion is just one of the major findings from a survey of nearly 620 Level 4 merchants conducted by ControlScan (www.controlscan.com) and Merchant Warehouse (www.merchantwarehouse.com).

According to the survey, A “Perfect Storm” of Complacency: The Third Annual Industry Survey of Level 4 Merchant PCI Compliance Trends, merchants with 10 or fewer employees – known as micro-merchants – are stubbornly persistent in their belief that PCI compliance will not protect their business. Even more, the study finds a continued lack of knowledge on the Payment Card Industry Data Security Standard (PCI DSS). Of those micro-merchants surveyed, 48 percent reported they were either “unsure” of or “not at all familiar” with the Payment Card Industry Data Security Standard.

In contrast, 77 percent of large Level 4 merchants, which are defined as those that employ 51 or more employees, confirmed they are “very” or “somewhat” familiar with the PCI DSS, with 79 percent considering data security a high priority and 82 percent considering PCI compliance mandatory. Awareness of PCI compliance is also high among e-commerce merchants at 64 percent.

“The results of this year’s survey, compared to years’ past, show us that education and structured PCI compliance programs are helping large Level 4 and e-commerce merchants make strides in PCI compliance,” said Henry Helgeson, co-CEO of Merchant Warehouse. “Unfortunately, the results also show us that micro-merchants are either unaware of the PCI DSS or actively choose not to embrace data security or the PCI DSS, because they don’t understand the risks. Merchants’ lack of awareness makes them more vulnerable to hacker attacks on cardholder data and could lead to catastrophic financial losses.”

Belief among Level 4 merchants that PCI compliance should be mandatory increased to 60 percent over the last year – a 10 percent gain. E-commerce merchants (68 percent), companies with 51 or more employees (82 percent) and merchants with transaction volumes of $251,000 - $1M (69 percent) rated it even higher.

“We are encouraged by both the adoption and serious thought large Level 4 and e-commerce merchants are putting into their security posture and compliance, which we find directly related to the education and resources they receive on PCI compliance,” said Joan Herbig, CEO of ControlScan. “There is still a tremendous opportunity, however, for ISOs and acquirers to share that same education with micro-merchants in order to guide them through PCI compliance by setting stronger repercussions for non-compliance and establishing data security as an ongoing process.”

For the first time, the survey asked if small- to mid-sized merchants were more concerned with “outsider” or “insider” data security attacks. Of micro-merchants, 85 percent saw outsiders as the biggest threat, while the percentage went down for larger Level 4 merchants to 69 percent.

The precise impact of emerging technologies, such as point-to-point encryption and tokenization, on a merchant’s PCI compliance efforts is still unfolding. Yet, ISOs and acquirers are encouraged to stay apprised of developments in this space.

“These technologies hold great promise for reducing the merchant’s efforts to comply with the PCI DSS, while increasing their security posture,” continued Herbig. “The PCI Council has also recently provided guidance in these areas and will be providing more information in the coming months, which should help increase clarity and adoption.”

To access a copy of the detailed study findings, please click on the following link:

https://www.controlscan.com/whitepapers/merchant_study_2011.php. NOTE: link will be live Thurs., Nov. 3.

ControlScan and Merchant Warehouse are also hosting a joint Webinar to be held on November 10, 2011 at 2 – 3 p.m. ET to present the study’s findings. To register, please click on the following link: https://www2.gotomeeting.com/register/714284818.

About the Survey

The survey was completed in August 2011 by 621 Level 4 merchants who represent a mix of e-commerce, retail stores and mail order/telephone order businesses.

About the PCI Compliance Provider, ControlScan:

Headquartered in Atlanta, Georgia, ControlScan is the leading provider of Payment Card Industry (PCI) Compliance and Security services designed to meet the unique needs of small to mid-sized merchants and the acquirers that serve them. The company’s flexible solutions, easy-to-use online tools and personalized support significantly simplify PCI and security for its clients. In addition, as an Approved Scanning Vendor and a Qualified Security Assessor, ControlScan is positioned to help merchants meet compliance requirements and maintain secure business environments for their customers. For more information about ControlScan and its cloud-based solutions, visit www.controlscan.com or call 1-800-825-3301.

About Merchant Warehouse:

Merchant Warehouse is an award winning provider of secure payment processing solutions and merchant account services to merchants and point-of-sale developers nationwide. As an industry leader, Merchant Warehouse is committed to ensuring its merchants, agents and partners are offered the most forward thinking payment solutions, delivering PCI compliant solutions that minimize the complexities of compliance for merchants. Headquartered in Boston, MA, since 1998, Merchant Warehouse continues to provide account services to hundreds of thousands of merchants and serves hundreds of agents and partners. For more information, please visit merchantwarehouse.com or follow us on Twitter at http://twitter.com/MWarehouse. Visit our blogs at http://blog.merchantwaresolutions.com/ and http://blog.merchantwarehouse.com.
