Spotlight on Merchant Services: Security Standards

Five years after the introduction of the Payment Card Industry Data Security Standard (PCI DSS) that established standards for handling credit card data, some merchants are still not onboard, according to a recently-released survey of small businesses. It’s disappointing news, especially since many merchant services providers — including Merchant Express® — have made every effort to drive home the message that PCI compliance is a business’s first line of defense against credit card fraud and identity theft.

The survey, conducted by ControlScan, focused on Level 4 merchants, particularly “micro-merchants” with fewer than 10 employees. The results reveal something of a “What? Me Worry?” attitude among the respondents. Specifically, there were three key finding

1. The risk of financial losses doesn’t seem to be a big motivator for Level 4

merchants to aggressively comply with the PCI DSS.

2. A sizeable minority of Level 4 merchants continue to believe that PCI compliance does not make their business more secure.
3. Little progress has been made in increasing awareness of PCI compliance among small business owners.

ControlScan notes that these findings, which are consistent with results from previous surveys, suggest “the stubborn persistence of a ‘perfect storm’ of complacency.” “Merchant apathy makes them more vulnerable to hacker attacks on cardholder data and could lead to catastrophic financial losses,” the survey concludes. “With a clear choice of bolstering payment data security or ignoring the financial risks of non-compliance, many merchants (especially those with ten or fewer employees) are doggedly persisting with the latter choice.”

The study was not all gloom and doom, however. Some progress was reported, such as the fact that spending to support PCI compliance had increased slightly over 2010, despite the difficult economy. And, of the 2011 respondents expressing awareness of PCI compliance:

• More merchants have validated that they are PCI compliant.
• More merchants have documentation to support their Self-Assessment Questionnaire (SAQ) responses.
• More believe that the PCI standard should apply to their businesses.
• More are taking actions or making purchases to comply with PCI and enhance data security.

The report also notes that while the majority of respondents (56%) viewed security as a high priority, there has not been notable year-to-year growth in this area. ControlScan attributed this to several likely reasons:

• Believing that their risk is very low, merchants are failing to recognize the potentially devastating impacts that data breaches can have on their reputations and finances.
• Merchants may not realize the obligation they have to their customers to protect sensitive information.
• Merchant services providers are not mandating compliance.

Merchant Express is one merchant services provider that recognizes that PCI compliance is the responsibility of everyone in the chain of credit card processing — the merchant, the provider, the card networks and the banks. We not only help our clients achieve and maintain PCI compliance, but we also offer a data breach security program to assist them if a data breach is suspected or actually occurs.

If you’re a merchant who’s serious about PCI compliance, talk to a Merchant Express representative about how we can help keep you and your customers safe from credit card fraud and identity theft.