Small retailers still aren’t catching on to the Payment Card Industry data security standards, according to recent survey results.
Only 54% of Level 4 merchants are aware of the standards, up just a single percentage point from last year, says Heather Foster, vice present of marketing for security vendor ControlScan Inc., which cooperated on the research with Merchant Warehouse, a Boston-based ISO.
Among merchants aware of PCI, the percentage who comply with the standards fell from 57% last year to 50% this year, says Foster.
“There was really no upward progress overall in terms of awareness and merchants who achieved compliance,” she notes.
The percentage of merchants that are aware but don’t comply could result partly from sampling error and partly because merchants sometimes fall out of compliance, Foster notes.
The lack of improvement in awareness constitutes “the more disappointing number” because awareness precedes complying, she says.
The tasks of spreading awareness and following up to make sure merchants keep complying fall mainly to ISOs, which have personal relationships with small retailers, Foster says.
“You have to keep reminding them that they have to do it again,” she says, referring to continuing efforts by ISOs to help merchants stay in compliance.
Awareness and compliance run higher among online merchants than offline merchants, Foster says.
“They know consumers are putting their credit card information directly onto their site, so they’re much more aware of how they’re handling that data,” she says.
Moreover, offline retailers often believe that they’re too small to attract data thieves, Foster says.
“But if you look at the overall data-compromise events, they are taking place at the small-merchant level and there’s a much higher population of brick-and-mortar retail than e-commerce merchants,” she notes.
Some 79% of small retailers believe they’re at little or no risk for data breaches, the study has shown consistently over the years, Foster says.
“A lot of times, they just don’t know,” she says.
A white paper on the study devotes a page and a half to explaining breaches, Foster says, noting that ISOs and sales agents could use the information to provide context to their merchants.
“This is a real problem, and this is what we’re trying to do to help you protect yourself and your customers’ information,” she says.
The study also shows each year that merchants seek information on security and PCI from merchant banks and ISOs, Foster notes.
“Those are their trusted advisers and that’s who they expect to hear it from,” she says.
Providing information that puts PCI duties in context eases the burden of the compliance questionnaire, Foster suggests.
Helping merchants comply with PCI also protects ISOs, she says. When a merchant has a breach and can’t pay the fine, liability can fall on the ISO and acquiring bank.
For those reasons, Merchant Warehouse stays focused on retailers’ awareness and compliance, says Jenn Reichenbacher, the ISO’s director of communications.
“From discussing PCI upfront with new customers by our direct sales team all the way through to our customer-service team, we are becoming more and more educated about PCI compliance and we share that with our customers,” Reichenbacher says.
Merchant Warehouse has developed an email quarterly newsletter, called The Paymentor News, which provides articles and links to additional information, she notes. It’s designed to encourage the company’s customers to think about data security.
“Renters don’t think about renter’s insurance until they’re robbed,” Reichenbacher says. “That’s somewhat of the mentality across this merchant space.”
ControlScan recommends combining that sort of email newsletter with statement inserts, direct mail, website content and phone calls to raise awareness, says Foster.
“It takes a village to achieve compliance,” she contends. “The more media channels you use, the more likelihood you’re going to get the message through.”
ControlScan and Merchant Warehouse commissioned the annual study for the fourth time this year. It’s conducted by sending an email message with a link to an online questionnaire.
The email message goes to companies in the ControlScan and Merchant Warehouse databases, which include customers and other companies that have made inquiries, Foster says.
The researchers try to avoid results skewed by the relationship with the sponsoring companies, she notes.
More than 600 merchants responded to the survey, which had 16 security questions and a “handful” of demographic questions on merchant category and size, Foster says.
Visa Inc. defines Level 4 merchants as those processing fewer than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions yearly.