Long after the 2004 release of the Payment Card Industry Data Security Standard (PCI DSS), many merchants remain unaware of it and know little about the threat data thieves pose, says Bill Farmer, CEO of Mako Networks.
"It's time for people to responsibly embrace the digital age and become aware of PCI compliance," says Farmer, whose Auckland, New Zealand-based company manages systems and security for cloud-based networks.
Merchants must seek guidance from security and network management companies that are willing to work together to secure cardholder data, Farmer says.
To that end, Mako compiled three years of research into a report titled "PCI and Partnerships." The report warns merchants of the complexities and dangers of either ignoring data security altogether or attempting to assemble a solution through various vendors that do not work together.
"There is a lot of misinformation out there in the payments industry, and we came together with like-minded people to put together this report to help small merchants," says Farmer. The report's contributors include Phoenix Managed Networks Inc., Spire Payments Inc., Vigitrust and Service Logistics.
"A collaborative effort among vendors has worked well, and it helps to outline an approach for PCI compliance for merchants," Farmer says.
Last spring, Mako worked with other vendors to develop PaySecure software to block hackers from entering a network through its most vulnerable connection points.
Still, no product is a perfect substitute for proactively learning about security, Farmer says.
"Merchants may look for a cheap way to get rid of PCI compliance worries, but PCI is all about good security in payments and every element of moving your business forward," Farmer says.
The Mako report indicates merchants are bombarded with information and offers from various security system resellers, each bringing more products into the discussion and adding to the confusion.
While the report steers merchants toward a collaborative approach from a group of qualified suppliers and PCI-accredited companies as the best way to tackle PCI compliance, Farmer says the most important consideration for merchants is to "actually do something."
"They have to get started on this," Farmer states. "There are far too many merchants still not paying attention to PCI standards."
Smaller merchants represent the group that has the most need of education and help in understanding PCI compliance and hacking dangers, says Julie Conroy McNelley, senior analyst and fraud expert with Boston-based Aite Group.
However, "I've also spoken with merchants with revenues in excess of $100 million whose security infrastructure was badly lacking, and they were blithely ignorant of the risks to which they were exposed," McNelley says.
Small businesses are focused on the day-to-day tasks of running a shop and making it "from payroll to payroll," McNelley says. "Data breaches and cybercrime are often perceived as something that is a risk for the guy down the street, and not part of their day-to-day reality."
Farmer warns that a certain degree of merchant "indifference" toward security exists because of the perceived cost of PCI compliance, or that the cheapest options are the best way "to make it go away."
To that end, regardless of which companies a merchant chooses for a collaborative team to help with PCI guidance, protection costs less than it did a few years ago, Farmer says.
Merchants should expect a monthly cost of about $100 to protect network connections, establish all critical safeguards, and get a PCI timetable and training in place, Farmer says.
The Mako report attempts to dispel various PCI myths such as believing that one vendor or one product can achieve full compliance, or that outsourcing card processing automatically makes the merchant compliant.
"The retailer must still protect cardholder data when it is received, and when processing chargebacks and refunds," the report states.
Above all, Farmer insists, merchants must get a proper, secure network in place before a breach jeopardizes their business.
"People will do something, when something is wrong," he says. "That's usually too late."