Small and medium-sized merchants often lack the technology to store card data safely, which is why 70% of them fail to meet data security requirements, a new report says.
SecurityMetrics, an Orem, Utah-based payments security consultant, says merchants lack the proper technology because their merchant processors are not providing it.
Two-thirds of merchants don’t comply with Payment Card Industry data security standards because “they store unencrypted credit card data and lack sufficient technology to eliminate sensitive information,” the company says in its Payment Card Threat Report.
The issue even affects merchants that have upgraded from outdated point-of-sale systems, says Chris Taylor, SecurityMetrics’ manager of channel marketing.
“The most cutting-edge payment processing solution can create significant security vulnerabilities when incorrectly configured,” Taylor says. “The real problem is that most merchants — and acquirers for that matter — fail to implement security tools and protocols that would identify and remediate these vulnerabilities.”
SecurityMetrics, a qualified security assessor for the Payment Card Industry security standards, claims more than 80% of merchants would prefer to cover their business with a program that includes prevention technology and financial stability tools in the event of a breach. However, many merchant processors do not provide that protection, the company says.
The 2012 Payment Card Threat Report sampled more than 2,700 e-commerce and brick-and-mortar merchants of varying sizes, Taylor says. The number of merchants storing unencrypted data, at 70.92%, has not varied much since 2011, declining by less than a half-percent for 2012, Taylor says.
“PCI is a major safeguard against data compromise, but it isn’t the only one,” Taylor says. “PAN [personal account number] data detection tools are a great example of a valuable security solution.”
When acquirers and merchants pair those tools with PCI, the industry will see its biggest reduction in risk, he predicts.
The shortcomings in data protection can be pinned to both merchants and processors, says Julie Conroy, senior analyst with Boston-based Aite Group.
“Some merchants want to use a new [fraud protection] product, but the processor doesn’t support it because the merchant is on an old platform,” Conroy says. “The technology is out there and available with all of these processors, but some merchants don’t want to spend the money to upgrade an old platform.”
Merchants view their systems as capable of basic payments, “so they don’t see a need to change it,” Conroy adds.
Many merchants cling to their payment terminals “because they don’t break and they last forever,” says security consultant and PCI expert Walter Conway of Milwaukee-based 403 Labs LLC.
“I think Jimmy Carter was president when these merchants got these things,” Conway says of the systems he has seen. “So I completely agree that merchant providers should be checking the PCI website to learn about compliant technology.”
Outdated PIN pads are as big a problem as outdated point-of-sale terminals or old software, Conway says. “You have to have compliant PIN entry devices.”
However, merchants should make sure equipment they buy meets EMV standards and can accept Near Field Communication contactless payments, Conway says.
“Some merchant acquirers or ISOs may be trying to sell some older stuff to clear it off their shelves, but you don’t want to buy something you’ll have to replace in a couple of years,” Conway says, referring to the October 2015 card networks’ deadline for merchant EMV compliance.
Merchants should regard payments system as they do any other technology, Taylor says.
“Do you still have the same computer you did 15 years ago?” Taylor asks. “How old is your cell phone?”