More small merchants are starting to comply with the Payment Card Industry (PCI) security standards, which describe how to protect cardholder data, but many still have no incident response plan for a data breach.
The percentage of merchants validating compliance rose to 70% in 2013, up from 50% the previous year, according to the annual ControlScan and Merchant Warehouse small business security survey.
The companies surveyed 615 small, or Level 4, merchants (the PCI tier with the lowest transaction volumes) for the study, which is meant to help independent sales organizations, acquirers and merchant service providers address security issues for their clients.
Illustrating that security education remains a key issue for small merchants, 71% of those surveyed said they were at little or no risk of a data breach, while 64% said they had no formal incident response plan in place.
Yet, 40% of the merchants say that complying with PCI data security standards makes them "much more secure," compared to 28% who disagree.
"It's always a little bit of a mixed bag," with good news and bad news in the survey, says Heather Foster, vice president of marketing for Atlanta-based ControlScan. "We take the areas of progress and try to leverage them into conversations, while attempting to make other areas much more clear," Foster adds.
The survey raised a couple of other red flags: nearly half of the merchants had spent less than eight hours in the previous year on compliance- and security-related activities, and 36% said they did nothing PCI-related other than "completing the paperwork."
The PCI Security Standards Council released a new version of its standards last week (PCI DSS 3.0), which emphasizes making compliance awareness part of a business's daily routine rather than a once-a-year exercise.
"Level 4 merchants are still challenged with awareness, but the survey goes deeper than that in trying to determine what security means for a small merchant," says Jenn Reichenbacher, senior director of marketing for Boston-based Merchant Warehouse.
For many merchants, security and PCI compliance represent "another line item on the merchant statement, another fee," Reichenbacher says.
It is the task of security vendors and merchant service providers to make small merchants aware of the risks and to incorporate security as an ongoing business strategy that becomes part of daily business activities, she adds.
Lack of time and expertise in dealing with security technology, and even the flood of new payments technology, remain major problems for small businesses, Reichenbacher says.
"We have to look at security separate from the evolution of the payments ecosystem and mobile card acceptance at the point of sale," Reichenbacher adds.
The survey results confirm that the lack of time and staff that small businesses often face when dealing with security issues remains a trouble spot. Of those surveyed, 43% said they were "personally responsible for data security," and two-thirds of those were the president or CEO of the business. Another 35% said that no one at the business is assigned responsibility for data security, a figure that rises to 45% among brick-and-mortar merchants.
Of those surveyed, 43% were brick-and-mortar retailers, 20% were e-commerce merchants, and 37% were mail-order or telephone-order companies. Twelve percent earned revenue of less than $100,000 annually, while 35% were at more than $1 million annually, with all other merchants falling between those two categories.
The lack of focus on security goes even deeper: 51% say they do not require their third-party service providers to achieve and maintain PCI compliance, even though PCI DSS itself requires merchants to keep written agreements with providers that handle cardholder data and to monitor those providers' compliance status. And while 36% of the merchants have created an incident response plan, fewer than half of those review and test it regularly, something the standard also requires at least annually.
The survey confirmed much of what ControlScan thought was occurring among small merchants, Foster says.
"There is a lot to think about when looking at the survey results, but the reality is that a lot of the smaller merchants are not aware of PCI and the new standards," Foster adds.
Reichenbacher says anytime the PCI council publishes new standards it creates an opportunity for service providers to help merchants "down the path to compliance."
Foster agrees. "We have to help them understand what PCI is looking for and why they need to do it," Foster says. "They need to know where they are most vulnerable."
The majority of the businesses surveyed, 82%, have been in business five or more years, long enough to have heard about PCI compliance.