Subscribe to eSecurity Diva
 Subscribe via RSS Feed


 

« What Happens in Vegas Will Be Everyone’s Business…If You’re a Retailer | Main | Focus on Security…and PCI Compliance Will Follow »

August 10, 2009

Study: Merchants Need Better Guidance on Security

If your store was breached, could you prove you were PCI compliant?

In a new survey, 45 percent of small merchants who claimed to be PCI compliant said they did not have the documentation to support their Self Assessment Questionnaires. This key statistic indicates that many merchants are just “going through the motions” when it comes to becoming compliant with PCI guidelines.

Thankfully, the majority of these polled merchants were aware that PCI compliance was of value in securing customer data. In addition, 88 percent of them said they viewed data security as a “high” or “medium” priority.

The report, sponsored by my company, ControlScan, as well as the National Retail Federation and the PCI Knowledge Base, outlines some surprising facts about small merchants’ attitudes toward data security and provides recommended solutions to this crucial issue.

A key implication of the report: Acquirers, ISOs and other providers serving the retail industry need to exercise more leadership and better guide merchants along the path to PCI compliance.

Teacher-doris-day Why do these players need to do more? More than half of the 220 polled merchants said they depend on their merchant banks and point-of-sale or payment-application vendors for this knowledge. Also, while awareness of the PCI standard is high among small merchants, the level of understanding about PCI and how to comply is not. Of the merchants who said they were not PCI compliant, the reasons cited included “don’t understand it”, “don’t have the resources” and compliance is “too hard.”

Most merchants want to be more secure and PCI compliant, but they are confused about how to go about doing it.

But don’t just take my word.

“We want to comply,” one survey taker said, “but we’re not IT gurus. Please educate us and make it clear what we need to do.”

So…here are a couple of things ISOs and acquirers can do—now—to help merchants protect credit card data:

  • Loose the jargon! Explain to merchants in an easy-to-understand manner how to be more secure. Get tactical, provide the specific guidance small merchants need.
  • Educate them on the very real risks of non compliance. Things like, 85 percent of all breaches occur at small businesses. And that fines can reach up to $25,000 monthly until compliance is achieved.

You can read the full report, “What Small Merchants Know (and Don’t Know) about PCI Compliance”, here.

I’ve said this before. No measures will completely eliminate the threat of hackers. As long as there is money to be had, hackers will always be there. Waiting. Scheming. Evolving.

Further, we all know PCI compliance is not perfect. But I firmly believe that if we all work a little harder—as a team—data security can improve substantially.

'Till Next Time,

Joan

The eSecurityDiva

Posted at 07:00 AM in PCI Issues |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00e551f086aa88330120a4d40d2f970b

Listed below are links to weblogs that reference Study: Merchants Need Better Guidance on Security:

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment