Compliance with Payment Card Industry data security standards is a top concern among smaller merchants, but many remain unaware of the scope of their potential liability regarding data breaches and are unclear about specific requirements.
The National Retail Federation and First Data Corp. conducted an online survey of 651 smaller U.S. merchants from Oct. 26 to Nov. 19 to gauge their PCI awareness and basic compliance, the companies said Jan. 12. Each merchant had annual sales of less than $100,000.
Most respondents, 86%, said that they cared about keeping their customers' card information secure and that payment card data security is important to their business. But 64% said they believe their business is not vulnerable to credit or debit card data theft.
More than 60% said they were unaware of the potential cost of a data breach or of the fact that card networks are authorized to levy a fee on merchants for each card a credit card issuer must reissue if the network determines the merchant is the source of a breach. Two-thirds said they were aware of the PCI data security standards, but at the time of the survey only 49% had completed the annual data security self-assessment that compliance requires. Among respondents aware of the PCI data security standards, 42% said they did not know merchants are required to perform such self-assessments annually.
Forty-one percent of respondents had not yet heard of the updated recommendations to the PCI standards announced in May.
Top methods respondents use to protect cardholder data included restricting access to cardholder data and using antivirus software (76%), developing and maintaining secure systems and applications (64%) and maintaining a cardholder data information security policy (63%). Among respondents whose companies store cardholder data electronically, 68% "take steps" to protect that data and 53% use encryption technology.
Four percent of respondents said their companies have been victimized by some type of cardholder-related fraud.
The top fraud types respondents listed were physical theft and tampering with terminals (37%) and computer viruses or malware (22%). Employee misuse or theft accounted for another 17% of incidents, respondents said.
Respondents seemed to take cardholder-data security "very seriously," Mark Herrington, First Data's senior vice president of global product management and innovation, said in a press release. It is "intriguing" that many companies remain unaware of their potential liability in case of a data breach, he said. "We're confident that continued education in the payments industry will raise awareness of the importance of annual self-assessments and the right mix of data security and fraud prevention tools," Herrington said.
Cisco Systems Inc. conducted an online survey of 500 information technology professionals at companies with at least 100 employees from Nov. 23 to Dec. 1.
First Data is a unit of the private-equity firm Kohlberg Kravis Roberts & Co.