A payment processor is offering very small merchants a portable credit card acceptance device that includes encryption capabilities, a feature that is rarely used today even at the biggest retailers.

ProPay Inc. of Lehi, Utah, serves the smallest merchants, such as artists who peddle their wares at craft fairs. These merchants are typically classified as "level 4" by the major card companies, the lowest classification based on payment volume, and are held to different auditing requirements than larger merchants.

The small merchants tend to be far less concerned than large retailers about card security, focusing instead on their more immediate business concerns. This makes them a tough sell for the latest in security technology, but ProPay said that bundling encryption with convenience will win them over — especially since their alternative is often writing customers' card numbers on a piece of paper.

"There are those that are paying attention" to the industry's push for card security "and that are moving forward to solve it, and there are those that are in denial and maybe in ignorance," said Bryce Thacker, ProPay's executive vice president of sales and marketing.

The latter group is "so focused on survival" that it has turned a blind eye to data security concerns, Thacker said. ProPay's approach to this segment has been to bundle security into a payment device that he said also increases sales volume by 5% among those who use it.

Data that the National Retail Federation published last week supports Thacker's characterization of his clients' attitudes. The trade association said that in a survey of 220 small merchants, most knew about the Payment Card Industry data security standard, the set of rules that describes how to keep card data secure, but 72% said their risk of exposing data was low or nonexistent.

The association said this view stems in part from the fact that such retailers have little control over their payment systems, and typically rely on their vendors to handle security. Even Visa Inc. has said it takes a different approach to promoting security issues to its level-4 merchants, because they have less control over their technology.

Several processors have been promoting the idea of end-to-end encryption this year, notably Heartland Payment Systems Inc., which has said that a major breach of its network could have been mitigated if account data had been encrypted at the point of sale.

ProPay began offering its portable MicroSecure card reader last year, but Thacker said the company has seen increased interest recently thanks to the ongoing debate over whether and how to implement end-to-end encryption.

The MicroSecure card reader, which is manufactured by MagTek Inc., encrypts transaction data as cards are swiped and can store details on up to 71 purchases. Users must hook the device to computers to download and process the payments.

Previously, ProPay's clients that sold their products on the road would take "credit card information and write it down on the order form … and we never knew what was going on with that data," Thacker said. In at least one case, the merchant lost the data before leaving the site of a sales meeting.

"One of the problems that we've had is after a given session where orders have been taken and information has been written down, an independent sales rep will put them on top of his or her car, be putting things in and the wind comes and blows them hither and yon," Thacker said.

A bigger concern with merchants is losing sales, such as when they cannot read the handwriting of the person who filled out an order form, or because filling out forms seems unprofessional to potential customers, Thacker said.

"What we're finding is people are much more comfortable seeing" their card data "go into the card reader than having it written down," he said.

ProPay has also offered encryption for orders taken online or by phone for six months, and has used encryption internally for the past year. In other channels, adding encryption changes nothing about the appearance of the purchasing process, Thacker said.

Avivah Litan, a vice president and distinguished analyst at Gartner Inc., a market research firm in Stamford, Conn., market research company said small merchants tend to have more security problems than they realize.

"The volume of attacks against small merchants is higher than attacks against large merchants because they're pretty easy prey," she said.

ProPay's approach to this problem "is a really good solution," she said. "I was pretty impressed with them, that they offer small businesses a secure solution, where the small business looks at it as convenience and professionalism but it's also very secure."

Litan agreed that this need is strongest where the merchant doesn't have a stable retail presence. "Right now if a small business is going to the fairground trying to collect money for their horse and buggy rides, they're not going to bother securing their credit card data," she said. "They'll just take it and write it down and the papers could fly off into never-never land."

Even large merchants that occasionally take payments outside of a traditional retail environment could benefit from such products, Litan said, though for them it is a harder sell because encryption methods vary by processor. Signing up for one method makes it harder to switch vendors down the road, she said, but this is less of a concern for smaller merchants that rarely re-evaluate their vendor relationships.

Indeed, for smaller merchants, ProPay's approach is probably their best option, Litan said.

"The only thing you can do with [small] merchants is sell them terminals," she said, and though several hardware manufacturers have been responding to his need, "there's nothing else really happening."