Relatively few small merchants comply with the Payment Card Industry data security standards, and many are unaware the standards even exist, according to security executives.

"I would be shocked if 75% of Level 4 merchants could tell you what the acronym PCI means," said Wenlock Free, the vice president of business development at SecurityMetrics Inc., a Salt Lake City provider of PCI security products and services.

Visa Inc. defines Level 4 merchants as those that process fewer than 1 million Visa transactions annually; the San Francisco payments company said PCI compliance among Level 4 merchants was "moderate" as of June 30.

Not all merchants are "aware of PCI compliance," agreed Jim Anderson, the chief executive of Electronic Commerce International Inc., a Las Vegas independent sales organization. "We have had to instruct some clients to Google it."

Part of the problem is small merchants' overall lack of data security awareness, said Doug Klotnia, the general manager of the compliance division at Trustwave, a Chicago security company.

"Most don't know what data they store or don't store," he said. "There's a lack of understanding of the payment process and a lack of understanding that small merchants are being breached."