Data-Breach Liability Eludes Small Merchants: Survey

Compliance with Payment Card Industry data-security standards is a top concern among smaller merchants, but many remain unaware of the scope of their potential liability regarding data breaches and are unclear on specific requirements, new survey data released Jan. 12 suggest.

The National Retail Federation and First Data Corp. conducted the online survey of 651 smaller U.S. merchants between Oct. 26 and Nov. 19 to determine their PCI awareness and basic compliance. Each merchant had annual sales of less than $100,000.

Most respondents, 86%, said they cared about keeping their customers’ card information secure, and they felt payment card data security is important to their business. But 64% believe their business is not vulnerable to credit or debit card data theft.

More than 60% of respondents said they were unaware of the potential cost of a data breach or the fact that card networks are authorized to levy a fee on merchants for each card a credit card issuer must reissue if the network determines the merchant is the source of a breach.

Little Self Assessment

Two-thirds of respondents said they were aware of the PCI data-security standards, but at the time of the survey only 49% had completed the annual data-security self-assessment that compliance requires. Among respondents aware of the PCI data-security standards, 42% said they did not know merchants are required to perform such self-assessments annually.

Some 41% of respondents had not yet heard of the updated recommendations to the PCI standards announced in May.

Top methods respondents use to protect cardholder data included restricting access to cardholder data and using antivirus software (76%), developing and maintaining secure systems and applications (64%), and maintaining a cardholder data information-security policy (63%).

Among respondents whose companies store cardholder data electronically, 68% “take steps” to protect that data, and 53% use encryption technology.

Some 4% of respondents said their companies have been victimized by some type of cardholder-related fraud. The top fraud types respondents noted were physical theft and tampering with terminals (37%), and computer viruses or malware (22%). Employee misuse or theft accounted for another 17% of incidents, respondents said.

Respondents seem to take cardholder-data security “very seriously,” Mark Herrington, First Data senior vice president of global product management and innovation, said in a press release. It is “intriguing” that many companies remain unaware of their potential liability in case of a data breach, he noted.

“We’re confident that continued education in the payments industry will raise awareness of the importance of annual self-assessments and the right mix of data-security and fraud-prevention tools,” Herrington said.
