ISOs Should Win Over Merchants To Comply With PCI, Experts Suggest

Small merchants remain woefully ignorant about card-transaction security, but independent sales organizations can do something about it, according to the industry insiders who completed a recent survey.


Some 53% of small Level 4 merchants have some awareness of the Payment Card Industry Data Security Standard (PCI DSS), up only marginally from 47% last year, according to the third annual compliance survey of small merchants by ControlScan Inc., a compliance-services provider, and Merchant Warehouse Inc., a large ISO.

The companies based their study report “A Perfect Storm of Complacency” on interviews with 621 Level 4 merchants conducted in August. The majority of respondents, 82%, were micromerchants with one to 10 employees.

The study report is scheduled for release Nov. 4.

The findings indicate that the risk of financial losses is not motivating smaller merchants to comply with the PCI standards, that a sizeable minority of respondents did not believe complying would make them more secure, and that the industry has made little progress in raising awareness of the standards.

Yet small retailers remain at great risk for security breaches, with more than 85% of incidents occurring at Level 4 merchants, Markiyan Malko, PCI security compliance officer and program manager for Boston-based Merchant Warehouse, tells PaymentsSource. Visa Inc. defines Level 4 online merchants as those with fewer than 20,000 Visa e-commerce transactions annually and Level 4 brick-and-mortar merchants as those with up to 1 million Visa transactions per year.

Awareness of PCI among merchants with 10 or fewer employees remains shockingly low, according to Heather Varian Foster, vice president of marketing for Alpharetta, Ga.-based ControlScan.

Nearly half (48%) of those smallest merchants remained either “unsure” of the standards or reported that they were “not at all” familiar with them, the study indicates. Just 18% of that group called themselves “very” familiar with the standards.

Most of the smallest merchants (57%) lacked documentation to support the Self-Assessment Questionnaires they are required to complete to establish PCI compliance, the survey says.

Among the smallest merchants, most lacked a proactive approach to PCI, with more than half saying they did not do anything or buy anything but instead “just completed the paperwork,” according to the study.

Much work remains to be done in delivering the PCI message to small merchants, and ISOs and agents can play a key role in disseminating the information.

Agents should begin talking to merchants when signing them up for card-acceptance services, advises Foster. The topic can seem unpleasant, but ISOs and agents must deal with it eventually, and an early start produces the best results, she says.

ISOs should train agents to convey the PCI message to merchants because agents are usually the first and most enduring point of contact within the acquiring industry, Foster says.

Some ISOs are largely ignoring the job of teaching merchants about card security, preferring instead to have retailers take out insurance policies against the losses they might incur if a breach takes place, says Malko. ISOs often mark up the cost of the insurance, which might amount to about $15 per month, and make the proposition a profit center, he says.

Taking out the insurance and failing to make an effort to avoid breaches makes little sense, Malko contends. “It’s like buying car insurance but not having a driver’s license,” he says.

Moreover, breach insurance often proves inadequate, with policies typically covering losses of $25,000 to $100,000, Malko notes. Breached records cost merchants an average of $225 each, so the theft of data from 1,000 accounts, a fairly modest number, would bring a loss of $225,000, he says.

To head off big losses, Merchant Warehouse targets its educational efforts on merchants most at risk, Malko says.

That type of segmentation makes sense, Foster says, but she recommends that ISOs taking that approach still offer help to lower-risk merchants.

ISOs can reach out to merchants to provide information through direct-mail and email campaigns and through call-center contacts.

Besides disseminating information, ISOs should make data-encryption products available to merchants to reduce risk, render breaches that do occur less harmful and reduce the burden of complying with PCI, Malko says.

Tokenization, a data-protection technique often grouped with encryption, in which the card number is replaced by a surrogate token so that the merchant never stores the real account number, can reduce the number of questions a merchant must answer to comply with PCI from 288 to about 80, Malko notes.
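To make concrete why tokenization shrinks a merchant's PCI footprint, here is an added example of a minimal token vault, written for this page and not code from ControlScan, Merchant Warehouse or any product they sell. The vault (assumed to sit with the processor or a token service provider, inside PCI scope) accepts a card number, validates it with the Luhn check, and hands back a random surrogate that preserves only the last four digits for receipts. Everything the merchant stores is on the token side of that boundary, so a breach of the merchant's systems yields nothing a thief can charge. The class name, the HMAC lookup key and the sample card numbers are all assumptions of the example.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check used by card brands; rejects obvious typos and non-PANs."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault held by the processor, inside PCI scope.

    The merchant side only ever sees the values returned by tokenize();
    the PAN itself stays in the vault.
    """

    def __init__(self, lookup_key: bytes):
        # HMAC key lets the vault recognise a repeat card without storing a
        # plaintext index of PANs; the key is a stand-in for a real KMS-held key.
        self._key = lookup_key
        self._pan_by_token: dict[str, str] = {}
        self._token_by_mac: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        mac = self._index(pan)
        if mac in self._token_by_mac:          # same card -> same token
            return self._token_by_mac[mac]
        while True:
            # Random digits for everything but the last four: the token cannot
            # be reversed into the PAN, and the last four still print on receipts.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions, and reject tokens that pass Luhn so a token can
            # never be mistaken for, or accidentally used as, a real card number.
            if token != pan and token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_mac[mac] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor calls this, at authorization time; merchants never do."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What a merchant's own database would hold after a tokenized sale."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    # Constructed sample PAN (a standard test number), not real cardholder data.
    rec = merchant_record(vault, "4111 1111 1111 1111", 1999)
    print("merchant stores:", rec)
    print("processor recovers:", vault.detokenize(rec["token"]))
```

The two dictionaries stand in for the vault's database; in a real deployment they would be encrypted at rest and the HMAC key would live in an HSM or KMS, which is the scope the merchant is paying the provider to carry instead of carrying it themselves.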
