Merchants Rely On ISOs For Data-Security Information

This article appears in the August 13, 2009, edition of ISO&Agent Weekly.

Small merchants primarily look to their banks, acquirers and merchant-service providers for information on compliance with industry data-security regulations, according to a small-merchant study released Monday by ControlScan Inc., the National Retail Federation and PCI Knowledge Base LLC.

Being a merchant's source of security information is a "huge opportunity" for ISOs and acquirers that can use security education as a way to distinguish themselves from competitors and offer additional value to clients, says Heather Foster, vice president of marketing at ControlScan Inc., an Atlanta-based data-security support company.

Many study respondents, 35%, consult with their merchant banks to learn about data security and compliance with the Payment Card Industry Data Security Standard, according to the report "What Small Merchants Know (and Don't Know) about PCI Compliance." Respondents also consult with their equipment or payment-service providers (30%), their hosting providers (29%), industry publications (25%), in-house security experts (25%) and industry consultants (24%). Respondents could choose multiple answers.

In speaking with merchants about compliance with the PCI Data Security Standard, "it's important for ISOs to not suggest that" merchants will be completely secure if they complete a self-assessment form or use updated security measures, says David Taylor, founder of PCI Knowledge Base, a Highland Village, Texas-based data-security research company. ISOs "need to tell merchant members to be compliant but should not suggest they will be secure," he says.

The National Retail Federation, a Washington, D.C.-based retail-advocacy group, ControlScan and PCI Knowledge Base conducted the online merchant survey in July. Roughly one-half of the 220 merchant respondents process fewer than 100,000 card transactions annually.

Education Necessary

While many small merchants are familiar with the Payment Card Industry Data Security Standard, many also experience frustration complying with its requirements and have little concern about the risk to their data, according to the study.

Most merchants, 86%, are "very" to "somewhat" familiar with the PCI Data Security Standard. However, only 62% of respondents are validated as PCI-compliant, according to the report.

Of the 29% who are not yet compliant, 44% are working to become compliant, 26% do not have the financial or technical resources to become compliant, and 19% do not understand the standard, according to the report. Nine percent of respondents are unsure whether they have been validated as PCI-compliant.

Compliance with the standard is "moderate" among small merchants, a Visa Inc. representative confirmed to ISO&Agent Weekly in late July. Visa categorizes merchants that process fewer than 1 million Visa transactions annually as "Level 4."

Most merchants may have heard about PCI compliance, but "they probably will do the bare minimum—nothing—until someone tells them to do more," says Taylor.

Additionally, most merchant respondents, 65%, believe their businesses will most likely never suffer a data breach. Twenty-six percent feel a reasonable chance of a breach exists, and 7% believe a breach is not possible. Only 2% believe a breach is imminent.

Many merchants "do not find themselves vulnerable [to data breaches], which is shocking," says Foster.

Some of merchants' lack of data-security concern comes from misunderstanding how fraudsters operate, says Taylor.

Many merchants do not understand that some fraudsters use automated attack methods, such as botnets, to find and access card data, he says. A botnet is a network of compromised computers under an attacker's remote control; attackers use botnets to scan for and break into vulnerable systems automatically, without singling out any particular business. "The best thing to do is explain to small businesses that just because they are small does not mean anything. It's an automated attack," Taylor says.

Larger organizations do a better job of securing their card data, notes Taylor, using an urban apartment complex as an example. If some tenants keep their units clean and spray for pests, the pests likely will migrate to units in which it is easy for them to survive. Similarly, if large organizations maintain good data-security practices, the hackers will "search for servers with known vulnerabilities, and they will wind up hacking into small-business servers. They are the least protected," he says.

The Payment Card Industry Security Standards Council is working to meet the education needs of small merchants, says Troy Leach, technical director of the Wakefield, Mass.-based organization that oversees the PCI standard.

The council is consulting with acquirers, ISOs and small merchants "to create resources that help these entities secure their own cardholder data environment," says Leach.

ISOs that provide PCI educational materials and other PCI services may consider charging for them, something ISOs should evaluate closely, notes Taylor.

Choose Fees Wisely

Many merchant-service providers are contemplating how to earn revenue from merchant data security, and some are considering issuing fines to merchants for noncompliance, says David Taylor, noting that providers "could do better than trying to turn PCI into profit."

ISOs focusing solely on PCI revenue opportunities are jeopardizing their merchant-retention rates and the security of their portfolios, Taylor says. "ISOs can make money in the near term in issuing fines, but it is a better plan" to focus on fees for providing education services, he says.

Merchants may become angry about a PCI-related fee or fine if they feel they are not gaining anything for the funds they are paying, agrees Foster.

James Taylor, vice president of alliances at Trustwave, a Chicago-based data-security company, believes ISOs and acquirers should avoid fees pertaining to PCI compliance that do not benefit merchants. Any fee related to data security "must provide value" to merchants, he said last month at the Midwest Acquirers Association conference in Lombard, Ill.
