PCI Challenges Continue As ISOs Struggle With Small Merchants

Between tending to tarantulas, looking after lizards and feeding the snakes every night, a mom-and-pop pet shop owner has enough predators to worry about. But there's one that threatens small businesses' very livelihood that often gets overlooked.


Countless cautionary tales have circulated about hackers breaching card-processing systems and stealing credit card information from retailers large and small. But among small merchants, security concerns have not necessarily translated to awareness about the Payment Card Industry data security standards, the primary security guidelines governing how to protect sensitive cardholder data. Even several years after the formation of the first PCI standard, smaller merchants have varying awareness levels about PCI and data security, recent research suggests.

Industry experts blame this unawareness of risk on a lack of education, inconsistent enforcement and an overall attitude of complacency. That puts ISOs in a position to play a hands-on leadership role in educating merchants about PCI, an effort that may prove challenging but could ultimately protect the ISOs from liability in the event of a breach.

ControlScan Inc., an Atlanta-based payments-security firm, and Merchant Warehouse Inc., a Boston-based ISO, in August surveyed 628 so-called Level 4 merchants that annually process fewer than 1 million payment card transactions. Among the respondents, 45% with 10 or fewer employees said they were familiar with the PCI Data Security Standard. By comparison, the rate jumped to 91% for merchants with 51 or more employees.

Although 84% of total respondents placed data security as a high or medium priority, the same percentage considered their risk of a data compromise to be low or nonexistent. Fifteen percent saw themselves at medium risk, and only 1% believed they face a high risk for a breach.

In January, the results of another survey on security practices at small to midsize retailers supported the ControlScan/Merchant Warehouse research findings. In that survey, the National Retail Federation, a Washington, D.C.-based retail trade organization, and First Data Corp., an Atlanta-based processor, polled 651 merchants, most of which had annual sales of less than $100,000.

Among the respondents to that survey, 86% said they care about keeping cardholder information secure and believe payment card data security is important to their business. But almost 64% believed their business is not vulnerable to card data theft.

Expense might be the biggest barrier to closing that gap. "It's been very difficult to educate merchants on PCI compliance for one reason and one reason only: There are millions of them out there, and it's very costly for ISOs and (payment) gateways to contact them," says Charles Denyer, managing director of Atlanta-based NDB Accountants & Consultants, which specializes in PCI-compliance issues.

On the flip side, if merchants are not compliant, their ISOs can face fines. "So you're damned if you do and you're damned if you don't," Denyer says.


Education Gaps

Of the 212 small merchants in the ControlScan/Merchant Warehouse survey who admitted noncompliance, 79 said they had not completed the PCI process because they do not understand it. That creates an opportunity for ISOs and banks to lead the education effort, and merchants are not going to get on board without a little handholding along the way, observers say.

To validate compliance, small merchants must complete a self-assessment questionnaire that takes inventory of their payments setup. Depending on how they accept cards, they may also need a quarterly external vulnerability scan from an approved scanning vendor. They then must fix any gaps the questionnaire or scan turns up, which could require the purchase of new payment terminals, and submit their attestation of compliance, along with any scan results, to their acquiring bank on a recurring basis; the acquirer, in turn, answers to the card brands the merchant accepts.

Often merchants need someone familiar with the payments industry to coach them through compliance, either by phone or in person. And ISOs should be there to handle that task, Denyer says.

"Yes, the onus should be on the merchant, but the ISO or processor has a fiduciary responsibility to provide some education," he says.

Some ISOs believe part of why merchants do not understand their PCI obligations is because the compliance standards are inconsistent, and the language used in the compliance paperwork and in other PCI materials is not written in business-friendly terms.

"The questionnaire is a joke. I don't think it's user friendly, and nobody understands the questions they ask the merchants. I don't think the [self-assessment questionnaire] is written in plain English," says Darrell Story, president of MyCreditCardAgent.com, a merchant services firm based in Harker Heights, Texas.

ISOs have directed their criticisms at the PCI Security Standards Council, the body consisting of payments-industry representatives that sets the compliance standards, for giving merchants unclear guidance on how to comply.

Five global payment brands, American Express Co., Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., founded the council in 2006 and turned over to it the data-security standard they had jointly developed.

However, it is up to the payment brands, not the council, to enforce compliance and issue penalties.

The council is aware of the problem and is working to address it. "The majority of that feedback was basically on clarity," says Bob Russo, council general manager.

The council made its most recent standards update, version 2.0, in October and has revamped its website with updated training guides, glossaries and other streamlined features designed to be more user friendly. A new section of the site is geared toward small merchants, spelling out the steps they need to take to achieve compliance.


'Lax' Enforcement

Some ISOs and others in the field would like the card brands to be more consistent with their enforcement of PCI standards. They say spotty regulation has lowered compliance rates among small merchants.

"They're not enforcing (the standards), and it just gives a bad name for the entire industry," Story says.

In the ControlScan/Merchant Warehouse survey, 50% of the respondents believed compliance is mandatory for their businesses. The other half said compliance is "optional" or "neither mandatory nor optional," or was "unsure" of its status in relation to their businesses.

Despite the prospect of paying breach-recovery costs and the penalties the card brands can impose, many small merchants remain unconvinced that noncompliance carries real consequences, observers say.

"The enforcement is a joke. It's so lax for these small merchants," Denyer says. "What are they going to do? Call out the PCI-compliance police?"

ISOs admit that some of their peers are making the enforcement situation worse by setting a bad example for merchants.

"You have some ISOs that tell merchants that this PCI stuff is a big hoax, and they're just ripping you off by charging an extra fee each month. And you have others that play by the rules," Story says.

And the confusing aspect of the PCI rules is still no reason for ISOs to break them, Story says.

"They should play by the rules the PCI Council has set up, even though they keep changing them," he says. "They should talk about how important they are to follow instead of saying it's a bunch of bull."

Critics of the enforcement efforts believe stricter regulations would improve compliance rates and that inconsistencies cause small merchants to expect few immediate consequences from noncompliance.

Some industry experts suggest mandatory training for merchants when they obtain a merchant ID account.

"If you did that, without question you'd have 100% compliance. It's like a driver's license. If you don't pass the vision test, you don't get a license," Denyer says.

Although PCI compliance is not a federal law, enforcement is gaining traction at the state level. Minnesota and Nevada have written PCI requirements into state law, Massachusetts imposes its own data-protection regulation on businesses that hold residents' personal information, and California and Texas are considering similar legislation.


Merchant Awareness Growing

Mirroring the results of the ControlScan/Merchant Warehouse survey, ISOs interviewed for this story reported mixed awareness about PCI among the merchants they solicit.

More small merchants seemed to gain awareness about payment security in the second half of 2010, Cohen says. "Some are already compliant, and that's been a shock," he says.

Story, however, has found the opposite to be true.

"Most brand new merchants are pretty clueless about the whole Visa/MasterCard industry in general, so security is the last thing from their minds," he says, referring to the fact that those merchants are still new to accepting credit cards.

At minimum, merchants are becoming more cognizant of the risks that come with haphazard payment processing, Russo says.

"There's an education issue. There's no question about that," Russo says. "But based on what we're seeing and based on things like breach-notification laws, I don't think you'll find a small merchant anywhere who isn't aware of the fact that there's a security crisis going on."

PCI awareness may be spreading to the general public, too. Books, websites and other resources on compliance that were not available just two years ago are easier to find today.

The burden for PCI-compliance education should rest with all the involved parties, including merchants, ISOs and the acquiring banks, Russo says.

"Everybody along this chain has this shared responsibility," Russo says.

That responsibility includes not losing sight of the real meaning behind the security standards, he says.

"The biggest thing merchants are forgetting is this is not about compliance; it's about security," Russo says.

That is the danger in letting PCI compliance get lost in the daily rigors of running a mom-and-pop shop, he says. It can be easy for a small-business owner to view PCI requirements as just another set of tasks to add to a seemingly endless to-do list. But besides the cost headaches, a data breach can result in disastrous public relations for a small business, especially if customers suspect mom and pop were not protecting their credit card information.

"If they do find out, there's a possibility they may not shop with you again," Russo says. "And there goes your business."

MORE FROM AMERICAN BANKER