Security: It’s More than a Requirement. It’s a Responsibility.

Ninety-eight percent (98%) of all U.S. retailers are classified as Level 4 merchants. As defined by Visa, Level 4 merchants are those that process 20,000 Visa ecommerce transactions annually or, for brick and mortar, up to one (1) million Visa transactions annually. And, this group, primarily comprised of small to mid-sized businesses (SMBs), numbers in the millions.

As a leading provider of merchant services, our organization provides credit card processing to a large number of SMBs in this group. Typically focused on price and service, Level 4 merchants look to us for fair processing rates, innovative payment technologies, and education and support tools to help them manage their respective businesses. A key focus area in the latter is security, primarily PCI compliance.

PCI compliance is a standard set forth by the PCI Security Standards Council™, and the specific requirements vary according to the type of business and individual operating practice. The PCI Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of data security measures. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. At the highest-level PCI DSS encompasses the following core activities:

  • Build and maintain a secure network and systems
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Sadly, for the vast majority of Level 4 merchants, PCI compliance is viewed as simple a ‘check box’ and not an ongoing business management activity. Many simply complete the self-assessment questionnaire and then consider their business compliant. And, while many are aware of the PCI compliance requirements for their business, they take no action at all. Why, you may ask?

Earlier this fall, in partnership with ControlScan, we surveyed over 600 Level4 merchants specifically focused on the topic of Payment Security and the SMB. The survey, now in its fifth year, uncovered some interesting learnings.

SMB retailers are starting to realize the importance of security and compliance

  • Nearly 75% of survey respondents believe complying with PCI standards improves the security of their business
  • Merchants that recognize compliance as important grew substantially, from 50% in 2012 to 70% in 2013
  • But 26% still believe the PCI standard should not apply to their business

SMBs don’t have a designated individual in charge of information security

  • 43% of respondents are personally responsible for information security in their organization, while 35% say no one is assigned the responsibility

SMBs are not prepared, should a breach occur

  • 71% think they are at little to no risk for data compromise
  • Only 36% have developed an incident response plan (IRP) for their business

SMB retailers think PCI DSS should be prioritized, but...

  • 27% are “not at all” familiar with PCI DSS
  • 33% haven’t completed their PCI compliance validation because they don’t recognize it as a priority
  • 48% spent less than 8 hours on compliance last year and less than $500 on it

These are just a few of the staggering statistics. Even with marginal improvement in awareness and validation completion, the majority of Level 4 merchants are missing the real crux of the PCI standard – security. It’s about so much more than a fee and completing a self-assessment questionnaire, it’s about protecting sensitive customer data and running an efficient and well-protected business.

Merchants – regardless of their size or business – should not take security lightly. Even though we typically only here of the major breaches that occur, the reality is that 95 percent of breaches that occur are on SMB customers. In the end, it is about protecting customer data, and the SMB itself, as a single breach could very well put a SMB out of business if they’re not protected.