Wednesday, November 3, 2010
According to the just released Diversity Reigns: The Second Annual Industry Survey of Level 4 Merchant PCI Compliance Trends by ControlScan Inc. and Merchant Warehouse, merchant size is a dominant factor in how merchants perceive data security as it relates to the Payment Card Industry (PCI) Data Security Standard (DSS). The Level 4 classification includes merchants who process fewer than 20,000 e-commerce transactions or up to 1 million electronic transactions annually.
The survey found that among Level 4 micro-merchants with fewer than 10 employees who process up to 250,000 transactions annually, a majority said "completing the paperwork" was the extent of their compliance. Also, 41 percent of brick-and-mortar merchants placed a "high priority" on data security compared to 61 percent of e-commerce retailers.
Among the e-commerce merchants surveyed, 60 percent said they were familiar with the PCI DSS, compared to 37 percent of brick-and-mortar retailers. The U.S. Census Bureau estimates that of all U.S. companies with employees, over 60 percent have fewer than 10 employees. At the other end of the spectrum, Level 4 merchants with 51 or more employees, 91 percent said they were familiar with the PCI DSS; 83 percent viewed being in compliance with it as mandatory.
"What I think is most interesting about this, and what we tell ISOs and acquirers, is that these Level 4 merchants are all in this gigantic group, and everybody is just trying to get their PCI compliance programs going now," said Heather Varian Foster, Vice President of Marketing for ControlScan. "But what the study shows us is that we can't look at them all in the same way."
Foster recommended that ISOs and acquirers tailor their approach: some merchants will require more education and hands-on assistance, especially micro-merchant, mom-and-pop stores. "By segmenting their portfolios, ISOs and acquirers can make sure the people that need the most attention get it," she added.
When queried as to the degree of risk data compromises pose to their businesses, "84 percent of the Level 4 merchants said they don't think it's going to happen to them," said Markiyan Malko, PCI Security Compliance Officer and Program Manager at Merchant Warehouse. "About 85 percent of all breaches occur to Level 4 merchants, so they're the ones the hackers are going after or have employees that do something that is not legal.
"We have to educate them and let them know that they are a target. The merchants that have already done the work and are compliant, because Visa went after them first, are the harder targets now for hackers, so they're going for the easy ones. There are more ISOs and acquirers mandating PCI programs for their merchants, so they're starting to hear more about it. I think that will definitely help generate awareness."
New micro-merchants need immediate PCI education as well, noted Marianne Rocco, Marketing Director for Merchant Warehouse. "It makes sense for us to really make an outreach to these merchants to keep them as compliant and knowledgeable as possible," she said. "They need to view it not as a one-time event, but make it a lifestyle, so they're truly trying to make their businesses more secure."
Foster believes merchant-ISO relationships will be strengthened by those who offer the resources necessary to guide merchants through PCI compliance, whether it's a phone call when the merchant is completing the online questionnaire or follow-up calls to assure ongoing compliance requirements are being met. To access a copy of the study findings, visit www.controlscan.com/whitepapers/merchant_study_2010.php .
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.