The survey was conducted by compliance vendor ControlScan, the National Retail Federation and the PCI Knowledge Base. Released Monday, it tallied the responses of 220 small businesses, classified as those merchants processing 20,000 or fewer Visa e-commerce transactions each year. It found that though 83 percent of small businesses are familiar with PCI DSS, only 62 percent are compliant.
Some respondents said the standards should be refined so they are more easily understood by less technical retailers. Others said they would like to see the PCI Security Standards Council, which administers the guidelines, offer more help to small businesses.
Millions of organizations qualify as small merchants, Ben Rothke, senior security consultant with British Telecom Professional Services and a PCI-qualified security assessor, told SCMagazineUS.com on Tuesday.
“Everyone thinks it's the Amazons and the eBays and the Walmarts, but it's the chiropractors and delis of the world are that are targets also,” he said.
Troy Leach, technical director of the PCI Council, told SCMagazineUS.com in an email Tuesday that the group is working with small businesses to create resources to help them secure their own cardholder data environment.
“The survey findings regarding the high awareness of the PCI DSS among small retailers illustrates that there is a need for a tailored approach to meeting the education requirements of small merchants,” Leach said.
Additionally, in the survey, 65 percent of respondents said they were at a low risk of facing a data breach and seven percent said it was not possible. Rothke said small businesses might perceive themselves as being safe from a data-loss incident because they have never conducted a risk assessment.
“For a lot of attackers, they just want to get in and out quickly, and if a merchant can make them a little more difficult to get into, they are less likely to be a victim,” he said.
In the survey, 80 percent of respondents said they believe that PCI compliance makes them more secure. Rothke said that though it is impossible to create a standard that guarantees security, PCI does necessitate baseline controls.
“The PCI DSS has done a tremendous amount to increase security,” Greg Pesci, executive vice president of business development of the credit card processor ProPay told SCMagazineUS.com on Wednesday. “We see it as an important and essential foundation but it needs to be part of a larger security and risk posture of an organization.”