Small and mid-sized retailers lax on credit card security, survey finds

While 66% of respondents were aware of the PCI DSS (Payment Card Industry Data Security Standard), 42% did not know that merchants that accept credit card payments are obligated to complete the PCI Self-Assessment Questionnaire annually, the survey found.

A total of 651 small and mid-sized merchants completed the survey. The majority had less than $500,000 annually in credit card sales.

“Only about half of the merchants surveyed are PCI compliant. I think that was the biggest takeaway from the survey”, Tim Horton, vice president of merchant product management at First Data, told Infosecurity.

The survey also found confusion among retailers regarding the liability costs in the event of a credit card data breach. More than 60% of respondents did not realize that credit card companies are authorized to fine retailers a per-card fee for every card that has to be canceled if it is determined that the retailer was the source of the data breach.

“Most credit card processors are charging their merchants if they are not PCI compliant. That is a cost…There are also costs associated with data breaches”, Horton said.

According to a study by the Ponemon Institute, the average total cost of a data breach is $6.7 million, with a cost per customer record breached estimated at $204. For a small merchant, one breach could cost tens of thousands of dollars, which could put them out of business, Horton warned.

“Small businesses are overwhelmed by the burden associated with securing card data. Most small business owners are not aware of the responsibilities they have in taking card data, and probably wouldn’t even know where to start when it comes to protecting themselves and their customers from data breaches”, said Rob McMillon, director of solutions development at RSA’s merchant services division.

First Data and RSA have teamed to develop a product called TransArmor, which replaces card data with a token number that preserves the value of the card data for the merchant but removes its value for criminals. This process is called tokenization, and the PCI Security Standards Council is currently developing guidance for it.
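The sentence above is all the article says about how tokenization works, so here is a small working model of it. This Python is an added illustration written for this page; it is not TransArmor's implementation and not First Data or RSA code. The vault design, the Luhn check, the rule that a token keeps the card's last four digits but can never itself pass Luhn, and the Visa test number used as sample input are all assumptions made for the example.

```python
import secrets
import string


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used here only to reject obvious typos before tokenizing."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The only place card numbers exist. Assumed to be run by the payment
    provider, not the merchant, so merchant systems never hold a chargeable PAN."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not luhn_valid(pan):
            raise ValueError("not a plausible card number")
        # Same card -> same token, so the merchant can still recognise a
        # returning customer or look up a chargeback without the PAN.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits, deliberately not a hash of the PAN: with roughly
            # 10^9 account numbers behind a known issuer prefix, a hash could be
            # reversed by brute force. Last four digits are kept for receipts.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and anything that would pass Luhn, so a token
            # can never be mistaken for (or submitted as) a real card number.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor calls this, at authorisation time."""
        return self._token_to_pan[token]


def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant's own database ends up holding: token and truncated PAN only."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


def holds_card_data(record: dict, pan: str) -> bool:
    """Scope check: does any stored field contain the full card number?"""
    pan = pan.replace(" ", "").replace("-", "")
    return any(pan in str(v) for v in record.values())


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111 1111 1111 1111"      # constructed sample: the standard Visa test number
    sale = record_sale(vault, test_pan, 1999)
    print("merchant record:", sale)
    print("stores card data:", holds_card_data(sale, test_pan))
    print("processor recovers:", vault.detokenize(sale["token"]))
```

The merchant record contains a token plus a truncated PAN and nothing that can be turned back into a card number without the vault. Two caveats matter in practice: the scope reduction only holds if the full PAN never touches the merchant's own systems on its way to the vault, and the vault itself becomes the concentration point McMillon describes, so it has to be operated and defended by the provider rather than the merchant.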

McMillon told Infosecurity that he was concerned that only half of merchants surveyed were PCI compliant. “You have merchants taking credit card data as a form of payment and not recognizing the potential risk of holding on to that card data even for a short time…. Increasingly, bad guys are attacking merchants because they are a consolidation point for lots of card numbers.”

More than 4% of respondents reported having been a victim of at least one type of credit card fraud, according to the survey. The latest federal data estimates there are approximately 24.6 million small businesses currently operating in the US, so 4% is close to one million small businesses.

Physical theft of or tampering with payment terminals, and computer viruses and other malware, were the top two fraud and security incidents experienced by respondents, at 37% and 22% respectively. Employee misuse or theft of card data accounted for another 17% of incidents, the survey found.
