Trustwave said that small merchants have been slow to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS). “The big constraints [on small merchants] are time and money”, said Greg Rosenberg, qualified security assessor at Trustwave.
One of the findings that surprised Rosenberg in the study, Payment Card Trends and Risks for Small Merchants, was the relatively short amount of time it takes for merchants to achieve their initial PCI DSS compliance. “About 82% of all of the merchants we dealt with…were able to complete PCI DSS compliance in under 12 hours”, he told Infosecurity.
Another finding that stood out for Rosenberg was that areas where small merchants are often deficient in terms of PCI DSS compliance are not expensive to fix. “These were things like having proper policies and procedures in place and security awareness training; these are low cost items that can be relatively easy to institute”, he said.
Smaller merchants tend to rely on their acquirer or independent sales organization (ISO) to initiate PCI DSS compliance validation. Without directive or enforcement of such initiatives, many will forgo basic steps to protect their networks and their customers’ cardholder data because they feel they do not have the time or the proper resources, or they’re just not aware of the requirement, the survey found.
These institutions, often referred to as the program sponsors, help enforce compliance, mitigate risk and in turn, provide a security benefit for the merchant, as well as the greater population by helping to combat data security threats.
The report, which was a supplement to Trustwave’s 2011 Global Security Report, also found that two groups – food and beverage and retail – made up 75% of all credit card breaches. Of those breaches, 85% affected small merchants.
“Food service tends to lead the pack [in data breaches]. The first challenge for them is that they are using broadband connectivity. They are not using the traditional stand-alone terminals….With the additional network complexity obviously comes the opportunity for someone half way across the world to reach into their network and exploit vulnerabilities that haven’t been addressed”, Rosenberg observed.
The food and beverage industry accounts for a large portion of merchant portfolios as well. So there is a direct correlation that leads these businesses to be more highly weighted in the survey”, he said. “There tends to be high turnover, and they are a fast-paced industry”, he added.
Other key findings in the report showed that merchants that fail to validate compliance with the PCI DSS fail at six of the 12 requirements more than 90% of the time. These statistics provide further evidence that ISOs and acquirers should implement compliance programs to help secure their merchant population, the survey said.