Fight to Get SMBs PCI Compliant a Losing Battle

Being in compliance with different regulations has a bottom-line impact on business, but smaller organizations lack the time and knowledge necessary to engage with PCI (Payment Card Industry) programs. 

That's according to the Acquirer PCI Sentiment Survey recently released by Sysnet Global Solutions. The feeling among acquiring organizations is not good, with less than 10% expressing that they were happy with their current compliance rate.

While most acquirers understand that the smaller merchants likely don't understand what they need to do, 64% of the respondents said that small merchants don't make security enough of a priority. In order to drive compliance, an overwhelming majority of respondents said that improved communication (76%) and education (72%) along with managed security and compliance service (72%) would be most helpful.

Less than half (48%) felt that technology services such as P2PE (Point-to-Point Encryption) would effectively drive compliance, and only 44% saw charging noncompliance fees as an initiative that would drive smaller merchants toward compliance.

The survey revealed a lack of consensus on whether to charge noncompliance fees and for how long they should be levied. While 21% felt it was appropriate to charge PCI noncompliance fees indefinitely, the same proportion said that it was never appropriate to charge a fee. The remaining 58% agreed that fees should not be charged beyond two years.

Perhaps the most interesting statement, with which 52% of respondents agreed, was that "Some acquirers view noncompliance fees as unethical, describing PCI noncompliance fee revenue as 'a drug the industry needs to wean itself off.'"

More than half of the participants agreed that noncompliance fees contribute to merchant attrition. One respondent commented that these charges are "taking advantage of customers by forcing them to pay extra fees and carry all the risks associated with noncompliance."

When asked if they felt it was likely that regulations might be introduced to control PCI charges, 60% of the participants answered that they somewhat agreed.

Interestingly, less than half of the survey respondents agreed that PCI DSS (the Payment Card Industry Data Security Standard) does enough to ensure a small business is actually protected against cyberattacks. "Some feel that PCI DSS does not drive good practices and behaviors for small merchants, while others believe that it only provides the tool to use to defend against cyberattacks," the survey noted.

Fifty-four percent of the senior executives at acquiring institutions said that they currently provide cybersecurity tools that help to reduce PCI scope.
