Only 50% of small merchants have validated their PCI compliance, according to a recent survey of 600 Level 4 merchants. In total, 79% of these retailers think there is “little to no chance a data breach will happen to them,” as noted in the report titled “A Tale of Two Merchants: The Fourth Annual Survey of Level 4 Merchant PCI Compliance Trends,” conducted by ControlScan and Merchant Warehouse. Additionally, brick-and-mortar retailers are less stringent than their e-Commerce counterparts.
As defined by Visa, Level 4 merchants are those processing fewer than 20,000 Visa eCommerce transactions annually, or up to 1 million transactions in the brick-and-mortar store. In total, there are approximately 5 million Level 4 merchants in the U.S.
In reality, these smaller merchants should be more concerned. In June 2012, Visa reported that attacks against Level 4 and franchise merchants are on the rise in the U.S., and as many as 96% of breach victims in 2012 were not PCI compliant, according to Verizon.
Small Businesses Offer Contradictory Security Insights
While less than half (47%) of Level 4 merchants say they are familiar with PCI DSS, those stating familiarity with compliance measures are supportive:
- 77% say security ranks “high” or “medium” in terms of overall organizational priorities;
- 67% believe PCI compliance would make their business more secure; and
- 57% note that they believe PCI standards should apply to their businesses.
On the contrary…
- Of those survey respondents who have validated PCI compliance, only 39% say they have the documentation to support their Self-Assessment Questionnaire (SAQ);
- 43% say they neither took action nor made any purchases to achieve PCI compliance; they simply “completed the paperwork;” and
- Total overall compliance for survey respondents is 30%.
4 Recommendations For ISOs And Acquirers
ControlScan offered the following four recommendations for ISOs and merchant acquirers, to help forge a stronger partner relationship with retailers:
- Mine customer data to create risk-based action plans.
- Strengthen communications with the riskiest merchants.
- Equip merchant-facing representatives with the right tools.
- Offer technology and service solutions to facilitate a smooth transition to PCI compliance.