National Retail Federation Poll: Small Retailers Struggling To Understand PCI
Nearly 86 percent are familiar with PCI, but nearly half can't demonstrate their compliance with the payment card standard
Aug 11, 2009 | 03:46 PM By Kelly Jackson Higgins
DarkReading
First the good news: Most small retailers say they know about the Payment Card Industry's Data Security Standard (PCI DSS). But the bad news is they don't necessarily understand it, nor can many of them prove their compliance with it, a new study by the National Retail Federation (NRF) says.
The big surprise was the high number of small businesses that are aware of PCI -- 86 percent -- and those that say PCI compliance makes them more secure -- 80 percent, according to Heather Foster, vice president of marketing for ControlScan, a PCI compliance vendor that conducted the survey along with the NRF and the PCI Knowledge Base. "A year ago, most of the small businesses we were talking to had never heard of PCI," Foster says. "We were pleasantly surprised with the [level] of awareness out there now."
"One of the first simple steps merchants can take on the road tocard data security is to check that they are using a secure paymentapplication or PED terminal that has been validated by an approvedlaboratory and is listed on our Website," Leach says.
Editor's Note: Which simply means that any merchant who uses our PCI 2.x certified device is good to go. One of the benefits of utilizing the HomeATM PED Terminal is that it costs less than half of it's closest competitor AND is encryption enabled. It was designed to encrypt the Track2 data for Zones 1-4 and the PIN is encrypted for Zones 1-5 meaning that the cardholders data is NEVER in the clear. This "clears" you from the ramifications that may be imposed by PCI.
But there's a gap between small businesses' PCI awareness and their perception of risk, the study found: Among the small merchants who had never suffered a breach, 72 percent said they think their risk of data hack is "low" or "not possible." Small merchants that had experienced data breaches not surprisingly saw things much differently, with 67 percent saying they are at a high or medium risk of attack.
"My biggest concern is that while these merchants [who haven't been breached] are at least making progress thinking that PCI is a good thing to do, they're not thinking they're at risk. They think they're invulnerable," Foster says.
The study, which surveyed 220 small retailers in ecommerce, retail stores, and mail/order telephone order businesses, also found that many of these enterprises are perplexed about PCI when it comes to better understanding it, implementing it, and the cost complying with it.
"Either make things easier to understand or offer more help for businesses to get compliant," one respondent commented in the survey. Another asked for PCI to have a "better understanding of how much small businesses can afford. Most solutions available are for large businesses and are expensive."
Editor's Note: HomeATM already made it easy. Our "SafeTPIN " would remove your business from the scope of PCI. You would not only be compliant, but you would be compliant at a "fraction of the cost" of other solutions...for more information on how we can do that, email us.
David Hogan, chief information officer for the NRF, says small retailers are understandably overwhelmed with compliance. "Until industry service providers and the PCI Security Standards Council make compliance easier to understand and less complex to implement, many small merchants will likely continue to be frustrated and bewildered, causing some of them to abandon the idea of compliance altogether," Hogan said in a statement.
The PCI Security Standards Council, meanwhile, is working on better educating small retailers about PCI and its implementation, says Troy Leach, technical director of the PCI Security Standards Council. Aside from working with the PCI vendor, payment, and small business community, the PCI Council also offers a priority approach framework, self-assessment questionnaires, and other PCI other resources.
"One of the first simple steps merchants can take on the road to card data security is to check that they are using a secure payment application or PED terminal that has been validated by an approved laboratory and is listed on our Website," Leach says.
Continue Dark Reading
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tnq11nmQyC97NR8oBOi1r55Yrev8wbL1Ah5HOI-OAJNPqNk8CYxZIOmS8Fh5nj7h3LY5RiElaSUMGLDQdmdRuZmmmWFBDB8VxduF-0rZBS7Jgo6GKJw7MvvrCr2qpy937pGkMXW0mwoeoPTisjpcY=s0-d)
