Thursday, May 5, 2011

Merchant Awareness of PCI: Success or Failure?

It's been nearly a decade now, so are small merchants aware of PCI? Yes, it's already been 10 years. Visa brought the Cardholder Information Security Program (CISP) to fruition in 2001, and in 2004 it evolved into the Payment Card Industry (PCI) Data Security Standard (DSS).

After several years of comprehensive efforts in the payment processing industry to inform and educate merchants, and despite the fact that payment card industry compliance is required, results and opinions are mixed. A recent study by the National Retail Federation provides information that makes a case for both the success and the failure of the program:

Success

• 66% of small merchants are aware of the PCI DSS.

• The majority of merchants who are aware of PCI take it seriously. 74% of them have had a PCI compliance assessment.

• 94% of merchants care about keeping card information secure.

• 50% of merchants are aware of some consequences of a breach, such as getting sued by cardholders and losing the ability to accept Visa and MasterCard.

Failure

• 34% still have a lack of awareness of PCI despite the immense industry efforts.

• 51% of all merchants still have not had a PCI compliance assessment.

• 64% are unaware of the dangers and don't believe their business is vulnerable to card data theft.

• 60% of merchants don't have a strong understanding of the costs, including fines by Visa/MasterCard, liability for use of stolen cards, and per-card fees for every canceled card.

So, has this all been a success or a failure? While my answer might be an open invitation to accusations of being a politician or fence-sitter, my answer is "Yes." As an industry, we've made great progress, and had a significant impact on the industry in a positive way, but we have a long way to go to get payment card industry compliance where it needs to be.

Let's not stop there. Here are a few explanations for why awareness and compliance are potentially lower than one might expect.

1. Quantities of new businesses

Many small business owners have a lengthy list of responsibilities and to-dos, so it's not a huge surprise that these businesses are not familiar with PCI out of the gate. Compounding this is the fact that many new businesses open every year. According to Census data, 700,000 new businesses are "born" each year. This is reflected in the NRF study, where 27% of merchants were less than three years old.

2. "Bad things only happen to other people" mentality

It can be human nature to assume the best and that "it won't happen to me." When dealing with the risk of a security breach involving cardholder data, many merchants appear to take that approach, rather than planning with Murphy's Law in mind.

3. Focus on fees rather than compliance

There is no reason to hide the fact that most processors and acquirers have fees for PCI programs. The fees have created controversy because they can seem high and are often not tied to compliance. As a result, perhaps PCI fees have become the main focus for many ISOs and merchants instead of PCI compliance itself.

ISOs, are you fed up with high fees associated with your current payment partner's Payment Card Industry (PCI) compliance assessment program? Are they causing attrition in your portfolio? Do their fees make it difficult for you to sign new merchants? Clearent has a unique approach to PCI compliance:

• No PCI Fees - That's right, there are no PCI fees for merchants who complete our questionnaire.

• Keep it Simple - Merchants save time thanks to our simplified PCI questionnaires.

• Know Your Status - Monitor your portfolio's status at-a-glance with our online reports.

Contact Clearent for more information on payment processing solutions for ISOs and FIs.

2 comments:

  1. If you are a business owner and have a merchant account, we would love to have you refer your friends, family and colleagues to us. We have a great referral program in place that rewards you for every referral you make. Click here to know more about our Merchant Account Referral Program.
