The last couple of months have felt like a rollercoaster ride for those of us in the security and compliance space, as we watch multiple retailers come forward about data breaches and the forensic evidence being uncovered. In the midst of this, ControlScan has conducted two important payments industry surveys that lend credence to the belief that now, more than ever, security is everyone’s problem.
Ninety-five percent of the merchant service providers ControlScan recently surveyed* have a PCI compliance program in place for their merchants. These programs are primarily aimed at Level 3 and Level 4 merchants because the Payment Card Industry (PCI) doesn’t currently require them to have an external party validate their compliance with the PCI Data Security Standard (DSS). As self-assessing entities, these typically small to mid-sized businesses (SMBs) are under pressure to effectively understand and implement the 12 PCI DSS requirements with little external support.
So what has ControlScan learned about these SMBs in relation to PCI compliance? And why is now the perfect time for acquirers to re-tool their PCI programs for these merchants?
Overall, PCI compliance rates are on the rise. However…
Most ISOs and acquirers have had a PCI compliance program in place for two years or more, and these programs appear to be impacting SMB merchants’ PCI compliance awareness. In 2010, only 47% of respondents to ControlScan’s annual Level 4 merchant survey said they had at least some familiarity with the PCI DSS, but by 2013, that percentage had climbed to 69%.
While PCI DSS awareness is on the rise, so is the number of merchant breaches. In 2012, 30% of acquirers reported having at least one merchant breached and in 2013, 37% had one or more merchants breached.*
Are merchants not taking the PCI DSS seriously? Are they confused about how to comply with its requirements? Are they unable to focus their attention on gaping security holes? It’s likely all of the above.
…It’s a “life after Target” world.
Internet connectivity and advances in mobile technology mean that every business electronically transmitting payment data is in hackers’ crosshairs. From the micro-merchant to the SMB to the big box retailer, no one is immune, because fundamental business operations now take place online.
SMB merchants are not alone in their struggles with PCI compliance. In fact, the 2014 Verizon PCI Compliance Report states that only 11% of the mostly Level 1 and Level 2 organizations they assessed last year were initially found to be PCI compliant and that many organizations “fell out of compliance” between assessments.
Your PCI program makes a difference.
With SMB merchants’ awareness of the PCI DSS at an all-time high, now is the time to keep the momentum going with a well-orchestrated PCI program: one that reinforces compliance and also builds payment security education and technology/services options into every stage of the merchant communications process.
Whether your program is nascent or established, it’s important to regularly consider and update core components so that the merchants you serve receive value year after year. In addition, your organization must continuously refresh its internal knowledge of data security and compliance issues and trends.
Want to learn more about re-tooling your PCI program for maximum benefit to you and your merchants? Check out the free download of ControlScan’s research report, Building Momentum: The Third Annual Survey of the Acquirer’s Perspective on Level 4 Merchant PCI Compliance or give us a call at 1-800-825-3301 x 2. We’d be happy to help.