For many small business merchants, PCI compliance is a baffling and expensive exercise. As a result, many small businesses frequently put off dealing with the issue or push it aside entirely. But disregarding the issue is a terrible plan, because doing so can cost you dearly.
“Do not ignore PCI compliance,” warns Robert Mangiafico, the CTO at LexiConn Internet Services, a website hosting provider. “The penalties are too severe to not maintain compliance. Think of it as your insurance policy for when a hacker steals credit card information from your system.”
The PCI security standards are detailed on the official PCI Security Standards Council website. There is even a section set aside for small merchants. The PCI Security Standards Council also provides a Quick Reference Guide and a list of links to the various card companies for specifics regarding compliance for each card brand, e.g. American Express, Discover, Visa and MasterCard.
However, PCI compliance requirements differ according to merchant level and card issuer. It is important to also check with your card brand’s compliance program to make sure that you are meeting all the requirements
Most merchants fall into the Level 4 merchant status. As defined by Visa, Level 4 ecommerce merchants process fewer than 20,000 Visa transactions annually. Level 4 brick-and-mortar and other physical-realm (none ecommerce) merchants are defined as those that process fewer than one million Visa transactions a year.
You will find the educational website PCI Compliance Guide a helpful resource as well. That website is powered by ControlScan, a provider of PCI compliance and security tools for small merchants and acquirers that service small merchants. ControlScan also did a survey in 2011 to discover why so many small businesses fail to comply with PCI standards. The researchers found an odd duality among Level 4 merchants.
Where Angels Fear to Tread
According to ControlScan’s survey, A “Perfect Storm” of Complacency: The Third Annual Industry Survey of Level 4 Merchant PCI Compliance Trends, micro-merchants — defined as those with 10 or fewer employees — stubbornly continue to believe that PCI compliance will not protect their business.
The study also found continued ignorance of the Payment Card Industry Data Security Standard (PCI DSS). Of those micro-merchants surveyed, 48 percent reported they were either “unsure” of or “not at all familiar” with the Payment Card Industry Data Security Standard.
On the other hand, the study found that 77 percent of larger Level 4 merchants, meaning those that employ 51 or more employees, confirmed they are “very” or “somewhat” familiar with the PCI DSS, with 79 percent considering data security a high priority and 82 percent considering PCI compliance mandatory. Awareness of PCI compliance is also high among ecommerce merchants at 64 percent.
The mistake most small business merchants tend to make is they believe that they have less to lose if something goes afoul. That is untrue, of course, as most small merchants lack other protections — ranging from business incorporation to cyber- and breach-insurance — to lessen the blow. Therefore, the damages from non-compliance can, and often does, completely wipe out smaller merchants.
“As there are substantial costs associated with PCI compliance, small businesses typically lack the initial controls for compliance, and therefore their environments are much riskier than large organizations,” explains Shawn Gaspar, an accounting software consultant at Accellis Technology Group.
“Many small businesses will assume they are too small for PCI compliance to matter to them. They pose the most risk and need to understand they are typically the ones who come under fire the most,” Gaspar says.
That’s not to say, however, that larger businesses are not hit hard by the aftereffects of a breach, because they are. Non-compliance leads only to varying degrees of disaster, but all degrees amount to an actual disaster in the end.
PCI Compliance Checklist
“Most of these owners are not aware that there is help available, and it is often close by,” says Doug Klotnia, Trustwave executive vice president. “Small business owners should reach out to the company that processes their credit card transactions, often called acquirers or ISOs, and ask them how they can get secure, and thereby, become compliant with industry standards. These partners often have access to tools they can recommend that can help small businesses achieve and manage ongoing PCI compliance.”
Keep in mind that you can shop for tools outside of those recommended by your financial institution or processor. Sometimes their recommendations are solely directed to their business partners where there may be financial benefit to their promoting the product to you.
“Contrary to what most banks and merchant account providers say, you can choose any PCI scanning vendor that is approved by the PCI council,” says Lexiconn’s CTO Robert Mangiafico. “You do not have to use the one the bank recommends. You may have to submit additional paperwork, but it can be done.”
So, look around and get a good idea of what is available, which providers are reliable, and which are the most cost effective for your circumstances.