PCI Compliance Lacking Among Small Businesses
The Payment Card Industry Data Security Standard (PCI-DSS) is a compliance specification that is intended to help merchants and organizations operate a secure infrastructure that can be used for payments and transactions.

But according to a new study from enterprise security vendor Fortinet, conducted last month by Lightspeed Research, PCI compliance is far from ubiquitous among small businesses. The study found that 22 percent of small business retailers were not PCI-DSS compliant, and 14 percent were not sure whether or not they were compliant.

Chris McKie, Fortinet's director of Corporate Communications, told eSecurity Planet that he was shocked that so many respondents were unaware of their network security posture and PCI-DSS compliance status. That said, he noted that some survey respondents might be network administrators who are not responsible for their company compliance efforts.

There are multiple versions of the PCI-DSS standard, with the most recent one being the new PCI-DSS 3.0 specification that came into effect on Jan 1. Because Fortinet's survey was intended to be a high-level look at PCI compliance, it did not specifically ask about PCI-DSS 3.0 plans, McKie said.

As a matter of law, McKie said, PCI compliance is different from a state or federal legislative mandate: it is enforced by credit card issuers such as Visa and MasterCard, not by the PCI Council that created the standard.

"The organizations we surveyed were asked whether they transacted credit card data. Those who do must be PCI compliant," McKie said. "So our sample base of 100 SMBs should have all been required to be PCI compliant, as we would have rejected those retailers who would not be processing credit card data."

SMBs' False Sense of Security

The study also found that 55 percent of the respondents were not aware of the security breach disclosure requirements in their state. And when it comes to having a policy to meet those requirements, 40 percent said they had no such policies in place.

As to why PCI-DSS compliance among small businesses is not higher, the size of the organization could be a factor, McKie said, noting that based on anecdotal feedback many SMBs believe they are too small to be hacked.

"In other words, hackers are only going after high-profile targets such as Target," McKie said. "Unfortunately this is a false sense of security, as most hackers rely also on automated attacks."

Hackers also know that many small retailers are lacking when it comes to security, making them soft targets for attack, he added.

"Just because a retailer is small doesn’t mean that a hacker will not find them worthwhile," McKie said. "In fact, small retailers may offer the best ROI for a hacker."

So what should small businesses do?

"Probably first and foremost, retailers need to educate themselves and employees about key online risks," McKie said. "They need to be vigilant and understand that security is not just a firewall… it’s a mindset."

Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.