Cost and education are the biggest hindrances and failings around PCI compliance.
In a recent survey of 125 small merchants, three-quarters (74 per cent) said that they had no allocated budget to deal with the Payment Card Industry Data Security Standard (PCI DSS), while 66 per cent felt that qualified security assessors (QSAs) were too expensive.
While 100 per cent said that they were aware of PCI DSS, 32 per cent felt that it was a technical challenge, 50 per cent saw it as a procedural challenge and 18 per cent saw that training requirements had to change.
Mathieu Gorge, CEO and founder of Vigitrust, who conducted the survey, said that there was no such thing as ‘de-scoping’, since the only way to do that was to stop taking credit card payments, and businesses still need policies and procedures.
Matt Martin, senior payment security risk manager at BarclayCard, said that while most small businesses could not afford a QSA, they need to know that assessment and compliance were the right thing to do and were done for a reason. “The cost of a breach is where they will really suffer,” he said.
“Smaller merchants are facing major compliance issues, the vast majority that I meet reinforce the positive benefits of why cardholder security is in place but compliance is not just about a standard, and the wider community needs to understand the needs of smaller merchants.”
Jeremy King, European director of the PCI Security Standards Council (SSC), admitted that the language used in the guidelines was written for larger businesses where a security team was in place. He said: “We have got to make the language simpler for smaller merchants to get the right format.”
Looking at comments made by respondents to the survey that PCI was ‘forced upon them’ and was ‘an extra cost we have to pay’, King said that it was the responsibility of the merchant to look after cardholder data, and that there needed to be an appreciation of being compliant rather than expecting and paying fines. “Rather than that, pay for a service that reduces risk to put you in a better position,” he said.
He later said: “Why do merchants keep failing? Don't fail; too many fail because they haven't done it right the first time. Where they have failed is where they have not done anything about it.”
The subject of education and awareness was also discussed, with Gorge saying that survey results show this to be a real challenge, especially as 36 per cent said that they had been aware of PCI DSS for more than three years and only 25 per cent had put policies in place to deal with the standard. Just under half (43 per cent) had put in generic security policies.
Gorge said: “Education means meeting a challenge. Start with this and continue with something that you are not aware of. There is a huge difference between readiness and compliance validation; policies and education are key before you start out. The message needs to be in plain English, as too much jargon and it is daunting for the smaller merchant.”
He later said: “Merchants need to be able to reduce the potential for error and use encryption, but it is only as effective as a policy and the people who write them.”
Martin said: “The more you try and legislate security, the more you write things down, and that defeats the object. I fall back on best practice, preparations and education of people, and the potential spin-off you will have is awareness.”