Who cares about protecting small merchants from a security breach?

Security is not just for merchants and cardholders to take care of. Central government, at both national and European level, and the payments industry should step up and take responsibility too.

A 2011 report by Trustwave showed that 90 per cent of the card-data compromises it investigated occurred at Level 4 merchants (the lowest transaction-volume tier in the card schemes' merchant classification, typically small to medium-sized businesses). Large organisations are better educated, funded and resourced, so they are increasingly hard targets for criminals, although they are not immune, as high-profile data breaches have demonstrated. It is now the smaller merchants that are being targeted, and the payments industry needs to help them.

Regularly speaking to retailers has given me a better understanding of the trauma that PCI compliance causes them. At a recent Association of Convenience Stores (ACS) conference, one retailer told me that the prospect of not being compliant, suffering a breach and then facing the reputational damage that would follow gives him sleepless nights.

Word of mouth among customers that their data was not safe with him would cripple his reputation, even now, when there is no legal obligation on him to report a breach.

Others are overwhelmed by the complexities of achieving compliance. Another retailer recently asked me about a letter he had received from his bank informing him that he was not compliant with the Payment Card Industry Data Security Standard (PCI DSS) and that he would be penalised if he did not rectify this. He had no idea of the full implications of PCI compliance, how important it is, or the severe financial impact on his business should he suffer a data breach.

The reality is that they are not alone; far too many businesses take far too few steps towards adequately securing their payment and non-payment systems. A major problem facing the payments security industry in Europe is how little publicity breaches receive compared with the USA.

One of the key differences is the relationship between merchants, banks and government, and the requirements imposed on merchants and payment service providers to publicise such breaches.

In the United States, California was the first state to legislate for the public disclosure of data breaches, in 2003, an example since followed by 38 of the 50 states. This is encouraging, but differences in legislation around the world make the process fragmented. Mandatory breach disclosure should be universal, as a deterrent, because fraud is global and fraud rings recognise no borders.

In the UK and Europe there is currently no legal requirement for the great majority of businesses to declare breaches, but that does not mean they don't happen. According to UK Fraud Statistics, more than €417.5 million of card fraud was detected in 2010.

The problem the industry currently faces is that smaller retailers do not understand the need to improve their security.

The proposed new European Data Protection Regulation will put statutory penalties behind data breaches, alongside the card schemes' fines, which are presently seen as hollow threats. This is a step in the right direction, but another message needs to go alongside it: best-practice security measures for the payments environment are good business, and go a long way towards protecting a business as a whole.

Compliance shouldn't be treated as a task in which a merchant does only what it is obliged to do and no more. Too many merchants are unaware of their obligations under PCI DSS, or are indifferent to the risk they run by not meeting them.

Merchants found to be in breach of PCI DSS can be fined for every card compromised; it takes minutes to steal thousands of card details electronically, and the consequences for a small business can be crippling. This is not necessarily the fault of the small merchants, who were not the initial focus of the PCI Council when the PCI DSS standard was introduced in 2004.

As Jeremy King, European director of the PCI Security Standards Council, said at a recent roundtable: “We've started off with the big retailers and we've gone down to the next level and now we're getting down to the smaller merchants. The brands don't differentiate between the big and small merchants when there's a data breach, they just come in and hit you. For smaller merchants, it's end of game.”

Merchants think that there isn't a problem in the UK because they never hear about it; this couldn't be further from the truth. Fraudsters are now targeting small, local, independent businesses, and the PCI Council, banks, acquirers and security vendors have a duty to educate these smaller merchants and to provide them with cost-effective, quality solutions, so that they are equipped to maintain their security and, ultimately, their business.

The Verizon 2012 Data Breach Investigations Report found that 96 per cent of the breach victims it investigated that were subject to PCI DSS had not been compliant at their last assessment. Perhaps this is because the compliance measures are complicated for the average retailer, especially the technical network requirements referred to in the self-assessment questionnaires.

This is something that Phoenix, as a security vendor, is tackling head on, investing heavily in research and development to get the right product to protect smaller merchants. Phoenix is reaching out to smaller merchants through trade bodies such as the Retail Motor Industry Federation (RMI) and the Association of Convenience Stores (ACS), educating them on payment security and correcting some of the misconceptions surrounding internet security and PCI compliance.

Phoenix is doing this not just because it helps our business, but because, with more than 200 years of collective experience in payments across our management team, we can see that something needs to be done. We believe the industry should do the right thing by the smaller retailer, so that they are better protected.

Security can't be achieved through regulation and enforcement alone; it needs to be adopted as a culture in business, with all parties, including banks, acquirers and merchants, taking a collaborative approach to help themselves and their customers. Only once this is achieved will we be in a position to be truly secure.

Alan Stephenson-Brown is the managing director of European Operations at Phoenix Managed Networks