News | November 10, 2010

New Research Finding: Diversity Reigns When It Comes To PCI Compliance For Level 4 Merchants

The size and type of Level 4 merchants drives how they perceive PCI compliance and the steps they take to protect sensitive information.

While the ‘Level 4’ categorization stands as an effective way for the payment brands and acquirers to classify merchants and enforce PCI DSS compliance, size definitely matters in the way that small- to mid-sized merchants approach PCI compliance. This conclusion is just one of the major findings from a survey of nearly 630 Level 4 merchants conducted by ControlScan (www.controlscan.com) and Merchant Warehouse (www.merchantwarehouse.com).

According to the survey, Diversity Reigns: The Second Annual Industry Survey of Level 4 Merchant PCI Compliance Trends, the size of the Level 4 merchant drives how they perceive data security and the steps they take to protect sensitive information. Forty-five percent of micro-merchants (businesses that employ 1 to 10 employees) reported familiarity with PCI DSS. In contrast, 91% of large Level 4 merchants (those that employ 51 or more employees) confirmed their familiarity with PCI DSS.

"Based on the results of this survey, we, as an industry, have an opportunity to create better educational tools that can help the small to mid-sized merchants understand the importance and process of protecting cardholder data from the start," said Henry Helgeson, co-CEO of Merchant Warehouse. "Educating both merchants and partners on why PCI-DSS compliance is good for business and how to easily achieve it is the first step toward achieving more compliance. The second step is to advise merchants to use secure, PA-DSS certified payment processing solutions that can help them achieve and maintain PCI compliance with minimal additional costs or paperwork."

Merchant spending to achieve PCI compliance also correlates with merchant size. For example, fewer than half of micro-merchants who responded spend nothing on PCI compliance, while the majority of larger Level 4 merchants spend between $500 and $20,000. In fact, nearly half of the micro-merchant respondents also said "completing the paperwork" for PCI DSS was the extent of their compliance efforts, suggesting that they lack a comprehensive approach to PCI compliance.

Another key finding from the survey demonstrates that the merchant's type can also impact their awareness of PCI compliance and the priority they place on security. For example, ecommerce merchants, or ‘etailers’, are much more aware of PCI compliance when compared to their brick-and-mortar retail counterparts (60% versus 37%). For the etailers, data security was also a higher priority than for brick-and-mortar merchants (61% versus 41%). This heightened consciousness on the part of etailers is likely attributable to the greater perceived risks in online, card-not-present environments.

A unifying factor among all of the Level 4 merchant respondents is that they don't understand what they need to do to become PCI compliant and that they want and need help in this area. According to the survey respondents, small merchants tend to look to their merchant banks and then to vendors of point-of-sale software, payment equipment and hosting as their "go to" resources for PCI compliance and security information.

"These organizations have the opportunity to step forward with PCI DSS assistance," said Joan Herbig, chief executive officer, ControlScan. "However, this opportunity to take an educational leadership position carries a key caveat: the organizations that will succeed in helping small merchants gain a working knowledge of PCI DSS will need to tailor their approach to targeted merchants' needs. A ‘one size fits all’ strategy for PCI DSS will not be as effective."

For more information, visit https://www.controlscan.com/whitepapers/merchant_study_2010.php.

ControlScan and Merchant Warehouse are also hosting a joint Webinar to be held on November 16, 2010 at 2:00 PM Eastern Time to present the study findings. To register, please click on the following link: https://www2.gotomeeting.com/register/212151818.

About the Survey
The survey was completed in August 2010 by 628 Level 4 merchants who represent a mix of ecommerce, retail stores and mail order/telephone order businesses.

About the PCI Compliance Provider, ControlScan
Headquartered in Atlanta, Georgia, ControlScan provides Payment Card Industry (PCI) compliance solutions that fit the specific needs of small- to mid-sized merchants (defined by Visa as ‘Level 4’). The company helps simplify PCI compliance and reduce risk for acquirers by achieving high PCI compliance rates for their merchants. As a market leader in PCI compliance, ControlScan offers its acquirer partners the unique benefits of an exclusive focus on servicing Level 4 merchants, programs that work based on the needs of each acquirer and a track record of success in achieving high PCI compliance rates. For more information, visit www.controlscan.com.

About Merchant Warehouse
Since 1998, Merchant Warehouse has set the standard for credit card processing by guaranteeing competitive pricing for merchant accounts, software, and equipment, and providing dedicated, high quality customer service. Over 80,000 merchants later, the company continues to lead the industry with groundbreaking technology initiatives: MerchantWARE, BINsmart, TransPort and MerchantWARE Mobile. Merchant Warehouse has been named the ETA 2009 ISO of the Year, Business Solutions' Best Channel Vendor for 2009 & 2010, is a three-time recipient of the Boston Business Journal Pacesetter Award and is listed on both the INC 5000 and Deloitte & Touche Fast 500. Merchant Warehouse co-CEO, Henry Helgeson, was also named Ernst & Young Entrepreneur of the Year 2009 for New England. The company is committed to community and charitable involvement. For more information, visit http://merchantwarehouse.com.

SOURCE: ControlScan and Merchant Warehouse