Smaller Merchants May Offer Less Credit Card Security

By Eva Norlyk Smith, Ph.D.

According to a recent survey, credit card security may not be as alive and well as most consumers assume. The study surveyed 560 U.S. and multinational organizations for the degree to which they complied with the Payment Card Industry’s Data Security Standard (PCI DSS). The survey was conducted by the Ponemon Institute, a company specializing in research into privacy and information security policy.

The PCI DSS is an industry standard introduced in June 2005 by major credit card companies. It outlines the essential security measures companies must take to guard the credit card information and other customer payment data companies collected during credit card transactions.

The survey found that many smaller merchants don’t make the investment necessary to comply with PCI DSS. While almost three out of four large merchants with 75,000 or more employees complied with the standards (70 percent), only about one in four (28 percent) of smaller companies with 501 to 1,000 employees said they were compliant. Indeed, of the companies surveyed, 55 percent only secured credit card information, but not other vital personal data involved in identity theft, such as Social Security number, driver’s license numbers, or bank account details.

At the same time, the need for greater protection of credit card information was underscored by one sobering fact: 79% of respondents said they had had at least one data breach involving loss or theft of credit card information.

The main reason quoted for not complying with PCI DSS was cost. Three in five of the companies in the survey said they lacked the resources to comply with PCI DSS; this was less of an issue for larger companies. On average, the companies surveyed said they spent about 35 percent of their IT security budgets on PCI DSS compliance.

Unlike security protection for individual computers, PCI DSS doesn’t involve the use of specific security software, but instead prescribes basic security practices, such as using a firewall, SSL (Secure Sockets Layers) and some type of antivirus software. Astonishingly, one in ten of the companies in the survey that said they were PCI DSS compliant, at the same time reported that they were not using antivirus, firewalls and SSL security software.

Credit card companies demand compliance from the merchants accepting credit cards, and the expectation was that most merchants would be compliant at this point, four years after the introduction of the standards. The PCI DSS standard is currently under review, and industry professionals, concerned about the growing threat of credit card fraud, are sure to modify the standards to make them easier to meet for both large and small companies.

As a consumer, should you be worried that merchants may not be as compliant with recommended security measures as previously assumed? Well, yes and no. Credit cardholders are not held liable for any fraudulent use of credit cards, that tab is picked up by the credit card companies and/or merchants involved.

At the same time, however, the results of the survey underscore the need for cardholders to be ever-vigilant and study their statements in detail each month to make sure it contains no unauthorized charges.

Published: January 16, 2010