SOURCE: ControlScan
August 10, 2009 00:01 ET

Research Finds PCI DSS Awareness High Among Small Merchants, Lack of Understanding Remains Huge Hurdle

Guidance a Must to Help Small Merchants Understand and Achieve PCI DSS Compliance

ATLANTA, GA--(Marketwire - August 10, 2009) - Though small merchants are aware of Payment Card Industry Data Security Standards (PCI DSS), they feel frustrated and bewildered with the complex requirements, according to a survey of small merchants by ControlScan, the National Retail Federation, and the PCI Knowledge Base.

According to the survey of 220 small merchants, 86 percent of companies feel "somewhat" or "very familiar" with PCI DSS. They also understand the importance of security, with 88 percent of them listing data security as a "high" or "medium" priority. While the fact that small merchants both understand the importance of data security and are aware of PCI DSS standards is encouraging, respondents expressed frustration with understanding, implementing and paying for compliance.

"A year ago, there was little to no awareness of PCI compliance among small merchants," said David Taylor, founder, the PCI Knowledge Base. "Now the picture has changed, probably because many organizations, such as acquirers and independent sales organizations (ISOs), are now making validation of compliance mandatory and in some cases, imposing monthly fines for merchants that fail to prove they are PCI compliant."

Small merchants who have never been breached may have an unrealistic expectation of their security. According to the survey, 72 percent of small retailers believe the risk their company faces from a data compromise is "low" or "not possible," though merchants who have been breached tell a different story. Sixty-seven percent of previously breached respondents considered the risk from a data compromise to be "high" or "medium," and, as a result, typically spend more to help secure their businesses.

"Small merchants often do not understand the severe consequences of a data breach and are understandably overwhelmed with the intricacies of becoming compliant in the first place," said NRF Chief Information Officer David Hogan. "Until industry service providers and the PCI Security Standards Council make compliance easier to understand and less complex to implement, many small merchants will likely continue to be frustrated and bewildered, causing some of them to abandon the idea of compliance altogether."

Because the process is confusing, Level 4 merchants are seeking clarity and want to be educated about data security. According to the survey respondents, small merchants first look to their acquirers and then to vendors of point-of-sale software, payment equipment and hosting as their "go to" resources for PCI compliance and security information.

"These organizations are uniquely positioned to embrace their de facto 'first responder' role in the PCI education arena," said Heather Varian Foster, vice president, marketing, ControlScan. "By assisting small merchants to become PCI compliant and providing them with easy-to-understand information, they will likely become more valuable partners to their merchants and distinguish themselves in the marketplace."

To access a copy of the study findings, please click on the following link:

About the Survey

The survey was completed in July 2009 by 220 Level 4 merchants who represent a mix of ecommerce, retail stores and mail order/telephone order businesses.

ControlScan is the leading provider of Payment Card Industry (PCI) compliance and security solutions designed exclusively for small- to medium-sized merchants. ControlScan provides easy-to-use Web-based security solutions and a personal level of service that make it easy and cost-effective for these businesses to analyze, remediate and validate compliance. ControlScan is the solution of choice for small merchants and acquirers because it offers security solutions that are built specifically with the small merchant in mind, a personal level of service and the best results. Acquirers and other merchant service providers rely on ControlScan to manage PCI compliance programs for their entire merchant portfolios to ensure maximum compliance rates. For more information about ControlScan call 1-800-825-3301 or visit

The PCI Knowledge Base is the largest independent research community focused on the security of payment and related financial and personal data. The PCI Knowledge Base's registered membership includes over 2,900 persons who are focused on PCI, including retailers, hoteliers, academics, bankers, payment processors, PCI assessors (QSAs), providers of payment systems and security technologists. The company's panel of over 85 PCI Experts shares their knowledge and experience through its proprietary research database as well as through discussion forums and via our PCI Experts Blog. For more information call 214-295-4996 or visit

The National Retail Federation is the world's largest retail trade association, with membership that comprises all retail formats and channels of distribution including department, specialty, discount, catalog, Internet, independent stores, chain restaurants, drug stores and grocery stores as well as the industry's key trading partners of retail goods and services. NRF represents an industry with more than 1.6 million U.S. retail establishments, more than 24 million employees -- about one in five American workers -- and 2006 sales of $4.7 trillion. As the industry umbrella group, NRF also represents more than 100 state, national and international retail associations.

Link to white paper:

Contact Information