Getting small merchants up to payment security par has been a struggle for years. And it's not that small merchants, like the mom-and-pop bakery on the corner, don't care about security; it's just that they don't understand it.
So the release this week by the PCI Security Standards Council of a new PCI compliance resource for small merchants is being lauded by the banking and payments community. But how effective will the resource actually be at convincing merchants to move forward with PCI compliance?
As PCI expert Anton Chuvakin, a payments security analyst at Gartner, points out, many small merchants still don't even understand what PCI is. "A lot of smaller merchants are still woefully behind in security; I met some in 2015 who just heard of this new thing called the PCI-DSS," he says.
And it's not just a problem in the U.S. "It's way worse overseas. I see more merchants who have not heard of PCI-DSS," Chuvakin adds.
Ongoing PCI Headache
For card issuers and merchant acquiring banks, security gaps at small merchants are an increasing worry, as these merchants are deemed to be the proverbial "low-hanging fruit" for fraudsters, says Julie Conroy, a fraud analyst at Aite.
"Smaller merchants have been a key target for cybercriminals, who love going after the weakest link in the chain," she says. "At the same time, too many SMBs [small and medium-sized businesses] believe that data breaches are somebody else's problem, namely the big merchants that are always landing in the headlines. Most SMBs have no idea that many cybercriminals actually prefer targeting the little guys, because the relatively small pool of compromised cards makes it much more difficult for issuers' CPP [common points of purchase] analytics to discover the point of compromise and put compensating controls around them."
Conroy says one of the biggest challenges for acquiring banks is convincing small businesses that compliance with PCI data security standards is really a "baseline" for fraud prevention, and not just some arbitrary rule or regulation.
Small Merchant Security: An Industry Responsibility
We've all accepted that smaller merchants rely heavily on their point-of-sale vendors and integrators to ensure cybersecurity. But, as many breaches over the last three years have taught us, that reliance has been misplaced (see 1,000 Businesses Hit By POS Malware).
Acquiring banks, issuers and the card brands are eager to see small merchants adopt EMV and comply with PCI. But EMV and PCI are expensive, especially for smaller merchants. And incentives, such as chargebacks for fraud, intended to get merchants to invest more in security have not proved overly effective so far (see Visa Acknowledges EMV Rollout Pain).
Is New Resource the Answer?
The resource, Guide to Safe Payments, is a 26-page tutorial designed to help less-tech-savvy merchants gauge their risk to determine which PCI data security requirements make the most sense for them to invest in.
I went through the resource, which the PCI Council released July 7. It's not a complex list of requirements laden with technical jargon. Instead, this resource, served up as a .pdf, is more like an infographic, with easy-to-understand language that describes emerging attacks and the expense associated with compliance aimed at mitigating the risk of those attacks.
Jeremy King, international director of the council, says acquiring banks are encouraged to ensure small merchants are educated about this new resource. "We have narrowed everything down to 12 key areas, and in each of those areas, we've assigned a particular requirement, such as making your passwords more secure, and then provided a guide to show how expensive that requirement is to implement," he says. "They can see how big the payout is, and, thus, the advantage of complying."
For example, the resource lists mitigation steps such as changing default passwords for remote POS access and applying patches and updates, and denotes the relative cost, ease of deployment and risk-mitigation impact of each. The resource was put together by the council's Small Merchant Task Force, which includes representation from the merchant and acquiring communities. Dave Matthews, general counsel for the National Restaurant Association, says it truly represents small merchants' unique security needs and questions.
"By using graphics and diagrams, complex concepts have been simplified and formatted into documents that technology-challenged business people can relate to and understand," says Matthews, who also co-chairs the task force. "Identifying and understanding technology risk is the first step to mitigation and protection. These materials go far in providing that understanding."
And in a blog posted by the council to accompany the launch of the resource, council CTO Troy Leach answers commonly asked questions about PCI compliance.
"This is a great opportunity to empower small merchants to better protect themselves against increasing threats through awareness of how payments work and how to minimize risk of exposing their customers' cardholder data," Leach writes. "The payment diagrams can be walked through with small merchants so they can see the kind of payment setup they have and understand the risks and protections most relevant to them."
The onus now will be on acquirers, payment processors and retail associations to ensure small merchants are aware of this resource, and understand how it can be used. The resource and accompanying documents are available for free from the council's website, and can be co-branded for distribution to merchant customers.
Chuvakin says acquirers will likely play a major role in making this resource known to smaller merchants. But he adds that banks will have to be good teachers. "Merchants will need more than just, 'Here, read this,'" he says. "They will need help interpreting and operationalizing it."
Michael Christodoulides, vice president of payment security and global payment acceptance at Barclaycard in the U.K., says Barclaycard plans to make the resource an integral part of its communications with small merchant customers. "Our portfolio, like most acquirers, includes a majority of smaller merchants," he says.
And fraud striking those smaller merchants comprises most of Barclaycard's fraud-related expenses as an acquirer, Christodoulides says.
"It's helpful for all small merchants to understand that if they play their part in securing a payments ecosystem, they will prevent fraud at some point in the future," he adds. "We will be linking our website to the Security Standards Council's website to pass this along and include the resource in our products to merchants."
Most sources I pinged in advance of the resource's release told me they had heard about the resource but had not seen it. I'd encourage you to have a look, and then let me know your thoughts.
Do you think this resource will be the key the PCI Council has been searching for to unlock the security challenge it has faced when it comes to PCI acceptance among the SMB community? Post your comments below.