PCI Compliance Double Standard?
Hey Small Business Owner! Get Compliant or You’ll Be Out of Business!
That’s the message being fed to businesses accepting credit cards by the payments industry. But the communication isn’t getting through. 60% of merchants are unaware of the costs they would incur for a data breach and 64% believe their businesses are not vulnerable to credit/debit card data theft. These statistics fuel the rhetoric by payment processors and ISOs to get compliant, pay high monthly fees (most of them bogus), and get serious about protecting customer data. The result is always the same… merchants continue to ignore the PCI Standards. And why should they care when big companies like Sony and Global Payments aren’t even capable of securing themselves either?
We spoke with a business owner about PCI Standards, who requested to remain anonymous after we informed him about potential fines and termination for non-compliance. The owner of a small grocery store in Queens, NY said he had never heard of compliance standards, the requirement for annual self-assessments, or the necessity to use secure equipment. He’s using a 10-year-old Nurit 2085 that was passed down to him by a relative’s failed business four years ago. The NOS has never been upgraded and he hasn’t considered doing it because he’d “rather not mess with the machine.” According to literature distributed by Verifone in 2009, the Nurit 2085 was no longer PCI compliant years ago (if it ever was at all) and the recommended replacement is a vx510. But the business in Queens never got that memo, and the owner was very frank in his response to our warnings on the costs of a data breach. “If something ever gets breached, it’s not my fault or my problem. They can talk to my account rep. It’s his problem, his machine, and he’s the one responsible for this whole thing, not me. How can I be liable for the technology that they’re making me use?”
The truth is that a single data breach is likely to result in:
- A security audit (cost of $8,000 to $20,000)
- Replacing the card for every customer who was at risk for having their information stolen ($3 to $10 per card)
- Up to $50,000 in compliance fines
The average merchant faced with a data breach in 2009 incurred $6.7 million in fees. That’s vastly more than the Queens grocery store is worth. So are merchants being ignorant, or is this attitude cultivated by the payments industry? Talk to any merchant account rep and they’ll name a handful of processors that will sign up accounts with non-PCI-compliant technology. At the end of the day, some processors would rather book the account than educate, support, and protect their client from security breaches.
This isn’t to say that carelessness or ignorance is what caused the massive breach at Global Payments, but allowing hackers to grab sensitive information on 1.5 million cardholders sends a bad signal to merchants. Experts are already predicting that the cost of this breach will be in the tens of millions of dollars. Visa has temporarily removed them from their “list” of compliant processors, and Global expects to be reinstated very soon.
Already the payments industry is spinning this event as contained and Global continues to process card transactions as usual. In a few weeks, we’ll all forget about this and it will be no harm, no foul. Global will dip into whatever reserve fund they have for breaches and square it all away.
But the merchants will never forget. Instead, it will serve to further justify their thought process that if something happens, it’s not their fault. 1.5 million stolen credit card numbers fits right in line with their account representative who has never mentioned PCI compliance and their processor who is willing to play ball and book their account with unsafe technology. Everyone’s looking the other way, so how can the end user be stuck with the blame if something goes wrong?
Plenty of ISOs apply PCI compliance fees to their clients’ statements but don’t actually help them become compliant. If the day ever comes that big processors can lead by example (no thefts) and each level of the payments industry gets serious about compliance, perhaps merchants will be more inclined to change their attitude. Until then, they’ll keep right on believing it’s not their fault or their problem. They’re probably right…