In reading this article from Dark Reading, which quotes a recent RSA survey about PCI compliance, I'm struck by what seems like a missing component. The basic gist of the survey results is that while more than 50% of merchants haven't complied with PCI, the majority of them are smaller, level 4, merchants. There are other interesting bits of data in there too, but the whole article makes a tacit assumption: the goal of PCI is that merchants comply.
I think that really is the goal for larger merchants, but I'm not so sure about the smaller ones. I can't help thinking that for a smaller merchant, the cost of compliance would often exceed the cost of simply outsourcing the card processing such that PCI no longer applies. To be fair, I haven't done the serious research to determine whether that's true, but given the implementation timelines referenced in the article, it seems plausible. It's also possible that there aren't outsourcing services that really meet the needs of smaller merchants.
Either way, if PCI doesn't start "motivating" the smaller merchants, then compliance will continue to lag. The numbers are skewed, however, because they count merchants rather than the transactions those merchants handle. Perhaps it would be better for RSA to measure the percentage of PCI-compliant transactions instead.
Comments (2)
While the results of the RSA survey are interesting, I can't help thinking that they might be skewed. Reading the press release that RSA put out (https://rsasecurity1.rsys1.net/servlet/campaignrespondent), only 80 companies were involved in the survey. That breaks down to an average of 20 companies per level. I'd like to see more data before accepting the results.
Survey aside, we primarily deal with level 2-4 companies as an ASV. We are seeing exactly what you're describing. Incentives and fines are hitting the big players first, which I suppose makes sense if the card companies are looking to limit exposure. The risk for the credit card companies is greater at a TJX-sized company than at a retailer that is doing minimal transactions. I believe the incentives or fines will show up in the near future for these smaller players, but may be appropriately adjusted. Based on many discussions with level 2-4 merchants, many of them are weighing the costs of continuing to accept credit cards vs. outsourcing to a service provider, or looking for creative ways to move away from the credit card game.
Time will tell how it all filters out. Bottom line, the credit card companies will need to decide how much risk they can accept to continue receiving revenue from the small players. Can you imagine a future where your credit card only works at level 1 and 2 merchants, and all others convert to a cash business? I can't... And I would imagine your average consumer that's never heard of PCI won't, either. That really goes against the marketing strategy we've seen in the past that says "accepted at more locations" or "accepted everywhere".
Posted by Security Consultant | April 24, 2007 9:40 AM
Interesting observations. If they play it right, they can bring the level 1 & 2 merchants into compliance and encourage the level 3 & 4 merchants to outsource up to the (now) compliant 1 & 2 merchants. Ingenious!
Posted by terlin | April 24, 2007 5:58 PM