Small merchants cannot ignore PCI compliance
November 13th, 2008 by admin Posted in Compliance, Merchant

We took a lesson from Scoble’s playbook and posted our phone number and email address on the blog for people to call and ask questions directly. Sometimes questions come in from people wanting to know about one thing over another (i.e. virtualization, PA-DSS, etc.), but mostly it’s smaller merchants who have no idea what PCI compliance really means.
Where do I get more information?
If you want to read no further, I’ll say the best way to learn more about PCI compliance is to educate yourself about it directly rather than rely on what your processor tells you. Click here for online learning and courses. The reason I recommend eLearning is that some small merchants are being coaxed into filling out a questionnaire that does not pertain to them at all.
Here’s a real story
I received a call from Mike the Merchant, who just started taking credit card payments and has only one POS terminal. It’s a stand-alone, dial-out-only hardware device that does not store any cardholder data and is not connected to the Internet. You know, the same kind you see in small stores and laundromats all around the world.
One day he received a deduction from his deposits in the amount of $130 for “PCI compliance”. He called up his gateway and found out it was an automatic charge for an online form he had to fill out. He filled out the form and it turned out he failed compliance. Why? Because when asked “do you have a bonded company take your backup tapes off-site” he said “No” because it did not apply to his business. So he called the gateway back and they said to “Fill out YES to every question so you can pass.”
I don’t understand why companies think that filling out a questionnaire in the absence of real risk management is going to address real compliance numbers or reduce the risk of fraud. What we need to do is empower merchants through education, so they can help manage the risk instead of just making them disillusioned by giving them a survey that does not apply and telling them to answer YES.
Empowerment
The thing is, small merchants do not care about information security or compliance so why are we trying to teach them these concepts? What they care about is risk and financial loss. The $130 charge on his bill caused Mike the Merchant to go online and read up on PCI and educate himself. If he knew the real risks to his data and could quantify that, he would be in a better position to help protect that data.
Empowering individuals with information will always bring about better results than keeping them in the dark or confusing the message. In addition to just elevating their understanding, the merchant’s processor should see education as a method of selfish altruism. Once empowered and educated, the merchant cannot claim ignorance if they are compromised.
I’m a strong believer in telling people the facts: risks, costs, benefits, and methods. A war is not fought by keeping your soldiers in the dark. Tell them the mission and let them lead the charge.