Can MSPs Bridge the PCI Security Awareness Gap?
It looks like the Payment Card Industry (PCI) Data Security Standard could use an awareness campaign. Could the apparent gap in PCI understanding create an opening for MSPs dealing with retailers or working in the security field?
Verizon recently reported that nearly 80 percent of the companies it studied failed to meet the Payment Card Industry (PCI) Data Security Standard. The company found that even organizations that previously hit the PCI target had a difficult time “sustaining the efforts required to be compliant year after year.”
Now comes a study that suggests about half of small retailers lack even basic knowledge of the PCI standard. ControlScan and Merchant Warehouse conducted a survey of more than 600 Level 4 merchants — the smallest merchants as categorized by Visa — and discovered that 48 percent were either “unsure” of the PCI benchmark or “not at all” familiar with the standard. Eighteen percent of the respondents described themselves as very familiar with the standard.
The awareness gap leaves small merchants vulnerable in a couple of ways. Card brands such as MasterCard and Visa require any merchant that stores, processes, or transmits credit card data to achieve PCI compliance. Fines could be in the works for those who fail to comply. But the greater pitfall lies in failing to adopt and adhere to a security regimen. Data loss and damaged reputations await.
Small companies, in general, need to boost their protection. Julius Genachowski, chairman of the Federal Communications Commission, took up the small business vulnerability topic at a recent Washington, D.C. computer security event.
“With larger companies increasing their protections, small businesses are now the low hanging fruit for cyber criminals,” Genachowski said.
Awareness Levels Differ
The ControlScan/Merchant Warehouse study, released earlier this month, revealed differences in the level of PCI awareness among Level 4 merchants. Merchants with 51 or more employees were considerably more up to speed on PCI compared with their micro-business counterparts. Seventy-seven percent were very or somewhat familiar with the standard and 79 percent said they consider data security a high priority.
Companies at the smaller end of the Level 4 sample — those with 10 or fewer employees — are clearly the ones needing the most help with PCI.
“Small merchants seem to be blissfully ignorant about the risks of a data breach,” the ControlScan/Merchant Warehouse report stated. “They need a wake-up call.”
The report noted that acquiring banks, companies that act as an intermediary between the card brands and the merchant’s bank, play a role in providing security advice. But MSPs could lend a hand here as well, particularly given the abysmal level of awareness among small retailers.
MSPs generally want to approach customers with something other than a strictly technical story. Why not start a conversation with your retailer customers on PCI compliance status and the rudiments of IT security? You could be doing your clients a favor and paving the way for managed security services as well.