I had the opportunity over the last several months to help launch a research study of PCI compliance among small (Level 4) businesses, and the findings from this study (a survey of 220 merchants) were just published this week. Frankly, it’s very difficult to get small businesses interested in PCI compliance at all (judging from low attendance at the webinars and events aimed at that market), and I wanted to use this research as a tool to understand why that is, and whether anything can be done to raise awareness and motivate security improvements.
One of the first things about the study that surprised me was that two thirds of the respondents (65 percent) said that data security is a “high” priority and another 26 percent said it’s a “medium” priority. As a casual customer of many small businesses, I see business practices and POS technology that are shockingly insecure. So the survey says that small businesses really do care about protecting customer data. Is it true? Maybe.
(Related Story: Survey: Level 4s Recognition Of PCI High, Understanding Of It Almost Nil)
One of the problems with multiple choice surveys is that it’s hard to present realistic tradeoffs to the respondents. You rarely see a question: “Which is more important? Spending $500 on a new network firewall or spending $500 to fix the delivery van?” But that’s the real issue. Data security may be a high priority in the abstract, but compared to “keeping the business running” types of concerns, it typically drops off the bottom of the list of things to spend money on. Why? Because small businesses do not believe they are going to have a data breach.
The small business survey also found 65 percent who said they have a low risk of a breach. Although some of them may be right in this view, most are not. Let me explain: There are small merchants and then there are “really small merchants.” Really small merchants are “mom and pops” running a single dry cleaning shop, using a dial-up credit card terminal. Generally, mom and pop are pretty safe from a breach, because they are not running a server with a database of card data that’s connected to the Internet. They get to fill out one of the short PCI DSS Self-Assessment Questionnaires (SAQ B for a standalone dial-out terminal, or SAQ A, only 11 questions, if all card handling is outsourced) and they’re done. But many small businesses don’t have it so easy. They have multiple locations, multiple (usually older) POS systems, a flat network, systems with default passwords, unsecured system configurations, and lots of employees who have access to confidential data they don’t need.
They are small businesses with big business security problems. But they feel they are not vulnerable because they don’t have “lots” of credit card data. The problem is that the bad folks typically use automated attacks to find unsecured servers and websites and then insert malware; the scanner does not care how many card numbers are behind the weak system. Another popular method of compromise is that malware is downloaded by unsuspecting employees who visit social networking websites and open “member generated content” from any of the millions of bogus accounts that hackers can create automatically on some sites.
Although larger (Level 1 and 2) organizations typically have tools in place to prevent this or isolate its impact, many small businesses do not, and are therefore much more vulnerable than they believe.
One of the by-products of making it easy for small businesses to report their PCI compliance through the use of the four SAQs is that companies often fill them out without actually doing all the things they should be doing. Wow, what a shock! To try to detect how prevalent these “false positive” self-assessments are, we asked the small businesses whether they would have the documentation to back up their SAQ answers. As we expected, 23 percent said they did not have the documentation, and another 22 percent were unsure they could prove that they are compliant if asked to do so.
The point is: merchants are often “liberal” (which, in this case, is bad) in how they answer their SAQs. This finding of companies taking liberties with their SAQs may be one of the reasons why MasterCard recently decided to force both Level 1 and Level 2 merchants to use outside QSAs. The point here is that security and payment professionals who want to help small businesses improve their data security must come to grips with the fact that even though 86 percent of small businesses say they are aware of the PCI standards, and 65 percent say that data security is a high priority, there continue to be fundamental factors, such as a low sense of risk, other spending priorities, and a simple-to-fudge SAQ process, that will continue to hinder efforts to get small businesses to take the actions that will materially reduce their IT security risks.
Although I realize it’s possible to read the PCI and Small Business report and get a really positive sense that small business managers are starting to care about security and PCI compliance, I believe that contrasting supportive comments with actions taken is a reasonable, if cynical, analysis of the findings. If you’d like to learn more about our research on PCI and small business, or any other topic, please visit the PCI Knowledge Base and our “Contact us” page, or if you want to have a personal discussion about PCI and small business issues, just send me an e-mail at [email protected].