But the more important question raised in the report is whether those merchants have an unrealistic sense of how vulnerable they are to data breaches. The problem is that the report didn't sufficiently track who said what, making it impossible to determine whether any one merchant's appraisal was legitimate or not.
(Related Stories: In his column this week, StorefrontBacktalk PCI Columnist David Taylor—who happened to have been involved in the research for the NRF report—puts the survey results into a more meaningful context from a small business perspective. Also, our new Franchisee Columnist this week looks at PCI struggles from small merchants that are part of large merchant chains: The worst of both worlds?)
That perception is based on whether the question is meant to ask if Level 4s in general are at risk or whether the surveyed store is at risk. Some small retailers—especially the smallest mom-and-pops that may have minimal systems--are candidly not that much at risk depending on their transaction levels and security approach while others are at extreme risk.
The report draws no distinctions between an independent mom-and-pop and a franchisee using a national brand that might attract a lot more cyberthief attention. The person who headed up the report's research, Heather Varian Foster, the VP of marketing for ControlScan, said there are reasons—pro and con—for Level 4 merchants to be split into separate groups depending on likely exposure.
"I think that the PCI Council may have to start evaluating this group as not just one group. It's a group that really hasn't been scrutinized a whole heck of a lot," Foster said. But she added that it still might not be a good idea to split them: "You want to make sure that these businesses follow best practices. If we hold them to a different standard, that could be dangerous, too."
Some interesting notes from the report:
The largest slice (31 percent) was spending between $1 and $500 and the second largest slice (29 percent) spent between $501 and $5,000. One level down, equal-sized slices (each at 10 percent) said they were spending "nothing" and that they were spending between $5,001 and $20,000. An additional 8 percent said they had coughed up more than $20K and 12 percent admitted that they had no idea.
Given that the surveyed all accepted payment cards, the answers should have been "yes, it's mandatory." And that was the answer from a comforting 70 percent of respondents. The next largest slice (15 percent) said it was optional and 8 percent said that they were unsure. Our favorite answer: 7 percent said "neither." The question was "is PCI compliance mandatory or optional for your company?" Yes and No and "I don't know" make sense, but how could it possibly be neither?
"Still working on it" was the choice of 44 percent, "don't have the financial and technical resources" was the choice of 26 percent and "don't understand it" was the selection for 19 percent. Even better answers: "It's too hard" got five percent of the vote and "Don't care" got six percent.
The answers here were difficult to evaluate because respondents were allowed to check all that apply. Also, it's unclear if someone felt they didn't need to buy something because it is not necessary to have or because they already had it. That said, the top answers in sequence were "implement security policies and procedures" (not sure how that's an answer to "what did you have to purchase to meet PCI compliance guidelines?" but I digress), "conduct vulnerability scanning," "purchase security products (e.g., antivirus software, firewall, etc.)" and "implement security awareness training." Other answers were "upgrade out E-Commerce," "change our business procedures to stop storing credit card data after authorization," "purge all credit card data we were storing," "upgrade POS" and our personal favorite: "Nothing. Just complete the paperwork."