Small business owners may be too ignorant to ever be PCI compliant. I recently participated in a webinar, a live seminar and a survey all aimed at small business, and all part of separate efforts aimed at building awareness about the importance of PCI compliance to small to medium size enterprises (SMEs). In each case, the presenters were struggling, trying to figure out just how “basic” to be when explaining PCI compliance.
Based on my experiences, the answer has to be “pretty darn basic.” For example, at the live SME-oriented seminar, after listening to 3 different speakers discuss why PCI compliance is so important to data security and minimizing brand damage and the risk of a security breach, I had two, not one, but two separate people come up to me and ask “What is PCI?” Both persons apologized for their “dumb” question, but it got me thinking about other dumb questions that illustrate why we have a long way to go before we will be able to impress upon the SMEs of this world that PCI is worth paying attention to. A few examples:
We cannot forget that PCI is a whole different “Industry.” How many of us who are in one industry (e.g., retailing) can really be expected to understand the complex workings of another industry. When we throw around terms like “acquirer,” we cannot possibly expect anyone in retailing who isn’t the interface to the financial institution to either understand or care about what we’re saying. Furthermore, anyone who tries to explain the difference between processors and payment gateways in a webinar aimed at SMEs should expect that no SME (and few business or technical managers of larger retailers) actually gives a rat’s ass. What we should do is talk one-on-one to more SME managers and business owners; maybe the payment companies and technology providers who want to sell to SMEs should actually hire some ex-SME managers to help with their messaging.
Yesterday I was speaking with the VP of operations for a SME who recently received an email from their processor. It happened to be First Data, but it could have been any of a number of processors. She read me the E-mail, which said her company would be fined $25 per month until they prove they are PCI compliant. Her reaction was precisely the title of this paragraph.
Even though there was a vague threat in the E-mail about $500,000 fines if there were a breach, she didn’t take that seriously. The whole reason she called was to find out if any company was actually doing anything as a result of such letters, because the $25 per month fine was being taken as a “joke” in her company. The message here is that it’s all well and good to be “kinder and gentler” when it comes to doling out fines in these troubled times, but this level of fine is unlikely to convince anyone to do anything, even mom and pop.
Few things are more disheartening than to plan a party and invite a whole bunch of people, and then have only a few folk show up. Holding seminars and webinars aimed at telling SMEs about PCI is right up there. I’ve had many different technology companies and card processors ask me if there’s a set of issues that is more likely to put bodies in the seats than other issues.
Here are some suggestions drawn from our efforts over the past two years to add more SME focus to the PCI Knowledge Base research: First: Use case studies of real SMEs who are doing something about PCI compliance. Second, if you can’t get real companies to give you permission, use anonymous case studies. Third, don’t bother talking about the risk of a breach. Even though SMEs do get breached, the business owners don’t believe the statistics.
Again, stick with case studies. Fourth, use multimedia. The Project PCI DVD (and YouTube video) done by the Retail Service Providers Association (RSPA) that features, among other things, a tearful interview with the owner of Spanky’s restaurant, is still the most convincing argument for SME PCI compliance available anywhere.
Granted, it’s an old movie reference, but the importance of finding a new message or a new angle is critical for getting SME owners to pay attention. Since they don’t believe they are vulnerable to breaches, and the level of the current SME fines wouldn’t scare anyone, a relatively new appeal is the focus on outsourcing the whole problem. Any service or tool that can help SMEs shift as much of the compliance / security problem to a service provider is going to meet with a better reception than an appeal designed to scare the crap out of an SME owner into spending money on security technology.
The essence of the argument here is that whatever stupidity exists in the area of PCI is on the side of those (including me) who have tried to scare SME owners with threats of breaches or impress them with payment industry jargon and technical details they may not understand or draw on examples of much larger companies and their commitment to “strategic solutions.”
The key is to build empathy for the SME view by talking personally to as many as possible, then weave these discussions into whatever PCI or security message one wishes to aim at the SME market. We’d love to talk about this with SMEs or others interested in this market. For more on this, please visit the PCI Knowledge Base if you want to view our research. If you want to have a personal discussion about PCI and SME issues, just send me an E-Mail at [email protected].