The third annual survey of level 4 merchant PCI compliance trends from ControlScan and Merchant Warehouse has been released, and not much has changed since last year’s report. Overall awareness of PCI DSS has risen amongst the merchants surveyed, who we presume are different from the merchants surveyed in previous years. Fifty-three percent of merchants surveyed are either very or somewhat aware of the Payment Card Industry Data Security Standard, a six-point increase from last year’s results.
Also notable (and somewhat more encouraging) were the findings that 64 percent of larger level 4 merchants (those with over 50 employees), 60 percent of merchants with over $250 thousand in annual card payment volume, and 65 percent of e-commerce merchants have validated PCI compliance to their acquirers. The opportunity to raise awareness among the remaining merchants, though, is still one that ISOs and acquirers have yet to fully explore.
The full report can be accessed in the PaymentsJournal Library (link follows).
“The results of this year’s survey, compared to years past, show us that education and structured PCI compliance programs are helping large Level 4 and e-commerce merchants make strides in PCI compliance,” said Henry Helgeson, co-CEO of Merchant Warehouse. “Unfortunately, the results also show us that micro-merchants are either unaware of the PCI DSS or actively choose not to embrace data security or the PCI DSS, because they don’t understand the risks. Merchants’ lack of awareness makes them more vulnerable to hacker attacks on cardholder data and could lead to catastrophic financial losses.”
“We are encouraged by both the adoption and serious thought large Level 4 and e-commerce merchants are putting into their security posture and compliance, which we find directly related to the education and resources they receive on PCI compliance,” said Joan Herbig, CEO of ControlScan. “There is still a tremendous opportunity, however, for ISOs and acquirers to share that same education with micro-merchants in order to guide them through PCI compliance by setting stronger repercussions for non-compliance and establishing data security as an ongoing process.”