Survey Says: Level 4 merchants lack understanding of PCI compliance value

Patrick Turiano

November 9, 2011

PCI Compliance

The results of the third annual ControlScan/Merchant Warehouse survey are out, and they point to a lack of education around PCI compliance among Level 4 merchants (the smallest merchant tier, generally those processing fewer than 20,000 e-commerce transactions or fewer than 1 million total card transactions a year). The results also show these merchants are largely indifferent to the financial consequences of attacks on cardholder data.

The findings indicate that the risk of financial loss is not a motivating factor for Level 4 merchants to comply aggressively with PCI DSS. They also show that these merchants are not convinced PCI will make their businesses more secure, and that little progress has been made in changing small merchants’ attitudes toward PCI. The survey collected responses from 621 Level 4 merchants.

Despite some of the more alarming findings, our survey does reveal some positive gains, including:

  • More merchants in 2011 validated that they are PCI compliant than last year
  • More of these merchants can provide documentation to support completion of their self-assessment questionnaire
  • More merchants believe the PCI standard should apply to their business than in past surveys
  • More merchants are taking precautions and making necessary purchases to comply with PCI and enhanced data security

Much like last year’s respondents, this year’s fall into the micro-merchant category: merchants with one to 10 employees. The 2011 survey has more of them, however, and when categorized by transaction volume, this year’s respondents sit in higher-volume categories. The share of merchants in the $101,000 to $250,000 category doubled, from 14% last year to 28% this year.

Education and understanding of PCI among this group of merchants is weak. Among the survey’s respondents, 48 percent were either “unsure” of the standard or “not at all” familiar with it, and just 18 percent were “very” familiar with it. Most striking, however, was that most respondents did not approach PCI compliance proactively.

You can read the full survey here.