The National Retail Federation (NRF), a retail trade organization, and First Data Corp., a provider of electronic commerce and payment processing, have released results from a research study of data security and fraud prevention strategies practiced at small to mid-sized retailers.
Most of the retailers surveyed had annual sales of less than $100,000. The analysis was revealed during the NRF Big Show 2011.
An overwhelming majority of respondents (86%) stated they care about keeping their customer card information secure and feel payment card data security is important to their business. But almost two-thirds (64%) believe that their business is not vulnerable to credit/debit card data theft and 60% are unaware of the costs they could incur in the event of a breach.
PCI Awareness and Liability
While two-thirds (66%) of respondents to the survey claimed awareness of the Payment Card Industry Data Security Standard (PCI DSS), only 49% of respondents had completed a self-assessment at the time of the survey. Among those who had heard of PCI DSS; however, 42% did not know that merchants are obligated to conduct the self-assessment annually and 41% had not heard of the recent change in regulations.
The survey also showed there appears to be some confusion among retailers regarding the liability costs in the event of a data security breach. More than 60% of these smaller merchants did not realize that credit card companies are authorized to fine their business a per-card fee for every card that has to be canceled if it is determined that they are the source of a data breach.
According to the 2009 U.S. Cost of a Data Breach Study by the Ponemon Institute, the average cost for merchants coping with a data breach in 2009 rose to $6.7 million with the cost per customer record breached estimated at $204.
Data Security and Fraud Prevention Strategies
Most of the specific data security and fraud prevention practices cited in the survey were familiar to the majority of respondents with several of the strategies already integrated into their business operations.
Restricting physical access to cardholder data and using anti-virus software were the two most frequently reported protection methods (76%). Other practices toward the top of the list were restricting access to cardholder data by business need to know (67%); developing and maintaining secure systems and applications (64%); and maintaining a policy that addresses information security (63%). Of those who electronically-store cardholder data, 68% also take steps to protect that data and 53% use encryption technology.
Experience with Fraud and Security Incidents
More than 4% of respondents reported having been a victim of any one type of fraud listed in the survey. Although the percentage appears low, it equates to a potential one million small businesses being impacted. The latest Federal data estimates there are approximately 24.6 million small businesses currently operating in the U.S.
Physical theft or tampering with terminals and computer viruses, including malware, were the top two fraud and security incidents experienced by respondents at 37% and 22%, respectively. Employee misuse or theft of card data accounted for another 17% of incidents.
“Our survey results illustrate that smaller retailers take protection of their customers’ sensitive payment card data very seriously and continue to add more layers of security to their business operations,” said Mark Herrington, senior vice president of Global Product Management and Innovation, First Data. “The finding we found most intriguing was the confusion around the potential liabilities in the event of a data breach. We’re confident that continued education in the payments industry will raise awareness of the importance of annual self-assessments and the right mix of data security and fraud prevention tools.”
Data from the Small Business Data Security Study was fielded online from Oct. 26 to Nov. 19, 2010. The majority of survey respondents (89%) represented less than $500,000 in payment card sales annually through both card-not-present (CNP) and in-person transactions. A total of 651 small and mid-sized merchants completed the survey.
