The results of the Small Merchant Data Security Survey, sponsored by First Data Corporation and the National Retail Federation, might leave consumers feeling a bit naked in the wind. The survey, which was conducted to assess the knowledge, behaviors and attitudes of small to midsize merchants regarding credit/debit card data security and fraud protection, according to the written report, revealed that only 53% of respondents rate their knowledge about card data security as average. The survey also found that 79% of businesses believed their data was secure, leaving another 21% of the 651 respondents who don’t believe their data is currently secure.
“People are bad about gauging risk,” said Robert McMillon, director of solution development for security solutions provider, RSA‘s, merchant solutions group. “We tend to prioritize things that are big and spectacular, and we underestimate risks that are more mundane.” McMillon added that businesses believe data theft can’t happen to them. “In fact,” he said, “the reality is it can happen to anybody.”
The survey also found only 31% of respondents performed background checks on employees who handle customer card data, a figure that Tim Horton, VP of business development at First Data Corporation, attributes to some people who are “generally bad at assessing risk. People think they’re a good judge of character. They think they can look someone in the eye and see into their soul.”
The report states that 4% of small merchants, or roughly 1 million small businesses in the US (assuming there are approximately 25 million small businesses) have already been the victim of data theft.
“Security is an expenditure you make to prevent something bad happening down the road,” McMillion said. “You spend on preventative things based on your expectations of something happening. But people in their mid-20s don’t buy life insurance because they don’t expect to die.”
The good news, according to the report, is that merchants are dedicated to protecting themselves and their customers. When asked if they cared about keeping customer information secure, 94% of respondents said yes. More than half of respondents have installed a firewall to protect cardholder data (53%) and 68% of merchants who electronically store data also take steps to protect the data, with 53% going so far as to use encryption technology. More than half of the respondents are aware of the requirement to notify customers about a breach, the potential of being sued by customers impacted by a breach and the possibility of losing their ability to accept Visa and Mastercard as a result of a breach.
Last year’s cost-per-breach for merchants who were victims of data breaches was $204 per record, according to a study released by the Ponemon Institute.
“National retailers can handle those costs but some small merchants would be put out of business,” said Tim Horton, VP of business development at First Data Corporation.
“We as an industry have to help people understand what the risk is associated with data theft,” McMillon said. “We’ve got to move against the tide where the industry currently stands and educate them to take reasonable precautions.”