NRF and First Data release small business data security survey

New York City -- An overwhelming majority (86%) of small-business respondents (86%) say that keeping their customer card information secure and feel payment-card data security is important to their business. But 60% are unaware of the costs they could incur in the event of a breach. Those are among the results of a research study of data security and fraud-prevention strategies practiced at small- to mid-sized retailers. The study is from the National Retail Federation and First Data Corp.



While two-thirds (66%) of respondents to the survey claimed awareness of the Payment Card Industry Data Security Standard (PCI DSS), only 49% of respondents had completed a self-assessment at the time of the survey. Among those who had heard of PCI DSS; however, 42% did not know that merchants are obligated to conduct the self-assessment annually and 41% had not heard of the recent change in regulations.



The survey also showed there appears to be some confusion among retailers regarding the liability costs in the event of a data security breach. More than 60% of these smaller merchants did not realize that credit-card companies are authorized to fine their business a per-card fee for every card that has to be canceled if it is determined that they are the source of a data breach. According to the 2009 U.S. Cost of a Data Breach Study by the Ponemon Institute, the average cost for merchants coping with a data breach in 2009 rose to $6.7 million with the cost per customer record breached estimated at $204.



Restricting physical access to cardholder data and using anti-virus software were the two most frequently reported protection methods (76%). Other practices toward the top of the list were restricting access to cardholder data by business need to know (67%); developing and maintaining secure systems and applications (64%); and maintaining a policy that addresses information security (63%). Of those who electronically store cardholder data, 68% also take steps to protect that data and 53% use encryption technology.



More than 4% of respondents reported having been a victim of any one type of fraud listed in the survey. Although the percentage appears low, it equates to a potential one million small businesses being impacted. The latest Federal data estimates there are approximately 24.6 million small businesses currently operating in the United States.



Physical theft or tampering with terminals and computer viruses, including malware, were the top two fraud and security incidents experienced by respondents at 37% and 22%, respectively. Employee misuse or theft of card data accounted for another 17% of incidents.



"Our survey results illustrate that smaller retailers take protection of their customers' sensitive payment card data very seriously and continue to add more layers of security to their business operations," said Mark Herrington, senior VP global product management and innovation, First Data. "The finding we found most intriguing was the confusion around the potential liabilities in the event of a data breach. We're confident that continued education in the payments industry will raise awareness of the importance of annual self-assessments and the right mix of data security and fraud prevention tools."



The majority of survey respondents represented less than $500,000 in payment-card sales annually through both card-not-present (CNP) and in-person transactions.