New York City -- An overwhelming majority (86%) of small-business respondents say that keeping their customer card information secure matters and feel that payment-card data security is important to their business. But 60% are unaware of the costs they could incur in the event of a breach. Those are among the results of a research study of data security and fraud-prevention strategies practiced at small- to mid-sized retailers. The study is from the National Retail Federation and First Data Corp.
While two-thirds (66%) of respondents to the survey claimed awareness of the Payment Card Industry Data Security Standard (PCI DSS), only 49% of respondents had completed a self-assessment at the time of the survey. Among those who had heard of PCI DSS, however, 42% did not know that merchants are obligated to conduct the self-assessment annually and 41% had not heard of the recent change in regulations.
The survey also showed there appears to be some confusion among retailers regarding the liability costs in the event of a data security breach. More than 60% of these smaller merchants did not realize that credit-card companies are authorized to fine their business a per-card fee for every card that has to be canceled if it is determined that they are the source of a data breach. According to the 2009 U.S. Cost of a Data Breach Study by the Ponemon Institute, the average cost for merchants coping with a data breach in 2009 rose to $6.7 million with the cost per customer record breached estimated at $204.
Restricting physical access to cardholder data and using anti-virus software were the two most frequently reported protection methods (76%). Other practices toward the top of the list were restricting access to cardholder data by business need to know (67%); developing and maintaining secure systems and applications (64%); and maintaining a policy that addresses information security (63%). Of those who electronically store cardholder data, 68% also take steps to protect that data and 53% use encryption technology.
More than 4% of respondents reported having been a victim of any one type of fraud listed in the survey. Although the percentage appears low, it equates to a potential one million small businesses being impacted. The latest Federal data estimates there are appro