Small retailers still lag on PCI security compliance

Summary: Which is more troubling: the fact that one in five SMB retailers still aren't PCI DSS compliant or that another 14 percent of them don't know?

TOPICS: SMBs, Security

Given the details that keep creeping out about Target's big data breach last November, I can only imagine the booth and meeting conversations that technology vendors are going to have about privacy and security this week at the big National Retail Federation trade show in New York.

Still, I wasn't all that surprised to read the results of a recent survey by Fortinet focused on assessing the security readiness of small retailers: It turns out that one in five of them (yep, 20 percent) still are not compliant with the PCI Data Security Standards that they are supposed to be applying to their point of sale (POS) technology.

Another 14 percent of 1,000 retailers surveyed aren't sure of their status, according to the Fortinet data.

"This survey was eye-opening for us," Patrick Bedwell, vice president of product marketing for the security company, said in a statement. "Despite looming threats and stiff compliance penalties, more than a fifth of SMB retailers are still not PCI-compliant, while many are falling short of security best practices like password safety."

The survey was conducted on behalf of Fortinet by GMI, a division of Lightspeed Research. It included retailers with fewer than 1,000 employees.

Here are some of the other high-level findings:

  • 55 percent of the respondents WERE NOT familiar with their state's security breach requirements
  • 60 percent DO have password protection policies for their store's Wi-Fi network, and they enforce them 
  • 40 percent DO NOT require employees to change passwords
  • 29 percent DO NOT have a data disposal policy (while another 12 percent of the respondents weren't sure)

As more small businesses invest in tablet-centric POS solutions, I can't help but wonder whether this will exacerbate the situation or set more retailers on the right path to better security. At the very least, it should prompt more of them to boost their awareness level. 

1 comment
  • more troubling is that PCI is a joke

    especially at the price charged for getting compliant.
    When it first started it was pretty good - reasonable and easy to define. Now?
    How many of the retailers who got "hacked" this past quarter were not PCI compliant? Being PCI compliant means diddly squat.
    Use the original standards that the PCI put out and stick to them all the way, with no deviations or exceptions.