Small retailers still lag on PCI security compliance

Which is more troubling: the fact that one in five SMB retailers still aren't PCI DSS compliant or that another 14 percent of them don't know?

Given the details that keep creeping out about Target's big data breach last November, I can only imagine the booth and meeting conversations that technology vendors are going to have about privacy and security this week at the big National Retail Federation trade show in New York.

Still, I wasn't all that surprised to read the results of a recent survey by Fortinet focused on assessing the security readiness of small retailers: It turns out that one in five of them (yep, 20 percent) still are not compliant with the PCI Data Security Standards that they are supposed to be applying to their point of sale (POS) technology.

Another 14 percent of 1,000 retailers surveyed aren't sure of their status, according to the Fortinet data.

"This survey was eye-opening for us," Patrick Bedwell, vice president of product marketing for the security company, said in a statement. "Despite looming threats and stiff compliance penalties, more than a fifth of SMB retailers are still not PCI-compliant, while many are falling short of security best practices like password safety."

The survey was conducted on behalf of Fortinet by GMI, a division of Lightspeed Research. It included retailers with fewer than 1,000 employees.

Here are some of the other high-level findings:

  • 55 percent of the respondents WERE NOT familiar with their state's security breach requirements
  • 60 percent DO have password protection policies for their store's Wi-Fi network, and they enforce them
  • 40 percent DO NOT require employees to change passwords
  • 29 percent DO NOT have a data disposal policy (while another 12 percent of the respondents weren't sure)

As more small businesses invest in tablet-centric POS solutions, I can't help but wonder whether this will exacerbate the situation or set more retailers on the right path to better security. At the very least, it should prompt more of them to boost their awareness level.