Survey Shows that Small Merchants Exhibit Lax Security Practices and Put Consumers’ Financial Data at Risk

By Linda Musthaler | January 17, 2014

Posted in: Network Security Trends

Ever since news of the Target breach broke a few weeks ago, everyone from security experts to concerned consumers has been hyper-sensitive to what’s happening in retail security. If it’s true that 110 million consumers had their financial account data compromised in that one breach alone, it’s no wonder many of us are fearful each time we swipe a debit or credit card at a merchant’s point of sale (POS).

If a breach can happen at Target – a large corporation with deep security resources – just think what could be happening at many smaller merchants who can’t afford the kind of resources of a Target, or a TJX, or a Neiman Marcus.

Now a recent independent U.S.-based survey sponsored by Fortinet and conducted by a division of Lightspeed Research gives us new reasons to fear the card swipe. The survey results are summarized in the Fortinet press release, “One in Five SMB Retailers Not PCI Compliant, Lack Security Fundamentals.” That title says it all, doesn’t it?

This survey involved 100 small and medium-sized (SMB) retail organizations with fewer than 1,000 employees. Presumably the study included some good-sized regional merchants, not just your single-store mom and pop shops. Regardless of their size, if these merchants accept debit or credit cards from any customers, they are required to comply with the PCI DSS specifications.

The Fortinet survey found that:

  • 22% of the surveyed retailers are not PCI DSS compliant, and an additional 14% don’t know if they are compliant or not.

  • 55% of the surveyed retailers are unaware of the security breach response requirements of their state, and 40% lack any established policy adhering to those requirements.

  • Many SMB merchants fail to employ strong security practices, such as policies to enforce password security. (The report did not specify a number or percentage of respondents in this category.)

  • 15% of retailers offering free guest Wi-Fi access fail to enforce any kind of security policy on that service. (Recall that unsecured Wi-Fi was found to be a contributing factor to the massive TJX breach a few years ago.)

  • 53% of retailers say they are managing and maintaining their own security infrastructure onsite.


Fortinet called some of these findings “eye-opening.” Unfortunately, the eyes being opened don’t seem to be those of the merchants who may be putting their customers’ financial data at risk through their lack of security practices. (For all you freelance security consultants out there, here’s a good opportunity to land your next consulting assignment.)
