While merchants are aware of the Payment Card Industry Data Security Standard, or PCI DSS, retailers with the highest number of transactions are most likely to take the necessary steps to protect credit card data, according to Forrester Consulting.
While merchants are generally aware of the Payment Card Industry’s Data Security Standard requirements, merchants with the highest number of transactions are most likely to take steps to protect credit card data, according to a new report from Forrester Consulting, a unit of Forrester Research Inc.
Although 72% of Level 1 merchants (those processing more than six million transactions for a single card brand per year) said it was a “very high priority” to secure credit card data from breaches, only 45% of Pre-Level 2 merchants (those processing 750,000 to 999,999 transactions per year) defined protection initiatives in the same way, Forrester found.
“It’s clear that larger organizations are more mindful of the needs to protect cardholder data from security breaches,” says Jim Melvin, vice president of marketing and security solutions at RSA, The Security Division of EMC. RSA commissioned the Forrester study, “The State of PCI Compliance.”
More than half of the 677 merchants surveyed planned on spending between 2% and 4% of their 2008 I.T. budgets on credit card data protection, an increase from 2007 budgets.
When asked what factors are driving them to comply with PCI standards, 49% said they wanted to mitigate the risk of a data security breach, while 43% cited pressure from credit card companies, followed by potential fines, 37%; pressure from management, 34%; pressure from acquiring banks, 33%; the desire for best practices, 23%; and pressure from customers and clients, 20%.
The study also found that 81% of merchants store credit card numbers and 73% store credit card expiration dates. In addition, 71% of merchants store credit card verification codes and 57% store magnetic-stripe data, practices that violate PCI DSS.
The largest merchants are the ones retaining card data, according to Forrester: 94% of Level 1 merchants and 80% of Level 2 merchants retain credit card numbers; 89% of Level 1 merchants and 71% of Level 2 merchants store credit card expiration dates; and 72% of Level 1 merchants and 74% of Level 2 merchants retain card verification codes.
Forrester surveyed 677 merchants worldwide during July 2007 for the study.