86% of retailers that consulting firm RSR Research considers most successful say meeting payment security standards has at least some value. Meanwhile, 42% of laggards see no value in complying with such policies, a new study from the firm finds.
Leading retailers put more stock in payment security than less successful merchants, a new study from RSR Research LLC suggests.
In the poll, 86% of retailers that the firm classifies as winners say payment security standards put forth by credit card companies have at least some value. Meanwhile, 42% of those the firm labels laggards see no value in the policies.
The study, Customer Data Security: PCI and Beyond, judges retailers by year-over-year comparable store sales improvements. It classifies retailers with growth above 3% as winners and those below that as laggards; those with exactly 3% growth are deemed average. PCI is the commonly used acronym for PCI DSS, the Payment Card Industry Data Security Standard, a set of rules created by the payment card companies outlining how card data should be used and stored. Both multi-channel and store-only retailers were surveyed.
Among the respondents, 14% of winners and 42% of laggards saw little value in the standards, 57% of winners and 42% of laggards saw some value, and 29% of winners and 17% of laggards saw great value.
RSR also conducted three case studies with merchants, all winners, about how they feel about complying with the security standards.
One merchant, which the study doesn’t identify, noted that meeting the program requirements is an important part of its brand promise to its customers. The merchant, which handles more than six million cashless transactions each year, conducts annual tests to make sure it is PCI compliant and also tests its incident response plan annually. The biggest problems it had with meeting the standards were that end users did not perceive security as much of a problem, that executive and board of directors support was lacking, and that the “price tag” for fixing the problem was hard to justify. The company notes that the upgrades were costly and required software and hardware investments.
However, the merchant says the “BJ’s Wholesale and TJX breaches really helped us kick our own timeline into gear. When the fines came down, we started to get real response from even the most stubborn executives.”
The biggest difficulties the merchant had in upgrading its systems were encrypting the transmission of cardholder data, restricting access to that data to only those who need it, and tracking and monitoring the data across the network.
“A lot of good things have come out of PCI for us,” the merchant says. For example, it improved its I.T. practices, re-evaluated how it stores data, and investigated whether it was storing data that it didn’t need. “It’s important to remember that for this organization, we would not have had such a beneficial and fixing experience if PCI DSS compliance had not been mandated,” the retailer’s I.T. director says.
“Since customer data security ultimately is an issue that can affect the company’s brand and its ability to execute on its business strategy, making discussion of the issue a regular agenda item for the Board of Directors is absolutely vital. Those retailers who’ve successfully demonstrated to their Board: a) what their current security practices are, b) where the dangers lie, and c) where their practices should be, have a far greater likelihood of driving home the fiduciary risk that surrounds non-secured customer-specific data,” the RSR report says.