The office supplies retailer say it sacrificed some sales to improve online profitability. It also redesigned its business-facing e-commerce site, StaplesAdvantage.com.
Their bricks-and-mortar counterparts tend to be more cavalier about PCI, a survey says.
Smaller online retailers are more likely to know about their responsibilities to secure payment card data than bricks-and-mortar counterparts, suggest survey results released this week by ControlScan and Merchant Warehouse, two payment services vendors.
The company based its findings on a survey of 630 merchants that typically process less than 20,000 annual e-commerce transactions or no more than 1 million payment card transactions total. Merchant Warehouse sells credit card processing services, while ControlScan helps merchants comply with the Payment Card Industry Data Security Standard, a set of data security rules backed by the major card brands.
The survey found that 60% of online retailers are aware of their PCI compliance responsibilities, compared with 37% of bricks-and-mortar retailers. 61% of online retailers said data security was a high priority, compared with 41% of bricks-and-mortar retailers.
The vendors explained the differences by saying that online retailers have a larger worry about the safety of card-not-present transactions than do retailers that are face to face with their customers. Overall, smaller merchants tend to rely more on their merchant banks and vendors to handle PCI compliance duties than do larger merchants, the two companies say.
The survey also found that the some larger Level 4 merchants—that was the retailer category the survey focused on—already have spent up to $20,000 to comply with PCI. Merchants that do not comply with the standard risk fines from acquirers along with the potential for bad press and unhappy customers in the event of a data breach. Level 4 represents the smallest merchants of the four categories of the PCI standard; merchants in Levels 1, 2 and 3 have more strict reporting and auditing responsibilities under the PCI rules.