According to a new study from enterprise security vendor Fortinet, conducted last month by Lightspeed Research, PCI compliance is far from ubiquitous among small businesses. The study found that 22 percent of small business retailers were not PCI-DSS compliant, and 14 percent were not sure whether or not they were compliant.
Chris McKie, Fortinet’s director of Corporate Communications, told eSecurity Planet that he was shocked that so many respondents were unaware of their network security posture and PCI-DSS compliance status. That said, he noted that some survey respondents might be network administrators who are not responsible for their company’s compliance efforts.
There are multiple versions of the PCI-DSS standard, with the most recent one being the new PCI-DSS 3.0 specification that came into effect on Jan 1. Because Fortinet’s survey was intended to be a high-level look at PCI compliance, it did not specifically ask about PCI-DSS 3.0 plans, McKie said.
McKie said that, as a matter of law, PCI compliance is different from a state or federal legislative mandate. PCI compliance is enforced by credit card issuers such as Visa and MasterCard, not by the PCI Council that created the standard.
“The organizations we surveyed were asked whether they transacted credit card data. Those who do must be PCI compliant,” McKie said. “So our sample base of 100 SMBs should have all been required to be PCI compliant, as we would have rejected those retailers who would not be processing credit card data.”