Academic journal article Journal of Management Information and Decision Sciences

Small Business Compliance with PCI DSS

Academic journal article Journal of Management Information and Decision Sciences

Small Business Compliance with PCI DSS

Article excerpt


Americans love their credit and debit cards. Over 66% of all point of sale transactions involve a payment card (McCue 2013). Even though consumers want to use payment cards, only half of all small businesses accept payment cards (Dennis 2008, McCue 2013). Thus, almost half of small businesses do NOT accept payment cards. Of those businesses that do not accept payment cards, 58% are asked by their customers to accept payment cards (McCue 2013).

Those small businesses that start accepting payment cards have the opportunity to significantly increase revenues. Intuit research found that 83% of small businesses that start accepting credit cards saw an increase in business. Fifty-two percent of those increased revenues by at least $1,000 per month and 18% increased revenues by over $20,000 per month (Campbell 2013). Extending these numbers implies that small businesses could increase revenues by over $100 billion a year by accepting payment cards.

While small businesses can increase revenues by accepting payment cards, doing so comes with costs and risks. There is a cost to processing payment card transactions, but more importantly, there is the risk that customers' payment card data will be stolen. To reduce that risk, businesses must adhere to the Payment Card Industry (PCI) Data Security Standard (DSS). In general, small businesses do not understand information technology security, and they do not adhere to good security practices. A PWC survey found that 74% of the small businesses in the United Kingdom had a security breach in 2014-2105, that 52% do nothing to prevent against cybercrime and 85% have no plans to increase spending on security (Hugh, 2015). This mirrors a Symantec survey that found that 77% of small businesses in the US say they are safe from cyber threats and 83% have not security plan. Yet 40% of the cyberattacks Symantec prevented in 2012 targeted businesses with fewer than 500 employees (Symantec 2012).

In this paper, we seek to understand the degree to which small businesses understand and adhere to PCI DSS and what drives their compliance.


The Payment Card Industry Security Standards Council was formed in 2004 as a cooperative effort among card issuers such as Visa and MasterCard to develop a set of security standards to protect cardholder data (PCI Security, n.d.). This effort resulted in the PCI Data Security Standard (PCI DSS), a security standard for any entity that processes, stores or transmits cardholder data. The most current DSS standard--Version 3.1--was released April 2015 (PCI Security Standards Council, 2015).

The costs associated with achieving and maintaining PCI DSS compliance can be very high. A Gartner survey found large merchants spend on average $2.1 million to achieve PCI compliance (Gartner, 2011). Clearly this is not possible for smaller merchants. In recognition of this, the DSS categorizes merchants by the number of card transactions they have per year with the largest--Level 1--merchants having greater than six million card transactions per year down to Level 4 merchants with fewer than twenty thousand transactions per year (Mastercard, n.d.).


The PCI Council initially focused on helping Level 1 Merchants achieve PCI Compliance. Motivating these large merchants was probably made easier by the fact that some of the largest card data breaches in history occurred in 2008-2010 (Kerber, Ross, 2007; Sharp, 2008; Vijayan, 2009)--early in the history of PCI. These high visibility data breaches and the associated costs and bad publicity certainly highlighted to large merchants the costs of failing to secure their card data.

After a number of years these efforts appear to be paying off. The 2015 Verizon PCI Compliance Report found an 80% increase in the number of companies that are validated as PCI compliant (Verizon, 2015). Given this success, it appears the PCI Council and card issuing companies are now beginning to focus on improving the PCI Compliance of the smaller, Level 4 Merchants. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.