The question we field more than any other when talking to small merchants is, “Who is making me become PCI compliant?” The answer is too complicated to simply point at one entity and say, “It’s this guy, right here.”
In a few states, elements of PCI are law, but for the most part, Level 4 merchants (the smallest merchant type that makes up over 95% of all businesses) do not have to prove their PCI compliance to anyone. Some acquiring banks are running a program with their smaller merchants and forcing them to validate, and the credit card companies have dictated that all merchants must be PCI compliant at all times, even if they only accept a single credit card per year. However, the credit card companies are not currently forcing the merchants to prove their PCI compliance. The issue only comes to a head when a breach happens.
If a merchant loses credit cards, then the whole game changes. The acquiring banks, credit card companies, and law enforcement will be much more interested in seeing proof of PCI compliance. At that point, the merchant involved will need to prove that not only are they compliant at the time of the investigation, but that they had been compliant before the breach occurred. Merchants who have been lax in their compliance will face potential fines, penalties, and other sanctions from the credit card companies. The cost associated with this phase of a breach can easily run into tens of thousands of dollars with $35-50K being the average for a small merchant.
More important than the actual fines is the loss of business. When people learn that their credit card was stolen when they shopped at a particular location, they tend to avoid that location in the future. Numerous retailers have lost too many customers to stay in business after the public learned of their breach. After a recent restaurant breach in Texas, the proprietor of Flores Mexican Restaurant is asking the public to forgive him and come back to his business. By his own estimates, he has lost 15% of his revenue after hackers managed to steal credit cards from his point of sale system using malware (malicious software).
Small businesses are a prime target for hackers, and you should never believe that you are too small to be noticed. If you do not take security seriously, it is only a matter of time before you are a victim. It is always easier to keep a customer than to regain the trust of one. If you are a merchant and you are deciding to wait until someone forces you to be compliant before doing anything, then conservatively you should project at least a 15% loss in revenue. Hackers are not going away, and ignoring the problem makes you a prime target.
Bradley K. Cyprus has more than 20 years' experience in the security industry. He manages the development of in-house solutions to validate compliance, and he is a resource that Vendor Safe customers can rely upon to help interpret the PCI standard.