A while back I wrote an article entitled "The Shocking Truth About Retailers & PCI" in which I shared the results of a retailer-focused survey. The gist was that retailers, particularly in the SMB space, apparently have a low level of knowledge concerning PCI and its related terms and concepts. This, despite mandates and requirements going back years. Shame on them, right?!
I went on to explain how this is a great opportunity for retail IT resellers to flex their trusted advisor muscles and offer guidance and wisdom to their customers.
But that's not the end of the story. Yesterday, in putting together a white paper on the state of PCI and the VAR, ISV (independent software vendor), and retailer ecosystem, I came across some interesting data from a Business Solutions survey which made me consider that lack of PCI awareness might not just be a retailer problem.
In the survey of Business Solutions subscribers, ISVs had some choice words for VARs (and merchants, of course). Here are just a couple of quotes from ISVs:
"In all honesty, resellers that we encounter could care less about PCI compliance. I feel as if it is only us software companies that care. The industry is still to this day ignorant about the topic of PCI, which is unfortunate."
"The majority of our resellers do NOT care about PCI compliance. It blows me away, but it is true."
Despite such sentiments coming from ISVs, 87% of surveyed VARs indicated that they feel properly trained to discuss POS security with merchants. If that's true, what's going on here? Is this a case of VARs thinking they know more than they do? Or do VARs not focus on, or speak with customers about, PCI because they think that once PCI-certified software is installed, the issue is in their rear-view mirror?
One additional nagging data point which may or may not be relevant: Business Solutions newsletters sent out with PCI in the subject lines perform horribly, having low open and click-through rates. It appears to me as if our VAR readers don't want to read about PCI. In fact, maybe this blog post is destined to be more of a diary entry, for my eyes only.
All this leaves me wondering, who cares about PCI? Clearly, ISVs are forced to care. But the rest of the ecosystem -- VARs and merchants -- I'm not sure they do.