The Council has just published a set of payment data protection basics for small businesses. Why now, and how will these resources help stem the tide of cyberattacks and data breaches? In this blog post with Chief Technology Officer Troy Leach, we look at these questions and more.
Why is the Council publishing resources for small merchants?
Troy Leach: Small businesses around the world are a magnet for cybercriminals who are using automated tools to find easy-to-exploit opportunities. With global migration to EMV chip technology, and increased prevalence of sophisticated point-of-sale (POS) malware, data security has become an issue for companies of all sizes. This is a great opportunity to empower small merchants to better protect themselves against increasing threats through awareness of how payments work and how to minimize risk of exposing their customers' cardholder data. One of the biggest challenges they face is that so much of what’s out there right now is just too complex for the small business and quickly falls back to unnecessary acronyms or technical details. With the small merchant payment protection resources, we’re providing simple, easy-to-use information as a starting point for small businesses to protect themselves and their customers.
How do the new small merchant resources fit with the PCI Data Security Standard (PCI DSS)?
Troy Leach: Most small businesses have never heard of the PCI Data Security Standard (PCI DSS), let alone read it. If they did read it they probably would need a background in both information security and payment processing to best understand the requirements. The Guide to Safe Payments focuses on areas in the PCI DSS that cover the common security gaps leading to small merchant breaches. Additionally, the guide provides tips about solutions such as secure payment terminals, encryption, and tokenization that can help reduce a small merchant’s risk. With simple language focused on business risk, it’s designed to help small businesses understand what they need and why, while also helping banks and technology providers that do understand PCI DSS to communicate it more clearly to their merchant customers.
How should these resources be used to improve small merchant payment security?
Troy Leach: Small merchants often rely on their banks and their technology vendors for information on what’s needed to take card payments. For security to become a priority, it has to be part of that dialogue. That’s why we’ve worked closely with banks, associations, security professionals and vendors on these resources to make them useful and relevant for the regular interactions they already have with their small business customers. To be effective, the partners that small businesses work with every day have to integrate these security messages into their merchant programs. For example, the payment diagrams can be walked through with small merchants so they can see the kind of payment setup they have and understand the risks and protections most relevant to them. We’ve tried to make this as easy as possible by creating resources that can be used in both digital and print formats, and housing them on a dedicated section on our website with step-by-step instructions for downloading and distributing the information.
What’s the key to small businesses protecting against data breaches?
Troy Leach: My experience is that small business owners want to do the right things to protect their customers. But businesses can’t protect their customers' data if they’re not aware of what they can do to help improve security. Education is the critical first step. Some of the most impactful changes a small business can make to protect themselves from a data breach are relatively simple steps. For instance, a significant factor that contributes to many small merchant breaches is so basic – not changing vendor default passwords. Yet most small merchants don’t know how to, or even that they need to, change these passwords. As an industry, if we can help these companies understand their risk, security basics to protect against payment data theft, and where to go for help, we’ll have made a substantial shift in cardholder data security for the entire payment ecosystem.
What’s next for the PCI Small Merchant Taskforce?
Troy Leach: The cross-industry group will continue to promote the use of these small merchant payment protection resources and monitor adoption and feedback in the market, looking specifically at other uses and opportunities for adding to them. Additionally, the taskforce plans to explore e-commerce more closely and evaluate what specific resources might be effective for this growing sector.