The PCI Security Standards Council (PCI SSC) Small Merchant Taskforce recently published a set of payment data protection basics for small businesses. In this blog post we talk with taskforce co-chair and Vice President, Payment Security (Third Party Risk) at Barclaycard, Michael Christodoulides, for his insights on payment security for small businesses. Barclaycard is a member of the PCI SSC Board of Advisors and, as a provider of payment acceptance solutions, works closely with merchants globally.
Why are small businesses particularly at risk when it comes to data theft?
Michael Christodoulides: Small businesses are often economically rooted within their local communities, offering local knowledge, services and products with trust, integrity and value. Small businesses are usually commercially lean with limited budgets and seemingly endless demands on resource capacity, capability and budget. Successfully running a small business means every “pound/dollar/euro” spent keeping the business running has to earn its value and then some. Fulfilling customer needs and building trust is a priority. Unfortunately, experience has shown that data theft can have a significant adverse impact on small businesses. This is because a small business does not have the capacity and capability to absorb the extra work and cost that a data breach places upon a small business. In the event of a data breach, a small business will usually have to fund the costs of professional consultants, remediation work and any other costs associated with a data breach. In doing so, the small business is also losing opportunity time that could have been used to generate extra growth.
What are the major threats right now to these companies?
Michael Christodoulides: No matter the size of your business, if you have a presence on the internet/world wide web or a connection that uses the internet, then you are under attack from the criminal fraternity. Businesses need to do all they can to secure their business from cyber threats. Cyber threat simply means a threat from the internet. In the same way that a small business would ensure its cash till is not easily accessible, it should also ensure that those parts of its computer systems that it wants to keep private are not easily accessible from the internet. The PCI SSC payment protection resources for small merchants provide easy-to-implement security measures for small businesses to put in place.
In your work with small businesses, what are the biggest hurdles for them in taking data security seriously?
Michael Christodoulides: Actually, small businesses do take data security seriously. They have to because data in all their forms (e.g. financial, personal, product, customer, design) is the lifeblood of a small business. An issue that many small businesses have is that they do not have the in-house resources to be experts in all aspects of running a business. Small businesses rely on external expertise to simplify the complicated, and this is one of the reasons why this PCI SSC initiative to provide simple, easy-to-use guidance will be so beneficial to small business. The PCI SSC guidance is free at the point of use, and small businesses should find implementation simple and effective in mitigating risks associated with maintaining the security of cardholder payments.
How do you see the PCI Small Merchant Taskforce resources helping with this?
Michael Christodoulides: The role of the PCI SSC Small Merchant Taskforce is to simplify the complex and provide useful, implementable guidance. The small business will be able to use the guidance in order to implement security measures that are within its budget and technical capability. This helps the small business decide at which point it needs to seek assistance from capable specialists. There is also an easy-to-use “Questions to Ask your Vendor” guide, which will help small businesses ask informed questions. Every business model has its own jargon, which needs explaining in everyday language. The specially written glossary will help small merchants converse effectively with their potential suppliers. The PCI SSC small merchant payment protection resources help the small business take control by providing practical guidance that will contribute towards mitigating the risk of a breach in data security.
If you had to give one piece of advice to a small merchant on data protection, what would it be?
Michael Christodoulides: Small businesses are particularly at risk from the costs and opportunity loss associated with a data breach. Therefore, small businesses should plan for the worst outcome and then put practical measures in place to prevent the worst outcome happening. Implementing the guidance published by the PCI SSC Small Merchant Taskforce will help a small business improve its data security practices and reduce the risk of data theft.