In this post, we get insights from Jenna Hutt, Retail Technology Specialist, Rocky Mountain Chocolate Factory and member of the PCI Small Merchant Taskforce. Here she discusses payment security challenges small merchants face and resources to help.
You are a Retail Technology Specialist for Rocky Mountain Chocolate Factory. Can you explain what your role is within your company as it relates to securing payment card data?
I work with our technology partners to ensure that they are providing secure, effective technology options for RMCF stores. To become an approved technology vendor, following the PCI DSS is of paramount importance. I educate our franchisees about PCI DSS and simple security solutions they can take into their stores to help protect card data. I am able to talk to a franchisee about technical concepts in nontechnical language so they understand the concepts being covered. Giving the franchisees effective tools and solutions they can implement in their store without spending the majority of their annual sales revenue is important to me because it keeps our brand out of the news from a breach perspective.
What are some of the main challenges small merchants face when trying to secure their customers’ payment card data?
The main challenge small merchants face when trying to secure their customers’ payment card data is that a small merchant does not have the time or financial resources to invest in becoming compliant. A small merchant that processes 25,000 transactions per year is not making enough profit to invest thousands of dollars a year on security solutions that would allow them to check yes on an SAQ. The current state of changing technology makes a small merchant wary about investing money into a solution that solves security challenges today and then requires upgrades and new equipment purchases tomorrow to stay secure.
Small merchants often rely on third party partners to securely install and maintain their payment systems. What are some challenges when it comes to relying on third parties?
A small merchant having to rely on third party partners is often how they are able to have technology in their stores, but the challenges are: How does a small merchant know that they have found a reputable company to partner with? Small merchants are going to be motivated by cost effective solutions but that doesn’t always correlate to the option that provides the most security. A third party company can tell a small merchant that they are “fully PCI compliant” but unless the small merchant knows how to verify that this statement is true, they are only taking the sales person’s word for it. The Questions to Ask Your Vendors document is a wonderful tool for small merchants to know what to ask and how to verify their payment system is securely installed.
What can third parties do to better educate small merchants on secure payment card practices?
The small merchant is looking for solutions that provide the best functionality and ease of use for the cheapest amount of money. Security is generally not the small merchant’s primary concern. Third parties can help by only offering solutions that secure payment card data because the small merchant is not going to choose something more complex and expensive just for security’s sake unless they are forced to or it is their only option. Third parties that are installing payment solutions for a small merchant talk about being fully PCI compliant just as readily as a small merchant can check the boxes on an SAQ without actually achieving compliance. Third parties can offer cost effective security tools that are explained in nontechnical language to get the small merchant’s attention that they need to be using a secure solution.
Cross-industry collaboration is critical to secure the payment landscape, which is why groups such as the PCI Small Merchant Taskforce are so important. As a member of that Taskforce, can you tell me a little bit more about this group?
The PCI Small Merchant Taskforce is a diverse group of stakeholders representing merchants, banks, processors and vendors worldwide. Each member has a different view of the small merchants and the technology and tools they use. Together we have been able to craft materials that simplify data security and PCI DSS compliance for small merchants. The combination of knowledge in the areas of security, technology and how a small merchant operates has created a powerful set of tools for the small merchant.
Can you talk a little bit about the recently updated small merchant resources?
The Council’s Small Merchant Taskforce recently updated four documents that are very helpful educational resources for small merchants. Updated to address the current payment threat landscape, The Guide to Safe Payments, Common Payment Systems, Questions to Ask Your Vendors and Glossary of Payment and Information Security Terms documents are all written specifically for a small merchant that does not have an IT staff to help with the technology and security in the store. The documents are meant to be used together so a small merchant has an understanding of what type of payment system they have and where potential risks could be in their system. Once there is a broader understanding of what they have, they can take actionable steps listed in the documents to improve their security without having to spend precious time and money that could be focused on the delivery of their products and services. It has been a pleasure being on the task force and working with so many intelligent people to create useful tools for small merchants.
In addition to these updated resources, the Taskforce recently announced the launch of the Data Security Essentials Evaluation Tool for Small Merchants. Can you tell me a little bit more about this tool?
The Data Security Essentials Evaluation Tool allows small merchants to identify their specific payment system and review the risks, threats and protections associated with their environment. Designed so that small merchants can complete it on their own, the evaluation form is useful for small merchants that do not have an overly complex payment environment. The security questions and steps on the evaluation form focus on the critical and actionable steps small merchants can take to secure their payment environment.