In this post, we get insights from Michael Christodoulides CISM, CISA, CRISC, Vice President, Security and Fraud Product Team, Barclaycard. Here he discusses his panel discussion “Simplifying Payment Security for Small Merchants” from the Europe Community Meeting in Barcelona.
You are a member of the Council’s Small Merchant Task Force. What are some of the main challenges small merchants face when trying to secure their customers’ payment card data?
Michael Christodoulides: Barclaycard recently published research regarding small business perceptions as they relate to cyber security. No business, whatever its size, is immune from the growing threat of cybercrime, or criminal activity carried out by means of computers or through the internet. For many smaller businesses, however, cybersecurity competes with a variety of other day-to-day concerns for time and resource – meaning it’s sometimes given low priority, in turn making small and medium-sized enterprises (SMEs) more vulnerable to a cyberattack.
Research from Hiscox’s The Cyber Readiness Report 2017 highlighted that nearly half (48 percent) of smaller companies had experienced one attack or more in the last twelve months. Despite this, our own findings show that one in ten (12 percent) small businesses admit they have done nothing to prepare for the risk of a cyberattack, and are less concerned about the dangers than larger businesses. A study from the UK Government’s Cyber Security Breaches Survey 2017 further highlights this misconception: it found that 39 percent of micro and small businesses with no governance or risk management measures think they are “too small or insignificant for cybersecurity.” By underestimating the risk of a threat, SMEs could make themselves an easier target for criminals online.
SMEs are constantly grappling with conflicting demands on their finances, meaning that, for many, staying safe online falls down the agenda. Research from Barclaycard, for example, found that 27 percent of SMEs spend less on cybersecurity now than they did a year ago.
Faced with squeezed budgets and limited funds, it’s crucial that small businesses are smart in how they use their resources, seeking partners with multiple areas of expertise. For example, SMEs can receive the added support they need without a huge cost attached by bringing in cybersecurity specialists from a supplier they already use, such as their payment provider.
When asked why they don’t think they need to invest in online security, over a third (35 percent) of SMEs said it was because they feel their business works well as it is. While this may be true in the current environment, cybercrime is constantly evolving. Without staying abreast of new developments, today’s security measures may not be fit for the future.
At the very least, small businesses should ensure they meet the minimum requirements for security as set out by the PCI Security Standards Council, an industry body which also offers resources specifically for SMEs. Another fast and easy way to stay informed is through the Business Fraud Prevention pages on Barclays’ Digital Safety Hub, launched earlier this year to encourage businesses and consumers alike to fight back against fraudsters.
To take protection to the next level, small businesses should start or continue having conversations with their suppliers. Many will have experts who can provide insight into the latest threats and solutions. Added support could give SMEs greater peace of mind – and ultimately, the freedom to focus on their business.
Small businesses face immense pressure to keep up with competitors of all sizes. This is all the more challenging in an uncertain political and economic landscape, with shifting consumer preferences and new technology that continues to develop at pace.
Against this backdrop, it’s imperative that SMEs find accessible ways to ensure they – and their customers – can feel as confident as larger businesses about their cybersecurity. The benefits are clear: a quarter (25 percent) of SMEs who have invested in this area say they have experienced less fraud, while 12 percent have seen an increase in customer satisfaction.
SMEs should move away from the ‘it won’t happen to me’ mind-set because, no matter its size, any business is at risk. Taking action to increase cybersecurity can seem daunting – but with a little time and some expert help, it may be easier than they think.
The PCI SSC has published payment security best practices and these can be found in the PCI SSC publications Guide to Safe Payments, Common Payment Systems and Questions to Ask Your Vendors. All these are available online on the Council’s newly-launched page for merchants.
Small merchants often rely on third party partners to securely install and maintain their payment systems. What are some challenges when it comes to relying on third parties?
Michael Christodoulides: The market is full of products offering all manner of solutions for a variety of cybersecurity issues. While they all have their place, the challenge for SMEs is to find the right security products and services for them.
It’s a confusing space for a small business owner who typically will not have a strong background in cybersecurity and threat management. That’s why we recommend they partner with an expert to identify what’s appropriate for them.
At Barclaycard, for example, we not only provide payments but also the back-end security systems and expert advice to keep customer and business data safe. Small businesses should work with providers that offer multiple services, such as Barclaycard, that do payments and know about security and innovation. This reduces the need for multiple vendors, and having expertise in multiple areas in one supplier can also be a cost saving and a way to stretch your budget. The PCI SSC publishes an excellent guide titled “Questions to Ask Your Vendors”, and this will help small businesses evaluate whether their proposed vendor understands how and why cardholder data should be protected from theft and exposure.
What can third parties do to better educate small merchants on secure payment card practices?
Michael Christodoulides: All industry stakeholders have a role to play in securing cardholder data, and if we all play our part and implement the security basics then this will help mitigate the likelihood of a breach in payment security. Third parties exist in the value chain because they offer a service that would otherwise be too expensive or complicated for an individual small business to install themselves. The security basics are just as important for a third party to apply and promote as they are for the merchant. The third party is often the trusted partner to the merchant, and this enables the third party to promote good security practice and the security basics described within the PCI SSC publications “Guide to Safe Payments”, “Common Systems” and “Questions to Ask Your Vendors”.
Now that the Council’s Small Merchant Task Force is in its second year, can you talk a little bit about what the group is working on to help merchants with their payment security?
Michael Christodoulides: The Taskforce comprises some 80 global participants who work collaboratively to produce effective security best practices that are applicable in the context of a number of payment systems. Small merchants face the same threats to their payment and cyber security as do larger merchants. Small merchants need the help of payments industry stakeholders in order to understand how to counter the most common threats that can impact the security of cardholder data.
This is the second year of the Taskforce and during this year participants have been working towards simplifying the payment security validation process for small merchants. Experience has shown that existing Self-Assessment Questionnaires (SAQs) can be difficult for small merchants to understand. This year the main focus of the Taskforce has been about preparing an alternative validation process which is based on the security basics described in the Guide to Safe Payment and Common Payments Systems publications. This sounds easy to do but in practice it has meant a complete review of common payment systems controls, the security threats these systems face and the security controls necessary to mitigate these threats. Then this has to be represented in a way in which the small merchant can comprehend and accurately report upon without diluting the security reporting of the existing SAQ reporting structure.
An outstanding feature of this work is the way in which Taskforce participants, ably led by Lauren Holloway of the PCI SSC, have freely shared their knowledge, expertise and insights both diligently and with due respect for the different areas of expertise of individual Taskforce members. Simplifying payment security validation will be beneficial to small merchants because it will help small merchants focus on growing their business safely and securely.
The PCI SSC and its Taskforce are working towards publishing the simplified security basics validation during the first half of 2018.
What are you most looking forward to at this year’s Europe Community Meeting?
Michael Christodoulides: PCI SSC Community Meetings are excellent opportunities to meet with industry stakeholders in order to learn about what’s new in payment security and how we can work proactively to keep the criminals from accessing cardholder data. There are so many great sessions that I know I will be challenged, and disappointed if I fail to attend as many as possible, because the breadth of learning available is considerable, ranging from management practices and what to do in a crisis through to detailed security controls and the state of payment security in the 21st century.
The Small Merchant Taskforce does have a panel session running on the Wednesday afternoon during which Taskforce representatives from Sysnet Global Solutions, Suresite and Barclaycard will be speaking on behalf of the Taskforce. I am truly excited to hear about some of the real experiences that small merchants have to face every day because as industry professionals we have a continued duty to simplify the comprehension of payment and cyber security for small merchants. I know Taskforce participants, including Barclaycard, are working hard to make this happen.
Networking is always a key component of PCI SSC Community Meetings, and what better way is there to network than to join the Small Merchant Taskforce at breakfast on the Wednesday morning of the Community Meeting in the Vendor Showcase from 07:30 until 09:00. Meeting up in person with Taskforce colleagues whom I often only converse with over the telephone or email is going to be an excellent start to the day!
Enjoy the Community Meeting, and don’t forget to share the published materials of the PCI SSC and its Small Merchant Taskforce, resources specifically for SMEs.