Small and medium businesses around the world are increasingly at risk of payment data theft. Nearly half of cyberattacks worldwide in 2015 targeted businesses with fewer than 250 employees, according to cybersecurity firm Symantec. To help these companies protect themselves and their customers, the PCI Security Standards Council (PCI SSC) Small Merchant Taskforce has developed a set of payment protection resources for small businesses. In this series, we highlight security basics from the Guide to Safe Payments for protecting against payment data theft.
Did you know that the companies that support or service your business can actually put you at risk for data theft?
When it comes to protecting your business, confirming the security of your vendors, processors and service providers is just as important as confirming your own. Outsourcing a payment function does not outsource your responsibility for the card data it handles, so it is critical to know who these providers are and what security questions to ask them.
Here are a few tips to help you:
- Know who to call: Who is your merchant bank? Who else helps you process payments? Who did you buy your payment (point-of-sale) device and software from and who installed it for you? Who do you rely on for payment-related services? These might include:
- Payment (point-of-sale) terminal vendors;
- Payment software vendors;
- Payment (point-of-sale) system installers (called integrators/resellers);
- Service providers that perform payment processing, or that host or process your e-commerce site;
- Service providers that help you meet PCI Data Security Standard (PCI DSS) requirements - for example, providing firewall or antivirus services;
- Providers of software as a service - for example, do you have any business processes or data “in the cloud”? If any of these providers access your business remotely (for support, updates or maintenance), find out whether they use unique credentials (log-in and password) for that access, ones used only for your business and not shared across their other customers. A shared support password that leaks from one customer opens every customer that provider services, which is why PCI DSS requires service providers to use a unique credential per customer for remote access.
- Keep a list: Once you know who to call, keep company and contact names, phone numbers, website addresses, and other contact details where you can easily find them in an emergency. Note what each provider does for you and which card data it touches, and review the list whenever you add or change a provider.
- Confirm their security: Is your service provider adhering to PCI DSS requirements? Ask for their current Attestation of Compliance (AOC) and check that the services it covers are the ones they actually provide to you, and repeat the check at least once a year. If you are an e-commerce merchant, it’s important that your payment service provider is PCI DSS compliant too!
- Ask questions: Once you know who your outside providers are and what they do for you, talk to them to understand how they protect card data. Use Questions to Ask your Vendors to help you know what to ask.