Small and medium businesses around the world are increasingly at risk of payment data theft. Nearly half of cyberattacks worldwide in 2015 were against businesses with fewer than 250 workers, according to cybersecurity firm Symantec. To help these companies protect themselves and their customers, the PCI Security Standards Council (PCI SSC) Small Merchant Taskforce has developed a set of payment protection resources for small businesses. In this series, we highlight security basics from the Guide to Safe Payments for protecting against payment data theft.
Don’t make it easy for hackers to get into your systems! The more people who have access to your computers and payment data, the greater your risk is as a business.
As a small business, you can’t afford to “absorb” losses the way a large company can, so it’s crucial to minimize the opportunities criminals have to get into your payment system. One way to do this is to limit who has access to your computers and customer payment data, and the ways in which that data can be accessed.
Here are a few tips to keep in mind:
Limit access: Set up your computers to grant access only on a “business need-to-know” basis. As the owner, you have access to everything, but most employees can do their job with access to only a subset of data and applications. For example, consider giving employees access to take payments but not to process refunds. Allow them to take new bookings/orders but not to access payment card data related to an existing booking/order. Some employees should have no access at all. Assign every person a unique ID so the system can track their activity. Require the use of strong, unique passwords. Do not allow sharing of user IDs or passwords.
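To show what “business need-to-know” access looks like in software, here is an added example (not code from the PCI SSC guide or from any payment product) of a small role-based access check with per-user audit logging. The roles, action names and user IDs are constructed for illustration; the point is that each role lists only the actions the job requires, every person has a unique ID, unknown users and actions are denied by default, and every decision is recorded under that ID so unusual activity can be reviewed. Password strength is not modelled here.

```python
"""Least-privilege access control for a small payment system.

Added illustration (not from the PCI SSC guide): every user has a unique
ID, a role grants only the actions that job needs, and every allow/deny
decision is written to an audit trail keyed by that ID.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Actions a point-of-sale system might expose (constructed names).
TAKE_PAYMENT = "take_payment"
NEW_ORDER = "new_order"
PROCESS_REFUND = "process_refund"
VIEW_CARD_DATA = "view_card_data"   # card data for an existing order
MANAGE_USERS = "manage_users"

# Role -> allowed actions. Roles are assumptions for this example; each one
# lists only what that job requires, and a role with no entries has no access.
ROLE_PERMISSIONS = {
    "owner": {TAKE_PAYMENT, NEW_ORDER, PROCESS_REFUND, VIEW_CARD_DATA, MANAGE_USERS},
    "cashier": {TAKE_PAYMENT, NEW_ORDER},   # can take payments, cannot refund
    "booking_clerk": {NEW_ORDER},           # can create orders, cannot see card data
    "cleaner": set(),                       # no access at all
}


@dataclass
class User:
    user_id: str   # unique per person; never shared
    role: str


@dataclass
class AuditEntry:
    timestamp: str
    user_id: str
    action: str
    allowed: bool


@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)
    users: dict = field(default_factory=dict)

    def add_user(self, user_id, role):
        """Register a person under a unique ID; refuse duplicates and unknown roles."""
        if user_id in self.users:
            raise ValueError(f"user ID {user_id!r} already exists; IDs must be unique")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.users[user_id] = User(user_id, role)

    def authorize(self, user_id, action):
        """Return True only if the user's role grants the action.

        Unknown users and unknown actions are denied (deny by default), and
        every decision is appended to the audit log under the caller's ID.
        """
        user = self.users.get(user_id)
        allowed = user is not None and action in ROLE_PERMISSIONS.get(user.role, set())
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user_id, action, allowed))
        return allowed

    def denied_attempts(self, user_id):
        """Entries worth reviewing: denied actions attempted under a given ID."""
        return [e for e in self.audit_log if e.user_id == user_id and not e.allowed]


def demo():
    """Exercise the policy with constructed users and return the decisions."""
    ac = AccessControl()
    ac.add_user("owner-001", "owner")
    ac.add_user("cashier-017", "cashier")
    ac.add_user("clerk-042", "booking_clerk")
    results = {
        "cashier takes payment": ac.authorize("cashier-017", TAKE_PAYMENT),
        "cashier refunds": ac.authorize("cashier-017", PROCESS_REFUND),
        "clerk views card data": ac.authorize("clerk-042", VIEW_CARD_DATA),
        "owner refunds": ac.authorize("owner-001", PROCESS_REFUND),
        "unknown id takes payment": ac.authorize("ghost-999", TAKE_PAYMENT),
    }
    return ac, results


if __name__ == "__main__":
    ac, results = demo()
    for label, ok in results.items():
        print(f"{label}: {'allowed' if ok else 'denied'}")
    for entry in ac.denied_attempts("cashier-017"):
        print("review:", entry)
```

The audit log is the software counterpart of the “track their activity” advice: because each entry carries a unique user ID, a denied refund attempt can be traced to one person rather than to a shared “cashier” login.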
Keep a log: Track all “behind the counter” visitors in your establishment, such as the people who sell or service your payment terminals (vendors, maintenance and support providers). Record their name, the reason for the visit, and the name of the employee who signed off on the visitor’s access. Check this log regularly for any unplanned or unauthorized activity.
Securely dispose of devices: Ask your payment system vendor or service provider how to securely remove payment card data before selling or disposing of devices used to take customer card payments via swipe, dip, insert, tap or manual entry of the card number.