Troy Leach, Chief Technology Officer of the PCI SSC, discusses how the Council is helping small merchants face threats to payment card data.
What are some challenges small merchants face when tasked with protecting their customers’ payment data?
Small merchants tend to rely heavily on third-party partners to install the payment software and for ongoing management of their solutions. Those third parties may or may not be aware of the need for good security practices or familiar with how to implement controls such as those found in the PCI Data Security Standard (PCI DSS). Nor do many small merchants have the time to scour the internet for the latest security threats or even advancements in payment technology to reduce those risks. Even trying to find literature that is not overly technical, or knowing what security questions to ask their vendors, can seem daunting.
How is PCI SSC addressing these challenges for small merchants?
PCI SSC is dedicated to helping small merchants improve the security of their payment card data by creating educational material and suggested next steps to assess risk within a small business environment. That is why we created the Small Merchant Taskforce in 2015. Made up of cross-industry payment security experts, merchant groups and small merchant advocates, the Taskforce drew from their collective payment security and small merchant expertise to create the PCI Payment Protection Resources for Small Merchants. These resources aim to help small merchants focus on the essential payment data security practices needed to protect payment data and reduce risk in their business environment. Today, we are announcing updated versions of these resources, retitled as PCI Data Security Essential Resources for Small Merchants, to help address the current and evolving threats that small merchants face. These resources include:
- Guide to Safe Payments: Simple guidance for understanding the risk to small businesses, security basics to protect against payment data theft, and where to go for help.
- Common Payment Systems: Real-life visuals to help identify what type of payment system small businesses use, the kinds of risks associated with their system, and actions they can take to protect it.
- Questions to Ask Your Vendors: A list of the common vendors small businesses rely on and specific questions to ask them to make sure they are protecting customer payment data.
- Glossary of Payment and Information Security Terms: Easy-to-understand explanations of technical terms used in payment security.
- NEW! PCI Firewall Basics: A one-page infographic providing guidance on firewall configuration basics.
- NEW! Data Security Essentials Evaluation Tool: An online tool that provides a way for merchants to conduct a preliminary evaluation of their security posture.
Can you tell me more about the Data Security Essentials Evaluation Tool?
We are very excited about the possibilities with this new tool. The Data Security Essentials (DSE) Evaluation Tool provides a mechanism for small merchants to better evaluate how they are addressing critical security risks for their specific payment environment. The DSE Evaluation Tool is an easy-to-use guide for small merchants to help them identify their payment system and the related security evaluation form without over-complicating the process with very technical language. Based on the Common Payment Systems resource, this online tool and evaluation form provides a way for merchants to conduct a preliminary appraisal to see where they stand with critical payment security practices. The tool allows the merchant to provide a more comprehensive answer, rather than just a ‘yes’ or ‘no’, to help them and their partners assess if there is adequate security for the type of payment acceptance they perform.
Can any merchant use this tool?
Any merchant can use the tool to see where they stand with the DSE security practices. The new validation tool can be accessed here. However, a merchant must contact the appropriate source, such as the acquirer or payment brand, to see if they are eligible to use the DSE Evaluation Tool for validation, and to obtain completion and submission instructions. Merchants can use the information from the tool as input when completing their official evaluation forms per their acquirer’s instructions.
How can merchants get started with this new tool?
Merchants are encouraged to first become familiar with the payment security basics set forth in the PCI Data Security Essentials Resources for Small Merchants. Merchants can review this resource for additional instructions and information about the DSE too. Acquirers can learn more with this resource.
Once a merchant completes the DSE Evaluation process, should they assume compliance with the Payment Card Industry Data Security Standard?
No. The PCI Data Security Standard is a much more in-depth evaluation of hundreds of data security requirements and testing procedures. Additionally, compliance is a separate matter and is managed by card brands and acquiring bank partners.
The DSE is a different approach to find the most common risks associated with small merchant environments. As identified in the Verizon Data Breach Investigations Report, the majority of breaches tend to be attacks that are simple to mitigate. The DSE helps to identify the greatest risks to a particular environment, how to address those risks and a tool that a small merchant can use to demonstrate their understanding and progress towards improved security practices.
Merchants must contact their acquirer to see if they are eligible to use the tool for validation, to understand what completion of a DSE Evaluation means, and for completion and submission instructions.
What additional resources does the PCI SSC offer to educate small merchants on payment security practices?
PCI SSC has a large library of resources, from infographics and blog posts to videos and webinars, all designed to provide accessible payment security information for merchants. All these resources live on the PCI Merchant Page. Additionally, the Council’s dedicated blog, PCI Perspectives, delivers up-to-date payment security news, guidance and insights from both PCI SSC executives and external security experts.