Shoring Up Security
In today's multi-pay, 24/7 marketplace, security breaches have become almost commonplace. It seems that every day brings another report of hackers breaking into an unsuspecting business to steal credit card numbers and other sensitive customer information.
In the United States alone, criminal activity contributed to $3.56 billion [1] in payment card fraud last year. And while the media's focus on major breaches may leave the impression that hackers have their sights set on big retailers, in reality, 90 percent of security breaches involve small merchants [2].
Why? Because smaller businesses typically don't have the resources to ensure the security of their networks and systems, and in many cases don't believe they're at risk. To hackers, that makes them easy targets for a quick rip-off.
The result is a loss of reputation, fines, costs associated with rebuilding customer relationships, and for a growing number of small businesses, bankruptcy.
One of the most important things a small business can do to deter hackers is validate compliance with the Payment Card Industry Data Security Standard (PCI DSS). This set of protective measures was developed by the major card associations and includes requirements for security management, policies, network setup and software design.
Compliance requirements for the PCI standard vary. Larger businesses (Level 1 and 2 merchants with more than 1,000,000 transactions and Level 3 merchants with 20,000 to 1,000,000 e-commerce transactions) have more requirements. For example, these merchants must file compliance reports, complete compliance questionnaires and system scans or undergo on-site assessments and receive validation of their PCI DSS status from a Qualified Security Assessor (QSA).
Level 4 merchants (those with fewer than 1,000,000 transactions) are not required to be PCI DSS validated — but if a Level 4 merchant experiences a breach, it must prove that its systems were PCI DSS-compliant at the time of the breach, or face hefty fines, potential litigation and other punitive measures.
Proving PCI DSS compliance after a breach can be costly. Requirements can include a forensic audit by an approved auditor to determine what happened and the extent of the breach — at a cost of up to $20,000.
Determining PCI DSS Compliance
The first step a small business should take to ensure PCI DSS compliance is to investigate the status of its third-party service providers, payment applications and PIN Entry Devices (PEDs). All should be PCI DSS compliant. Businesses should also make sure their processor/acquirer is PCI DSS compliant. Visa keeps a complete list of validated service providers, payment application software and hardware on its website at www.visa.com/cisp.
Qualified Security Assessors are available to help those who may be technology-challenged. QSAs provide on-demand data security and PCI compliance services to help merchants determine whether they are compliant and, if not, what is needed to achieve compliance. The PCI SSC keeps a list of all qualified QSAs on its website at www.pcisecuritystandards.org.
[1] The Nilson Report, November 21, 2011
[2] Payment Card Trends and Risks for Small Merchants, May 10, 2011 supplement to Trustwave's 2011 Global Security Report