PCI Compliance Guidance for Small Businesses
Nearly half (47.1% in 2017) of the American workforce is employed by small businesses, and in many of those small businesses, customers pay with payment cards. Cards are the easy way to pay, and handling cash carries its own risk. So it's no surprise that the Payment Card Industry Security Standards Council (PCI SSC) would take an interest in small businesses.
If you are a small business owner or an employee responsible for the safety of your customers' payment card data, I encourage you to explore the documentation described below.
Located on the PCI SSC website, the “Guide to Safe Payments” document is the primary place to start. This guidance opens with the overarching reason I come to work every day, namely the risk of payment card fraud. They bring the risk to the forefront with statistics.
It grabs your attention when you see 50% of small businesses have been breached in the past 12 months and 61% of breaches hit small businesses.
The guide provides an overview of terms, technology, and the steps involved in a payment system. Concepts such as payment terminals, encryption and ecommerce payment systems are presented. The guidance then plants the seed that complexity in your processes creates risk to payment cards: risk that could allow unauthorized persons to exfiltrate cardholder data, resulting in a breach. Complexity makes risk harder to reduce, which raises your inherent risk, and without reducing that risk an organization opens itself up to liability, both financial and legal. The guidance then drives the concept home with examples of simple payment systems. A payment terminal on a phone line is compared with a complex payment system such as an e-commerce site or an in-store system with many connected parts. Which one do you think has more risk?
Now that they have your attention, the next section is “Protect your business with these security basics.”
It is a well-done data security program overview that has its roots in the PCI DSS. There are 12 security basics presented, with details. A great place to get started, it rates each security remedy by cost, ease (to implement), and risk mitigation. For instance, "Use strong passwords and change default ones" is shown with low cost, low ease to implement and high risk mitigation. Compare that to "For the best protection, make your data useless to criminals," which is rated high for cost and ease to implement but also high for risk mitigation. Both controls will make you safer, but the former is much easier to implement and pay for than the latter.
Each of the 12 security remediations is then broken down into lower-level detail. For "Use strong passwords and change default ones," the guidance presents "what is a password," typical default passwords, and the statistic that "65% of SMBs that have a password policy do not strictly enforce it." Password management is covered, as are links to external infographics and videos found on the PCI SSC website. Each of the 12 security principles is broken down in the same way.
A glossary of payment and information security terms is also provided.
Using it, small businesses can get an understanding of terms used in payment security. Like all things IT, understanding the terms used is half the battle.
Moving on to other guidance, "Common Payment Systems" is an infographic document. Released at the same time as "Guide to Safe Payments," it helps small business owners determine what kind of payment system they have, the risks to that system and the steps they can take to protect it. It breaks the systems down into "Types" by the method used to take payments. For instance, Types 1 and 2 cover accepting payments using a standalone payment terminal, whereas Type 14 covers accepting payments via a virtual terminal on the internet. Each type is presented with an overview, the risks involved, the threats and how to protect card data. The guidance links back to the "Guide to Safe Payments" to explain the security protections.
Another infographic is "Questions to Ask your Vendors," a supplement aimed at one important aspect of the small business experience. It is a given that a small business will have to use external service providers. Because this matters so much, 15 questions are provided that small businesses can ask of their current or potential service providers. If a vendor gives a negative answer to an applicable question, the guidance recommends considering another vendor.
Also provided is an infographic on firewall basics. Firewalls are your primary defense mechanism, and a small business can go a long way to protecting itself by using one. Presented are the minimal configurations desired in all firewalls. Those basic configuration requirements map back to, you guessed it, the PCI DSS.
I saved the best for last. A Data Security Essentials Evaluation Tool is provided on the website to give small merchants some direction. As a small business merchant, you input your current payment type. A series of security principles then comes up, and you select how you have each one implemented. The security principles are the same ones found in "Guide to Safe Payments." The result of the evaluation is an understanding of security practices for payment security and of your own firm's readiness. Ultimately, you will need to work with your acquiring bank to complete a Data Security Essentials Evaluation. That evaluation will get you started on the path to compliance with the PCI DSS.
The security principles in the evaluation tool have their roots in the PCI DSS.
To be compliant, you will have to adhere to all the PCI DSS requirements. In closing, the thrust of the small business merchant guidance is more about getting your hands around how payments are made and getting started down the path to compliance. Beginning the compliance process can be intimidating. I know, I've been there. But small merchants should not feel like they are going it alone. The PCI SSC and your merchant acquirer bank are here to help.
____________________
Drew Cathey has been a member of the SecureTrust team for 5 years and has been in IT for 35 years. Coming from a background in telecommunications IT operations, he has held positions in engineering, project management and IT security. Drew holds degrees in biology, engineering and an MBA in Information Technology management along with PMP, CISSP, CISA and QSA certifications. He resides in St. Petersburg, FL with his two children and enjoys running, bicycling and tennis.