Nearly half of all data breaches are aimed at small businesses and occur through the acceptance of credit cards. Last year we posted a blog on this topic and want to update it in light of the Verizon 2018 Payment Security Report (you have to give your name, email, and company in order to download it); here’s an executive summary of the report. Some of what follows is a repeat of the prior blog which, from the Verizon report, was not taken too seriously by many businesses.
Trends in payment security
The Payment Card Industry Data Security Standard (PCI DSS) helps businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data. The Verizon report found that for the first time in 6 years, payment security compliance was down. In 2018, only half (49%) of organizations worldwide are leveraging PCI DSS compliance efforts to meet other security requirements.
All organizations, including payment service providers, merchant processors, online merchants, and face-to-face merchants, that store, process, or transmit payment card data are mandated by VISA, MasterCard, Discover, American Express, and other payment brands to comply with PCI DSS Standards. These are standards created by the PCI Security Standards Council, which was founded in 2006 by American Express, Discover, JCB International, MasterCard, and Visa.
There are 12 key requirements to being secure (some are technical while others are basic business practices):
|Goals||PCI DSS Requirements|
|Build and maintain a secure network and systems||1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
|Protect cardholder data||3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
|Maintain a vulnerability management program||5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
|Implement strong access control measures||7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
|Regularly monitor and test networks||10. Track and monitor all access to network resources and cardholder data
11. Regularly test security system and processes
|Maintain and information security policy||12. Maintain a policy that addresses information security for all personnel.|
Source: PCI Security Council
How to become compliant
According to the Verizon report, only 40% measure their PCI compliance annually for compliance validation purposes. Less than a quarter (19%) measure and report their PCI DSS compliance monthly. If you are concerned about payment card security for your business, review your current security measures.
- Understand the 9 factors of control effectiveness and sustainability. These factors were developed by Verizon to help meet the 12 key requirements discussed earlier:
- Control environment
- Control design
- Control risk
- Control robustness
- Control resilience
- Control lifecycle management
- Performance management
- Maturity measurement
- Do a self-assessment of your cardholder data using PCI’s Self-Assessment Questionnaire.
- Talk with your IT person. Hopefully, the person is versed in PCI DSS. If not, they should be able to refer you to someone who is. As an aside, my IT person told me that it’s easier for small businesses to be compliant because the tech stuff is easy to handle and the non-tech stuff (e.g., limiting personnel who can access computers) is better controlled in small companies.
- Work with your credit card processor. Your bank or other credit card processor is your active partner on PSI DSS compliance, and should be an excellent resource to assist you in becoming and maintaining compliance.
- Work with a national PCI DSS expert. Once this expert certifies that you’re compliant, the costs of dealing with a data breach will be far less than if you were noncompliant.
Consider carrying cyber liability coverage for protection, but be sure to check whether data breaches are explicitly covered. Learn about PSI DSS compliance with this helpful guide.