Bill Farmer, CEO of network security specialist Mako Networks, on the challenges smaller businesses face in becoming PCI DSS compliant
It has been nearly a year since version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS) came into force, and small and medium-sized businesses (SMBs) still need to act to step up their compliance measures.
Larger businesses, cognisant of the impact a data breach can have on trade and customer loyalty, have largely embarked on the PCI DSS journey and improved their overall security procedures as a result. That trend must now filter further down the ranks into SMBs, most of which remain unprepared, vulnerable to data breaches and unable to take the steps needed to meet the PCI DSS.
It has been impossible to ignore this year's steady stream of headlines about corporate data breaches and lost customer data. Yet a number of these stories may actually be fuelling apathy towards the PCI DSS within the SMB community, because they leave the impression that only large companies are targets.
On the surface the spotlight is on big businesses: Level 1 merchants with deep pockets and rich deposits of customer data. In reality, lower-level card fraud is just as prevalent at the smaller Level 2 through Level 4 merchants, and it is on the increase. As more Level 1 merchants shore up their corporate networks and security, fraudsters have shifted their crosshairs to smaller businesses, the ‘soft targets’. Consider, for example, the recent arrest of a German engineer who modified payment terminals for criminal gangs targeting retail outlets across the UK. Card fraud is a very real and present threat for small businesses.
Any business that stores, processes or transmits cardholder data must comply with the PCI DSS. Whether a retailer processes 100 or 100,000 transactions per month, the requirements apply equally to both; what differs between merchant levels is how compliance is validated (an annual self-assessment questionnaire for the smallest merchants, an on-site assessment by a Qualified Security Assessor for the largest), not the controls themselves. Even where no breach has taken place, a merchant found to be non-compliant can face a number of consequences depending on its contract, situation and relationship with its acquiring bank. Alongside automatically deducted non-compliance fees, merchants can be made to pay additional fines passed on from the card schemes via the bank. Non-compliant merchants often incur higher per-transaction fees and large monthly fees, increasing overheads and siphoning revenue from their pockets.
Although the PCI DSS as a whole is often overlooked, one area that is particularly troublesome is the requirement governing the storage of cardholder data. The standard sets out which elements of cardholder data may be stored at all, how they may be stored and what protections must be applied to particular combinations of data. It is a common misconception that this applies only to digital storage: if a retailer writes card details down or keeps them on paper, the PCI DSS applies just the same. It covers organisations that hold recurring billing data on computers, on credit card machines or readers, and in filed documents containing card or bank account numbers.
SMBs want to use technology to improve customer footfall and drive efficiency in their businesses. The near-ubiquitous availability of broadband offers the potential to achieve this, but it brings its own set of challenges with respect to the PCI DSS: connecting a till or card reader to the internet places it, and anything else on the same unsegmented network, within the scope of the standard. Smaller merchants need help; shoehorning in enterprise solutions and using corporate language merely confuses the issue.
If the worst does happen and a retailer suffers a breach in which cardholder data is lost or stolen, the resulting fines, forensic investigation costs and reputational damage can easily put an SMB out of business. SMBs are often pillars of their community, providing the convenience products and services essential to daily life. For one to be destroyed simply by the consequences of non-compliance would be devastating both to the business owner and to the surrounding area.
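As an added illustration of what "storing cardholder data" means in practice (example code written for this page, not from the article or from Mako Networks), the script below audits a constructed set of stored records against the three storage rules in Requirement 3 of PCI DSS v2.0: it flags any stored sensitive authentication data such as CVV2 (3.2), finds cleartext card numbers even in free-text fields (3.4), and masks them to the first six and last four digits when reporting (3.3). The field names, the record layout and the sample records are assumptions made for the example; the card numbers are the publicly documented Visa and Mastercard test numbers, not real cards.

```python
"""Audit stored records for cardholder data that brings a system into PCI DSS scope.

Rules applied (PCI DSS v2.0, Requirement 3):
  3.2  sensitive authentication data (CVV2/CVC2/CID, full track data, PIN) must
       not be stored after authorisation, even encrypted
  3.3  when a PAN is displayed, show at most the first six and last four digits
  3.4  render the PAN unreadable wherever it is stored
The record layout, field names and sample data are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed field names that would hold sensitive authentication data (SAD).
SAD_FIELDS = {"cvv", "cvv2", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not abutting other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that every real PAN satisfies; it filters out order
    numbers and phone numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN found in free text, digits only."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Display form permitted by 3.3: first six and last four digits, rest masked."""
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    record_id: str
    field: str
    issue: str


def audit_records(records: List[Dict[str, object]]) -> List[Finding]:
    """Flag every field that violates 3.2 (any stored SAD) or 3.4 (a cleartext
    PAN anywhere, including free-text notes). PANs are masked in the report so
    the audit output does not itself become a new store of cardholder data."""
    findings = []
    for rec in records:
        rid = str(rec.get("id", "?"))
        for name, value in rec.items():
            if value in (None, ""):
                continue
            if name.lower() in SAD_FIELDS:
                findings.append(Finding(
                    rid, name,
                    "sensitive authentication data stored after authorisation (Req 3.2)"))
            for pan in find_pans(str(value)):
                findings.append(Finding(rid, name, f"cleartext PAN {mask_pan(pan)} (Req 3.4)"))
    return findings


# Constructed sample of a small retailer's recurring-billing table; the card
# numbers are the public Visa and Mastercard test numbers.
SAMPLE_RECORDS = [
    {"id": 101, "customer": "A. Smith", "pan": "4111111111111111", "expiry": "12/13", "cvv2": "123"},
    {"id": 102, "customer": "B. Jones", "pan_token": "tok_8f2c91", "expiry": "06/14", "cvv2": ""},
    {"id": 103, "customer": "C. Brown",
     "notes": "Took card over the phone: 5555 5555 5555 4444, order ref 1234567890123"},
]

if __name__ == "__main__":
    for f in audit_records(SAMPLE_RECORDS):
        print(f"record {f.record_id} field {f.field!r}: {f.issue}")
```

Run on the sample, the audit reports three findings: the cleartext PAN and the stored CVV2 in record 101, and the card number typed into the notes field of record 103. Record 102, which keeps only a token from the payment provider in place of the PAN, is clean, and the 13-digit order reference in record 103 is rejected by the Luhn check. The same logic applies unchanged to a CSV export or a spreadsheet scanned from a paper file, which is the point of the paragraph above: it is the data, not the medium, that brings the record into scope.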
It is essential that retailers understand the PCI DSS and receive the right support to achieve compliance. Now is the time to educate and prepare SMBs so that these businesses are protected in the future.
The Payment Card Industry Security Standards Council (PCI SSC) is currently evaluating a proposal for a Special Interest Group, to be formed early next year, that would specifically examine the issues SMBs face in complying with the Data Security Standard. PCI SSC Participating Organisations may vote on the proposal before 4 November 2011, and if sufficient interest is registered the PCI SSC may form a committee to explore this important issue more fully. It is my belief that this issue is a serious one, worthy of further exploration and debate.
I would urge other Participating Organisations to join me in voting for the SMB Special Interest Group during this open voting period, and take the first step toward solving this growing issue.