New tools for small, midsize merchants from PCI SSC

The PCI Security Standards Council (PCI SSC) launched a new set of resources July 7, 2016, specifically designed for small business owners. The global forum, based in Wakefield, Mass., best known for establishing the PCI Data Security Standard (PCI DSS), is also responsible for the developing, managing and broadening awareness of PCI DSS and payment data security best practices. To stem the growing tide of cyberattacks against small and midsize merchants, the council formed a Small Merchant Taskforce to identify vulnerabilities in small business payment systems and create targeted solutions to help business owners protect and secure cardholder data.

Some of the PCI DSS guidelines contain complex, technical terms and legalese that can be difficult for small merchants to comprehend. PCI Security Standards Council General Manager Stephen Orfei saw a need for clear guidelines written in accessible language with graphical displays to illustrate key points.

"The market has been in desperate need of easy-to-understand payment security resources for small businesses," he said. "Working with a global, cross-industry taskforce representing merchants, banks, merchant associations, technology and service providers, and other small merchant partners, we're pleased to provide practical guidance to small businesses on how they can start protecting themselves against cybercriminals."

"Most small businesses have never heard of the PCI Data Security Standard, let alone read it," added Troy Leach, PCI SSC Chief Technology Officer. "If they did read it they probably would need a background in both information security and payment processing to best understand the requirements."

Printed, online resources

The newly published Guide to Safe Payments can be found on the PCI SSC website; printed versions are also available. Banks and processors can download, brand and distribute the reference guide to their small business customers. The council has published additional insights, including Focusing on the Fundamentals: Payment Protection Resources for Small Businesses in their PCI Perspectives blog site.

Following are highlights of the small merchant series documentation:

• Diagrams: Leach stated that few companies are aware of how payment data flows from their business to financial partners. A set of simple diagrams illustrate how merchants, banks, payment processors and third party vendors work together to protect against payment data theft.

• Best practices: The document provides basic guidance on safe payment methods and security best practices. As Leach noted, "some of the most impactful changes a small business can make to protect themselves from a data breach are relatively simple steps."

• Key questions: Mechants can help with confirming system-wide compliance if they ask certain questions of their technology and service providers. "The materials also include basic guidance and some simple questions to ask a potential new supplier that can be quickly absorbed and acted upon, ideal for small businesses," said Small Merchant Taskforce Co-Chair Michael Christodoulides, who serves as Vice President Payment Security, Global Payment Acceptance, Barclaycard.

• Glossary: This reference resource lists technical terms with their definitions.

Taskforce co-chair David Matthews, General Counsel of the National Restaurant Association has seen considerable risk of data breaches among small restaurateurs. The new guidelines provide best practices and tools that can help small and midsize restaurants protect against cyberattacks, he said. "We specifically ask those working directly with the small business community to use these resources to educate companies on ways they can improve their security while simplifying their responsibility, so they can focus on other aspects of their business," he added.

A work in progress

The Small Merchant Taskforce plans to continually update and promote the small merchant payment protection resources, especially in the growing ecommerce sector, where additional tools and guidelines are needed, Leach stated. He pointed out that many small merchants rely on financial institutions, processors and third-party vendors for guidance on credit card processing; he urged these partners to include security in the dialog.

Leach also noted that education is a critical first step in protecting small businesses from data breaches. For example, many small merchants don't understand the importance of changing vendor default passwords, or how to change them. "As an industry, if we can help these companies understand their risk, security basics to protect against data theft, and where to go for help, we'll have made a substantial shift in cardholder data security for the entire payments ecosystem," he said.

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.