The Green Sheet Online Edition
December 26, 2011 • Issue 11:12:02
SMBs: Security must become serious
Editor's Note: This article was originally published by Retail Times Nov. 2, 2011; updated version reprinted with permission. © 2012 Mako Networks. All rights reserved.
It's been nearly a year since the second version of the Payment Card Industry (PCI) Data Security Standard (DSS) came into force, and small and medium-sized businesses (SMBs) still need to take action to step up compliance measures. Larger businesses, cognizant of the impact a data breach may have on trade and customer loyalty, have largely embarked on the PCI DSS journey to improve their overall security procedures.
This trend must filter further down the ranks into SMBs, most of which remain unprepared, vulnerable to data breaches and unable to take the steps needed to meet the PCI DSS requirements.
The threat of data theft is ever present
It's been impossible to ignore the continually emerging headlines this year about corporate data breaches and lost customer data. But a number of these stories may actually be doing more to fuel apathy toward the PCI DSS among the SMB community.
On the surface, the spotlight is on big businesses - Level 1 merchants with deep pockets and rich deposits of customer data. In reality, however, lower level fraud crime is just as prevalent at smaller Level 2 through 4 merchants, and on the increase.
As more Level 1 merchants shore up their corporate networks and security, fraudsters are shifting their crosshairs to smaller businesses, the "soft targets."
For example, consider the recent arrest of a German engineer who modified payment terminals for criminal gangs targeting retail outlets across the United Kingdom. SMB crime is a very real and present threat for small businesses.
PCI applies equally to merchants large and small
Any business that stores, processes or transmits cardholder data must be compliant with the PCI DSS. Whether a retailer processes 100 or 100,000 transactions per month, PCI requirements apply equally to both.
Even if a breach has not yet taken place but a merchant is found to be noncompliant, there could be a number of implications depending on their contract, situation and relationship with the bank.
Alongside automatically deducted noncompliance fees, merchants can be forced to pay additional fines passed on from the card schemes via the bank. Noncompliant merchants often incur higher per-transaction fees and large monthly fees, increasing business overheads and siphoning revenue from their pockets.
While the PCI DSS is often overlooked, one area that is particularly troublesome is the requirement surrounding the storage of cardholder data. The standard outlines what elements of cardholder data may be stored, how it can be stored and what type of protections to apply to specific combinations of data.
Consequences of a breach can be catastrophic
It is a common misconception that this applies only to digital storage; if a retailer writes down or stores card information on paper, the PCI DSS applies too.
This includes organizations that have recurring billing data on computers, credit card machines or readers and/or filed documents with credit card or bank numbers.
SMBs want to leverage technology in order to improve customer footfall and drive efficiency in their businesses. The near ubiquitous availability of broadband offers the potential to achieve this but throws up its own unique set of challenges in respect to the PCI DSS.
Smaller merchants need help; shoehorning enterprise solutions and using corporate language merely confuse the issue.
If the worst does happen and a retailer suffers a security breach where cardholder data is lost or stolen, then the resulting fines, forensic investigation cost and reputational damage can very easily put an SMB out of business.
Often the pillars of the community, SMBs provide convenience products and services essential to daily life. To be destroyed simply because of the implications of noncompliance could be devastating to both the business owner and the surrounding area.
SMBs need help with compliance
It's essential that retailers understand PCI DSS and receive the right support to ensure compliance. Now is the time to educate and prepare SMBs, ensuring these businesses are protected in the future.
The PCI Security Standards Council (PCI SSC) is currently evaluating a proposal for a Special Interest Group early next year to specifically examine the issues of SMBs and compliance with all PCI data security standards.
PCI SSC Participating Organizations were able to vote before Nov. 4, 2011, on the proposal, and if sufficient interest is shown, the PCI SSC may form a committee to more fully explore this important issue. It is my belief that this issue is a serious one, worthy of further exploration and debate.
I hope other Participating Organizations joined me in voting for the SMB Special Interest Group during the open voting period, as it was the first step toward solving this growing issue.
Bill Farmer is Chief Executive Officer of Mako Networks, an international cloud-based network management company headquartered in Auckland, New Zealand, that provides services and managed appliances to connect businesses to the Internet and protect them from the threats it contains. For more information about Mako, a Payment Card Industry Data Security Standard-certified business, please visit www.makonetworks.com. To contact Farmer, email firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.