GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?

Table of Contents

Lead Story

Outside forces impinge on payments in 2011


Industry Update

California Lucky's unfortunate breach

Experts discuss the future of mobile payments

NRF sues Fed over Durbin regs


SMBs: Security must become serious

Bill Farmer
Mako Networks

An interview with Marc Abbey

Ken Musante
Eureka Payments LLC

Status report: U.S. economy Q3 2011

Selling Prepaid

Prepaid in brief

Will prepaid pivot with Green Dot's purchase?

'Smart' gifting gears up


Thinking outside the bank

Patti Murphy
ProScribes Inc.


Street SmartsSM:
EMV's time is nigh

Bill Pirtle
C3ET Credit Card Consortia for Education & Training Inc.

QR codes - the new call to action

Stephen Enfield
POS Supply Solutions

Fraud trends 2012: Like 2011, only more so

Nicholas Cucci
Network Merchants Inc.

Crisis management as opportunity

Dale S. Laszig
Castles Technology Co. Ltd.

ISOs welcome in the POS waters

Jerry Cibley
United Bank Card Inc.

Parlay tradeshow costs into social media bonanza

Alan Kleinman
Meritus Payment Solutions

Company Profile


New Products

All-in-one payment platform

FrontStream Payments Inc.


Use your human gifts


10 Years ago in
The Green Sheet


Resource Guide



2012 Calendar of events

A Bigger Thing

The Green Sheet Online Edition

December 26, 2011  •  Issue 11:12:02

previous next

SMBs: Security must become serious

By Bill Farmer

Editor's Note: This article was originally published by Retail Times Nov. 2, 2011; updated version reprinted with permission. 2012 Mako Networks. All rights reserved.

It's been nearly a year since the second version of the Payment Card Industry (PCI) Data Security Standard (DSS) came into force, and small and medium-sized businesses (SMBs) still need to take action to step up compliance measures. Larger businesses, cognizant of the impact a data breach may have on trade and customer loyalty, have largely embarked on the PCI DSS journey to improve their overall security procedures.

This trend must filter further down the ranks into SMBs _ most of which remain unprepared, vulnerable to data breaches and unable to take the steps needed to meet the PCI DSS requirements.

The threat of data theft is ever present

It's been impossible to ignore the continually emerging headlines this year about corporate data breaches and lost customer data. But a number of these stories may actually be doing more to fuel apathy toward the PCI DSS among the SMB community.

On the surface, the spotlight is on big businesses - Level 1 merchants with deep pockets and rich deposits of customer data. In reality, however, lower level fraud crime is just as prevalent at smaller Level 2 through 4 merchants, and on the increase.

As more Level 1 merchants shore up their corporate networks and security, fraudsters are shifting their crosshairs to smaller businesses, the "soft targets."

For example, consider the recent arrest of a German engineer who modified payment terminals for criminal gangs targeting retail outlets across the United Kingdom. SMB crime is a very real and present threat for small businesses.

PCI applies equally to merchants large and small

Any business that stores, processes or transmits cardholder data must be compliant with the PCI DSS. Whether a retailer processes 100 or 100,000 transactions per month, PCI requirements apply equally to both.

Even if a breach has not yet taken place but a merchant is found to be noncompliant, there could be a number of implications depending on their contract, situation and relationship with the bank.

Alongside automatically deducted noncompliance fees, merchants can be forced to pay additional fines passed on from the credit card scheme holders via the bank. Noncompliant merchants often incur higher fees per-transaction and large monthly fees, increasing business overheads and siphoning revenue from their pockets.

While the PCI DSS is often overlooked, one area that is particularly troublesome is the requirement surrounding the storage of cardholder data. The standard outlines what elements of cardholder data may be stored, how it can be stored and what type of protections to apply to specific combinations of data.

Consequences of a breach can be catastrophic

It's often a misconception that this just applies to digital storage, but if a retailer writes down or stores card information on paper, then the PCI DSS applies, too.

This includes organizations that have recurring billing data on computers, credit card machines or readers and/or filed documents with credit card or bank numbers.

SMBs want to leverage technology in order to improve customer footfall and drive efficiency in their businesses. The near ubiquitous availability of broadband offers the potential to achieve this but throws up its own unique set of challenges in respect to the PCI DSS.

Smaller merchants need help; shoehorning enterprise solutions and using corporate language merely confuse the issue.

If the worst does happen and a retailer suffers a security breach where cardholder data is lost or stolen, then the resulting fines, forensic investigation cost and reputational damage can very easily put an SMB out of business.

Often the pillars of the community, SMBs provide convenience products and services essential to daily life. To be destroyed simply because of the implications of noncompliance could be devastating to both the business owner and the surrounding area.

SMBs need help with compliance

It's essential that retailers understand PCI DSS and receive the right support to ensure compliance. Now is the time to educate and prepare SMBs, ensuring these businesses are protected in the future.

The PCI Security Standards Council (PCI SSC) is currently evaluating a proposal for a Special Interest Group early next year to specifically examine the issues of SMBs and compliance with all PCI data security standards.

PCI SSC Participating Organizations were able to vote before Nov. 4, 2011, on the proposal, and if sufficient interest is shown, the PCI SSC may form a committee to more fully explore this important issue. It is my belief that this issue is a serious one, worthy of further exploration and debate.

I hope other Participating Organizations joined me in voting for the SMB Special Interest Group during the open voting period, as it was the first step toward solving this growing issue.

Bill Farmer is Chief Executive Officer of Mako Networks, an international cloud-based network management company headquartered in Auckland, New Zealand, that provides services and managed appliances to connect businesses to the Internet and protect them from the threats it contains. For more information about Mako, a Payment Card Industry Data Security Standard-certified business, please visit To contact Farmer, email

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

USAePay | Impact Paysystems | Electronic Merchant Systems | Inovio