Stolen personal data is big money for criminals and bad news for small businesses.
Whether it’s credit card details, National Insurance numbers or account passwords, our personal information commands soaring prices.
As hackers become more adept at prising data from businesses, the pressure is mounting on Small to Medium Enterprises (SMEs) to tighten their data security procedures as we truly move into the digital age of modern commerce.
A major step in the right direction is to secure credit card data and comply with the Payment Card Industry Data Security Standard (PCI DSS). Effort expended on PCI compliance assists in protecting all other business data.
Most SMEs are focused on maintaining sales and meeting budgetary restraints, leaving little time (or even desire) to tackle digital security and the complicated task of PCI compliance.
Unfortunately, this reaction to economic pressures is leaving businesses seriously exposed to the risk of data breaches. Every week, our company’s security appliances block thousands of intrusion attempts at SMEs across the UK, providing fresh evidence that hacking is a very real problem for this sector.
Given the significant resources required from businesses large and small to attain PCI compliance, prioritising security has often not been an option. Merchants need comprehensive and intelligent advice on how to keep their business's and customers' data safe from criminals. Calls for a single end-to-end PCI solution for small-site compliance are becoming increasingly desperate.
The $64,000 question is: ‘Are technology vendors brave enough to collaborate for the good of the SME sector and find a solution?’
PCI DSS compliance: what’s it all about?
In 2004, the five major credit card companies (Visa, MasterCard, American Express, Discover and JCB) came together to create the PCI DSS and help businesses of all sizes combat credit card fraud.
The PCI DSS is an established set of best-practice security obligations that companies handling cardholder information for the major credit, debit, prepaid, ATM, POS and e-purse cards must meet.
This means the PCI DSS applies to any business that stores, processes or transmits cardholder data (including merchants and service providers). On 26 October 2010, the PCI Security Standards Council (SSC) launched the latest version of the standard, namely PCI DSS 2.0. As of 1 January this year, all annual PCI assessments must now also be carried out against the 2.0 requirements.
In Verizon’s ‘Initial Report on Compliance’ (IROC, 2011), only 21% of organisations were found to be fully compliant with the PCI standards at the time of their audit, and it’s smaller merchants that have been hit hardest financially by fraud.
Security solutions provider Trustwave also found that around 90% of incidents where card data was compromised occurred in Level 4 merchant environments (those that accept less than 20,000 card transactions per year), in turn demonstrating how vulnerable the SME sector remains.
Smaller businesses sometimes wrongly presume that security breaches are only a concern for larger retailers. However, professional criminals know that smaller retailers processing card-present transactions are likely to be easier targets and, unfortunately, it’s SMEs who often find the loss of customer trust after a breach all the more crippling.
Often, SMEs are also in a less robust financial position to absorb the costs of mandatory forensic investigations and bounce back from a security breach.
Simplifying the PCI compliance process
Simplifying the PCI compliance process can fast-track the journey to security for a large proportion of vulnerable businesses. Such security is essential as businesses adopt more modern technology to streamline operations and speed up card transaction times, for example, by installing broadband Internet connections for payment terminals.
To simplify security still further, SMEs would benefit from an intelligent Internet portal that could provide accurate information about their network status and automatically populate the Self-Assessment Questionnaire (SAQ) that small merchants are required to complete each year to attest PCI DSS compliance.
This information should be shared in a compliant manner among trusted parties, such as acquiring banks, which are also obligated to manage and report risk.
So far, the discussion has mainly focused on PCI DSS compliance as there will be a large number of merchants adversely affected by non-compliance in the event of a data breach, but of equal – or greater – concern is the forthcoming European Data Protection Act in 2014, which could lead to legal action against merchants unable to safely guard personal data.
Under the new regulation, suppliers will be held responsible for the breaches they cause, just like their customers. If cardholder information is shared with service providers, businesses should maintain and implement policies and procedures to manage them. This means all businesses have to consider whether their suppliers are putting them at risk of non-compliance.
Outsourcing payment services may seem the best option for merchants. That said, they have to really be sure their partner is constantly up to speed with evolving data security requirements. Certifying PCI DSS compliance also assists with mitigating this risk.
PCI myths that trick the merchants
- Myth One: Retailers can achieve compliance using a single vendor or product
Many services or software suppliers claim to ensure PCI compliance, but this may cover just one narrow aspect of the total PCI requirements. All 12 PCI DSS criteria have to be accounted for in order to achieve total compliance.
- Myth Two: Outsourcing card processing makes the retailer compliant
While an outsourced payment processing partner may well be PCI DSS compliant, this is just one aspect of the whole environment that’s subject to compliance auditing.
Onsite equipment and data storage all need to be monitored as part of the compliance process to ensure absolute security.
The vendor community also needs to be more aware of the messages they convey to retailers. Claims that solutions can make a retailer fully compliant can be misleading because it’s impossible for a technical system to deal with every single aspect of compliance.
- Myth Three: Compliance is a one-off IT project
The issues of compliance reach into every department of a business. It’s not just about making sure networks have firewalls and computers have passwords (although these are important). It can also affect staff procedures and physical security, like locking the door.
Compliance is something that should be monitored and updated continuously to ensure the business is always protected.
- Myth Four: PCI compliance is overly complicated
Employing service providers with good security credentials will make compliance easier for merchants. The constantly evolving nature of fraud makes compliance complicated, so passing it on to an expert facility for protection is often the simplest way.
According to the PCI Security Standards Council, in 2010 there was more than €417.5 million in UK card fraud – exceeding €1 million per day. Under Visa’s current enforcement scheme, a non-compliant merchant could expect to be fined a one-off payment of £10,000.
Continued non-compliance is likely to incur fines of £5,000 to £15,000 per month.
Merchants are also subject to forensic investigations to establish the cause of every data breach, and card schemes can charge for these costs. According to Visa, the average cost of a card data breach totals £7.8 million.
SMEs are more vulnerable to breaches because of a lack of education about PCI compliance. Many are putting their reputation at stake, and risk financial damage from fines and fees whether or not a breach actually occurs.
Merchants need an end-to-end solution that will make compliance issues simple and manageable.
Closing the PCI loop (together)
Working with third parties may be the answer to simplifying compliance, but it’s not always the easiest relationship to manage.
SMEs who need to outsource payments and network management are confronted with the ongoing task of ensuring the vendors they use are PCI compliant.
Competing vendors in the same sector can develop solutions in isolation without fully understanding the larger service they are providing or problem they are solving. The payments industry is particularly guilty of this.
New expectations and security requirements around PCI DSS are regularly implemented, yet no single organisation currently has the full capability to deliver this much-needed end-to-end solution. Collaboration between vendors is needed now to offer the best possible system for combating data theft and fraud. If PCI vendors join forces to close the PCI ‘loop’, not only would security provisions be better but they’d also be easier to manage.
Many parties involved in the PCI process, such as Qualified Security Assessors, acquirers and processors, must appear unbiased, so providing recommendations and clear advice to merchants can prove difficult. To improve education, communication channels between merchants and vendors must be clearer.
Partnerships between vendors and merchants
A recent White Paper from Mako Networks strongly suggests that there’s room for improvement surrounding the understanding of PCI DSS and the partnerships between vendors and merchants.
The organisations we interviewed for this report are keen to accelerate greater partnership and agreed that an ideal PCI world would see a global list of PCI-certified vendors that retailers could reference.
To make life even easier for merchants, a single aggregator could co-ordinate all the approved vendors to ensure that compliance is met. Collaborative practices need to become widespread.
Hopefully, in the future we’ll be looking at a very different security landscape, one that prevents criminals from having the upper hand over merchants.
Bill Farmer is CEO at Mako Networks