Cyber criminals are shifting their focus to target smaller businesses that accept credit card payments, which means your business could be next. With 60% of small businesses going under within 6 months of being breached, the cyber security and PCI compliance of your business should be one of your top priorities. After reading this article you will know:
- Why Cyber Security Is Important for Your Small Business.
- How to Protect your Business from Cyber Threats When Processing Credit Cards.
- What to do if you suspect you have been hacked.
Why Cyber Security is Important for Your Small Business
- Cybercriminals are now targeting smaller businesses in greater numbers where security is weaker.
- 60% of small businesses that suffer a data breach are out of business 6 months later.
- A recent survey by Fortinet found nearly two-thirds of consumers held merchants responsible for data breaches.
To help understand these issues we spoke with Simon Gamble, small-business cyber security expert and president of Mako Networks’ U.S. branch.
A Basic Overview
Simon began our conversation with three comments:
- Any small business that accepts credit cards is a potential target for a cyber security breach.
- Small businesses are held to the same level of credit card security standards (discussed later in this article) as large businesses such as Target or Home Depot.
- Any small business that suffers a cyber security breach and is found to be non-compliant with credit card security standards is fully liable for charges related to the breach.
You Could Be a Target
If you are a small business that accepts credit cards, then you are vulnerable to a cyber attack. Cyber attackers are targeting small businesses more and more, because their networks are easier to hack and they are not as regularly checked for compliance with credit card security standards.
If you are underprotected, a hacker can now inject malware onto your payment terminal from anywhere in the world and access your customers’ information.
PCI Compliance (Credit Card Security Standards)
If you accept credit cards, then you have agreed to abide by the Payment Card Industry Data Security Standard (PCI DSS), whether you know it or not. The PCI DSS is a set of requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.
Security Breaches, Liability, and Other Consequences
If your small business is suspected of a security breach, PCI DSS inspectors come in and try to determine if there is a breach and how it occurred. This process in and of itself can be crippling for a small business, shutting down operations for a minimum of several days and costing between $8,000 – $20,000 in inspection fees.
If your business is found to be non-compliant, then you are potentially held liable for even more charges:
- Data Security Fine – Up to $500,000 fine per security breach incident.
- Non-Compliance Fines – Up to $50,000 per day for non-compliance with published standards.
- Card Replacement Fees – $3-$10 per card x total number of cards compromised.
- Refund Fees – Potentially held liable for all fraud losses incurred from compromised account numbers.
If breached, your business not only risks a severe monetary penalty, you also risk losing the trust of your customers, as mentioned in the statistics above. Often, the loss of customers is the final blow that finishes off an already compromised small business.
How To Be PCI DSS Compliant and Protect your Business from Cyber Threats
The key is to make sure your business is PCI DSS compliant. Why? First, PCI compliant businesses rarely, if ever, have been successfully hacked. Second, if your business is successfully hacked while compliant, you are not liable for any fines or charges (except possibly audit fees).
Here’s how to make your business PCI DSS compliant.
Know the Requirements for PCI DSS Compliance
You need to know what you have signed up for and what is required for your business to be compliant. If you don’t, you won’t know what steps you need to take in order to secure your business.
PCI Compliance Is More Than Transaction Compliance
There are two main types of PCI compliance: environment (network) and transactional. Many businesses purchase a PCI DSS compliant POS system and think that they are compliant. In reality, this kind of compliance relates only to credit card transactions and not to your business environment/network, which must also be PCI compliant. The network environment in which your POS equipment resides is just as important as your transaction system.
A detailed list of all compliance areas can be found at PCI’s Quick Reference Guide. PCI’s quick and dirty list is as follows:
- Buy and use only approved PIN entry devices at your points-of-sale.
- Buy and use only validated payment software at your POS or website shopping cart. The PCI Council publishes a list of validated payment software on its website.
- Do not store any sensitive cardholder data in computers, receipt printers, or on paper.
- Use a firewall on your network and PCs.
- Make sure your wireless router is password-protected and uses encryption.
- Use strong passwords (a mix of upper and lower-case letters, numbers and special characters). Be sure to change default passwords on hardware and software – most are unsafe!
- Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
- Teach your employees about security and protecting cardholder data.
- Follow the PCI standard. See below.
- Assess – identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
- Remediate – fixing vulnerabilities and not storing cardholder data unless you need it.
- Report – compiling and submitting required reports to the acquiring bank and card brands you do business with.
Take The Necessary PCI Compliance Steps
There are two main ways to make your business more secure and PCI DSS compliant:
- Hire a PCI DSS Qualified Security Assessor (QSA)
- Do it yourself
Hiring a PCI DSS QSA
PCI SSC certified QSAs are organizations that have been qualified by the PCI Council to assess compliance with PCI DSS standards. QSAs perform data security assessments, make recommendations, and provide certification. Hiring a QSA will save you the time it would take to do the research yourself and will also give you peace of mind that the job was done right.
The big downside to hiring a QSA is cost. You have to pay the QSA fees, which are generally quite expensive. One quote I checked on charged a base $5,000 fee plus $200 for every hour. On top of that, you have to pay for the equipment/software to fix whatever problems the QSA finds, which is also costly.
Figuring out PCI DSS compliance for yourself can seem a daunting task. However, just because you’re not hiring a QSA does not mean it cannot be done or that you have to do it without help.
Here is how to do it:
- Educate Yourself
- Secure your Payment Network
- Use a Security Software that Tests for Vulnerabilities
- Fill out and turn in your PCI DSS Self-Assessment Questionnaire
Educate Yourself
This has already been generally addressed above. Here is the link again for the quick reference PCI DSS compliance guide. Although it is a bit rough to get through, it is only 33 pages and is important to read if you plan on monitoring PCI DSS compliance for yourself.
Secure your Payment Network
Simon recommended 3 main action steps every small business can take to make their network more secure and compliant.
1. Install a Proper Firewall
A proper firewall keeps hackers from stealing information from your business.
We recommend Mako Networks, which offers a secure and PCI DSS compliant payment network, complete with firewall, starting at around $80/month. Check out their distributor list to find a reseller near you.
2. Have a separate network for payment services
Separating your payment network from your other business networks means hackers cannot access sensitive card data from anywhere in your general business network. Instead, they have to hack your payment network specifically, which with the proper firewall in place will make their task much more difficult.
3. Change Usernames and Passwords every 90 days or so on all access points
Make sure you change default usernames and passwords as soon as you can, because they are rarely secure. Then, change usernames and passwords every 90 days. Most network providers have their own how-to document available detailing how to do this. Here is a general guide to changing your wireless network password.
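The quick-list items above (firewall, encrypted wireless, strong non-default passwords, rogue-software checks) and Simon's three action steps (firewall, a separate payment network, 90-day credential rotation) are easiest to keep up with if you check them against a written inventory on a schedule. The following is an added example, not code from the article, Mako Networks, or the PCI Council: a small Python audit that runs the checks this article names over a constructed device and Wi-Fi inventory. The 12-character minimum password length, the set of accepted Wi-Fi encryption types (WPA2/WPA3), the sample addresses and credentials, and the finding codes are all assumptions of this example.

```python
"""Audit a small-business device inventory against the PCI quick-list items
named in this article. Example code; inventory values below are constructed."""
from datetime import date
from ipaddress import ip_address, ip_network

ROTATION_DAYS = 90              # the 90-day rotation the article recommends
MIN_PASSWORD_LENGTH = 12        # assumption: the article gives no minimum length
ACCEPTED_WIFI = {"WPA2", "WPA3"}  # assumption: open and WEP networks are rejected

# Constructed sample inventory: one entry per device on the premises.
SAMPLE_DEVICES = [
    {"name": "pos-terminal-1", "role": "pos", "ip": "10.20.0.11",
     "password": "Rz7$kq!Lm2Pw", "password_set": "2024-02-01",
     "default_credentials": False},
    {"name": "pos-terminal-2", "role": "pos", "ip": "192.168.1.40",
     "password": "admin", "password_set": "2023-01-15",
     "default_credentials": True},
    {"name": "office-pc", "role": "office", "ip": "192.168.1.20",
     "password": "Summer2024", "password_set": "2024-03-20",
     "default_credentials": False},
]
SAMPLE_WIFI = [
    {"ssid": "shop-wifi", "encryption": "WPA2", "password": "G7#vPq2!xL9m"},
    {"ssid": "shop-guest", "encryption": "open", "password": ""},
]
FIREWALL_ENABLED = True
PAYMENT_NETWORK = "10.20.0.0/24"   # constructed: the separate payment segment
AS_OF = date(2024, 6, 1)           # constructed audit date


def is_strong_password(password: str) -> bool:
    """Article rule: mix of upper, lower, digits and special characters."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def password_age_days(password_set: str, as_of: date) -> int:
    """Days since the credential was last changed (ISO date string in, days out)."""
    return (as_of - date.fromisoformat(password_set)).days


def audit_devices(devices, payment_net, as_of):
    """Return (device_name, issue_code) pairs for each quick-list item a device fails."""
    payment = ip_network(payment_net)
    findings = []
    for d in devices:
        addr = ip_address(d["ip"])
        if d["default_credentials"]:
            findings.append((d["name"], "default-credentials"))
        if not is_strong_password(d["password"]):
            findings.append((d["name"], "weak-password"))
        if password_age_days(d["password_set"], as_of) > ROTATION_DAYS:
            findings.append((d["name"], "password-rotation-overdue"))
        # Segmentation: POS gear belongs on the payment network, and nothing else does.
        if d["role"] == "pos" and addr not in payment:
            findings.append((d["name"], "pos-outside-payment-network"))
        if d["role"] != "pos" and addr in payment:
            findings.append((d["name"], "non-pos-inside-payment-network"))
    return findings


def audit_wifi(networks):
    """Wireless must be encrypted and password-protected with a strong password."""
    findings = []
    for n in networks:
        if n["encryption"] not in ACCEPTED_WIFI:
            findings.append((n["ssid"], "wifi-weak-or-no-encryption"))
        elif not is_strong_password(n["password"]):
            findings.append((n["ssid"], "wifi-weak-password"))
    return findings


def run_audit(devices, networks, firewall_enabled, payment_net, as_of):
    """Combine the device, wireless and firewall checks into one findings list."""
    findings = audit_devices(devices, payment_net, as_of) + audit_wifi(networks)
    if not firewall_enabled:
        findings.append(("network", "no-firewall"))
    return findings


if __name__ == "__main__":
    for name, issue in run_audit(SAMPLE_DEVICES, SAMPLE_WIFI, FIREWALL_ENABLED,
                                 PAYMENT_NETWORK, AS_OF):
        print(f"{name}: {issue}")
```

Run against the constructed inventory, the audit flags the second terminal four times (default credentials, weak password, overdue rotation, and sitting on the office network instead of the payment segment), the first terminal once for an overdue password, the office PC for a weak password, and the open guest Wi-Fi; the firewall check passes. The point of keeping the checks in a script rather than a memory is that the 90-day rotation and the segmentation rule are exactly the items that silently drift when a new device is plugged in.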
Use a Security Software that Tests for Vulnerabilities
There are various software options available that test your network and payment terminals for breach vulnerability and PCI security compliance. Check with your payment processor first; some offer free PCI DSS testing software as part of their package.
If you do not already have access to a PCI Security Software, we recommend ControlScan Inc’s PCI 1-2-3. This software gives the small business owner real-time access to the most up-to-date PCI compliance rules. It also conducts vulnerability scans, providing reports and detailed instructions to secure any weak areas. Cyber security training for employees is also included. PCI 1-2-3 costs $250/yr plus an additional $100 per extra IP address.
Fill Out Your PCI DSS Self-Assessment Sheet
To be PCI compliant, small businesses are required to fill out an annual PCI DSS Self-Assessment sheet. This sheet is a do-it-yourself checklist to determine compliance. Instructions and the link to complete this self-assessment questionnaire can be found on PCI’s self assessment forms page.
What to Do if You Suspect You Have Been Breached
If your computers are unusually slow, one has been tampered with, or you are locked out of various accounts for no reason, it is possible you have been breached. A more comprehensive guide to determining and dealing with a possible breach is available on Visa’s website.
If you suspect a breach, here is what you need to do.
- Report the Breach to Your Payment Processor/Merchant Bank
- Check State Disclosure Regulations and Alert Local Law Enforcement
- Comply Fully with any PCI DSS Audit
Report the Breach to Your Payment Processor/Merchant Bank
If you suspect a breach, contact your payment processor or merchant bank and let them know that a possible security breach has been detected. They will then go over protocol and determine what should be done.
Check State Disclosure Regulations and Alert Local Law Enforcement
Check your state’s regulations to see who you are supposed to inform. In most cases, you must let customers know that there has been a possible security breach, usually in writing.
Generally, you also should alert your local law enforcement agency. Check with your legal advisor and/or your payment processor to be sure.
Comply Fully with any PCI DSS Audit
Your payment processor or their bank normally initiates a PCI DSS audit. If you are notified of an upcoming audit, gather all of your information related to PCI compliance and have it ready for the inspectors when they arrive. You want the audit team to be assured that you are on board and fully cooperative. This will make the process much smoother, getting your business back up and running as quickly as possible. Full compliance also communicates that you have nothing to hide.
The audit team comes in and checks to see if, how, and where a security breach has occurred. They also determine whether or not your business was in fact compliant with PCI DSS requirements. You will probably have to pay the audit fees. But if you do meet PCI DSS requirements, you are not responsible for any fines, credit card replacement fees, or fraud refunds.
The cyber security and PCI DSS compliance status of your small business is an important issue. If you follow this guide and take the necessary steps, your business will be more secure than many other small businesses out there and will be prepared should a cyber attack actually take place.