The Payment Card Industry Security Standards Council (“PCI-SSC”) has published a series of payment protection resources for small businesses (<250 employees) to help them avoid becoming victims of cyber attacks. The move follows revelations that small businesses are increasingly the targets of the world’s cybercrime. In the 2015 Government Security Breaches Survey by the British Standards Institute, almost three-quarters of small organizations reported some form of security breach, and more than half of those (52.4 percent) involved “spear phishing,” targeted fake emails that deliver malware into the recipient’s computer system.
The rise in these crimes is especially distressing to European companies. The European Union’s new General Data Protection Regulation comes into force in 2018, and it dramatically raises fines against insufficiently secured businesses, in some cases to as much as €20m (U.S. $22m) or 4 percent of their annual turnover. For small companies that don’t always allocate sufficient resources to protect their assets, the threats against their proprietary information, customer base and the bigger corporations with which they do business have never been greater.
PCI-SSC Guides Target Global Attackers
The Council drew on the resources of a cross-industry, globally sited task force with representatives from the banking, merchant, technology and services industries. Together, the panel crafted four guides that use simple diagrams and common language to explain how to devise and implement appropriate protections against digital attacks.
This easy-to-read, 26-page manual describes the cost of cyber attacks to small businesses, including average annual losses experienced by the company and the potential consequential losses that threaten the entities with whom they do business. Many business owners don’t fully recognize how their inaction can cause financial losses anywhere downstream from their digital activities.
Another revealing section details the myriad ways that cyber criminals can gain access to a payment system. Across the globe, there are many different styles of payment-processing devices, each with a different name and accompanying jargon that depends on local usage. Regardless of local specifics, every such system has vulnerabilities that attackers anywhere in the world can exploit.
For protection against intruders, this guide details 12 separate protective steps, ranging from easy and cheap to more complicated and expensive. It also adds a “risk mitigation” indicator that shows business owners how much each step improves their security. Simply implementing stronger passwords can improve security as much as a substantial investment in high-security payment terminals and solutions.
Although 62 pages in length, this guide is separated into security practices for 14 different payment system configurations, so users only need to review those portions of the guide that pertain to their particular system. The systems themselves vary from dial-up terminals and electronic cash registers to encrypted, wireless, integrated payment terminals with middleware that process over the internet. By identifying which example best describes their system, merchants can then begin implementing the safety procedures recommended for that system.
The task force clearly defines how these systems are vulnerable to intrusion in order to illustrate the risks they pose to their owners and operators. The guide explains how thieves exploit those vulnerabilities and how merchants can close the gaps for better data security. The suggested protections start with simple steps, such as inspecting terminals for damage or tampering. As the complexity of the system increases, the defensive actions become more rigorous and significant. Improved, comprehensive communication with upstream and downstream partners reduces the risk that a compromise at one of those partners spreads into the merchant’s own systems. Sometimes internal systems should also be modified to deter insiders. The level of protection needed depends on the size of the company, as well as the size of the digital community in which it operates.
As noted above, these days, there is no such thing as a “standalone” business. Any entity that has a presence in the cyber world has digital connections to other companies and potential criminals. Successful and secure enterprises recognize and respond to the threats posed to them by lapses in the security systems of their corporate partners.
This guide identifies six types of vendors from whom merchants source their payment system components and accessories. The list of potential vendors covers every aspect of the payment process, from the physical terminals that read cards to the software that securely collects private consumer data and transmits it to the financial services partner. Any one component of a vendor’s offering may in turn depend on a variety of internet-based services, and many of these service providers are subject to regional and jurisdictional requirements as well. The guide is therefore very helpful, since it suggests questions to ask based on the products and services that make up the existing system. At a minimum, merchants should discuss the specific security features of each component of the system and how those features work within the system as a whole.
The payment industry is a global affair, with participants doing business in every country in the world. A single language that instructs them all about improved digital security systems is imperative to ensure that every consumer who accesses the internet can have a modicum of confidence that their personal data will be safe from thieves. By creating this guide, the PCI-SSC establishes that language and thereby thwarts the intentions of at least some would-be cyber criminals.