Your Voice for SMB Compliance Pains

    John Christly

    January 13, 2017

As a small- to medium-size business (SMB) owner, you know how important a smooth, uninterrupted transaction process is to your bottom line. Keeping that process running means having network security in place, and for any business that accepts payment cards it also means the Payment Card Industry Data Security Standard (PCI DSS) compliance activities that fall within your responsibility. If you do not comply with PCI DSS and a breach occurs, the fines and penalties can be costly, not to mention the damage to your brand and business reputation. PCI DSS is necessary, but quite cumbersome for an SMB to maintain.

We believe that every business should have the means to protect itself and its customers from cyberattacks, and the PCI Security Standards Council (PCI SSC) shares this belief. We’re working together to make compliance management more efficient, and therefore to strengthen the security of all merchants.

Are you a small merchant that needs compliance help? Take a look at the following PCI-relevant questions. This list is far from complete, but if you answer no to any of them, you are not meeting the PCI DSS requirements and could use assistance.
    • Have you installed and maintained a firewall configuration to protect cardholder data?
    • Do you use anti-virus software and keep it regularly updated?
    • Have you assigned a unique ID to each person with computer access?
    • Do you restrict physical access to cardholder data?
    • Do you track and monitor all access to network resources and cardholder data and regularly test security systems and processes?
As small merchants and Netsurion customers know, PCI DSS requires that every company that processes, stores or transmits credit card information maintain a secure environment. Complying with the standard means a company has put a baseline set of controls in place around cardholder data and, perhaps most importantly, that customers can trust that brand when they hand over their sensitive payment card data.

    Small businesses, however, often operate remotely with minimal IT budgets and internal resources. They often cannot fortify their payment systems on their own—let alone keep track of their PCI compliance statuses. Lengthy self-assessment questionnaires and multiple cybersecurity layers that need to be put in place to remain compliant can lead to confusion and frustration.

Luckily, the PCI SSC Small Merchant Task Force exists as a dedicated global effort to help improve payment data security for small businesses. Co-chaired by Barclaycard and the National Restaurant Association (NRA), the task force collaborates on guidance and resources that simplify data security and PCI DSS compliance for some of the businesses most frequently preyed upon by cybercriminals.

    This task force relies on the vast knowledge of its members to provide:
    1. Best practice recommendations on what is needed to protect the payment environment, including working with security assessors, vendors, and service providers
    2. Easy-to-understand content and resources unique to small business needs that will help them take advantage of PCI best practices, standards, training programs, and solutions
    3. Ongoing input to the council on current trends, issues, and concerns for small merchants
    PCI DSS applies to all organizations or merchants that accept, transmit, or store cardholder data, regardless of size or number of transactions. This means that even small restaurants, retailers, hotels, and doctors’ and lawyers’ offices all need to stay on top of their compliance statuses. SMB retailers vary from small operations with one or a few locations, to larger entities with many edge locations, such as franchises or branch offices. The dispersed nature of their businesses can create security gaps and challenges, leaving them vulnerable to data breaches.
    Figure: 2016 Verizon Data Breach Investigations Report (image from Verizon)

    Reputational damage and revenue loss from breach news going public impact the individual edge locations, as well as the corporate brand on a national or even global scale. According to the 2016 Verizon Data Breach Investigations Report, “remote attacks against the environments where card-present retail transactions are conducted” resulted in 534 total breach incidents, of which 525 had confirmed data disclosure. Clearly, more needs to be done to improve security at each and every location under the brand umbrella.

My colleague Mark Cline and I were just appointed to this task force. We will focus our efforts on serving as your voice, to help make compliance more achievable and understandable for SMBs across the globe.

More than 25 years of experience in IT and cybersecurity has given me a deep understanding of what small merchants need to keep their data secure, as well as of industry regulations including PCI DSS, HIPAA, HITECH and more. Right now, I lead cybersecurity and compliance efforts for Netsurion and EventTracker, providing support to our in-house corporate teams, customers, and partners. This gives my team consistent, in-depth insight into small merchants' compliance pains and needs.

Mark is our Vice President of Sales and has been working in cybersecurity and compliance since 2005, starting with an early-stage security startup in Atlanta, GA. Mark has worked with thousands of small- and medium-size merchants to help them understand and navigate compliance requirements, and has supported Fortune 500 companies on high-level cybersecurity and consulting engagements. Mark has also led functions for a security consulting firm specializing in PCI, HIPAA, FISMA, FedRAMP and SOC compliance audits, penetration testing, social engineering, and vulnerability scanning.

All businesses, even small merchants, need to be able to detect and stop threats quickly, before they do serious damage to their networks and systems, and that means monitoring and protecting every endpoint. A managed firewall is still essential, but on its own it is no longer a sufficient barrier against today’s evolving threat landscape: a firewall that only filters inbound connections will not notice a compromised point-of-sale system sending card data out. Risk mitigation now has to include monitoring outbound traffic for signs of data exfiltration, and alerting on it.
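To make the egress-monitoring point concrete, here is an added example (not Netsurion or EventTracker code, and not part of the original post) of the two checks a SIEM or log-analysis job would run over a firewall's outbound-flow log for a cardholder data environment: flag any flow from the POS subnet to a destination that is not on the allowlist of payment-processor endpoints, and flag any POS host whose outbound byte count in the window exceeds a threshold regardless of destination. The log format (`timestamp,src_ip,dst_ip,dst_port,bytes_out`), the subnet, the allowlisted processor addresses (taken from the documentation-only TEST-NET ranges) and the sample log lines are all constructed for the example.

```python
"""Egress monitoring for a cardholder data environment (CDE).

Added illustrative example; not a vendor product's code. Assumes a firewall
that emits one line per outbound flow as
    timestamp,src_ip,dst_ip,dst_port,bytes_out
(a constructed format) and an allowlist of the only destinations POS hosts
are authorised to reach.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: the POS/CDE subnet and the hypothetical payment-processor endpoints.
CDE_NETWORK = ip_network("10.20.0.0/24")
EGRESS_ALLOWLIST = {
    ("203.0.113.10", 443),  # hypothetical payment gateway A (TEST-NET-3 address)
    ("203.0.113.11", 443),  # hypothetical payment gateway B
}
BYTES_PER_HOST_THRESHOLD = 5_000_000  # ~5 MB outbound per host per window

# Constructed sample log: normal authorisation traffic from three POS hosts, plus
# one host (10.20.0.22) pushing several megabytes to an unknown address on 8443.
SAMPLE_LOG = """\
2017-01-12T22:01:03,10.20.0.15,203.0.113.10,443,1840
2017-01-12T22:01:09,10.20.0.16,203.0.113.11,443,2210
2017-01-12T22:02:44,10.20.0.15,203.0.113.10,443,1790
2017-01-12T22:03:10,10.20.0.22,198.51.100.77,8443,2400000
2017-01-12T22:04:51,10.20.0.22,198.51.100.77,8443,3100000
2017-01-12T22:05:02,10.20.0.30,203.0.113.10,443,1900
2017-01-12T22:06:30,10.20.0.30,203.0.113.10,443,1850
garbage line that a real log will contain sooner or later
"""


def parse_flows(text):
    """Yield (ts, src, dst, port, bytes_out) tuples; skip malformed lines rather than crash."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        try:
            yield ts, ip_address(src), ip_address(dst), int(port), int(nbytes)
        except ValueError:
            continue


def find_egress_anomalies(text, allowlist=EGRESS_ALLOWLIST, threshold=BYTES_PER_HOST_THRESHOLD):
    """Return (non_allowlisted, high_volume) findings for flows originating in the CDE.

    non_allowlisted: list of (ts, src, dst, port) for flows to any (dst, port) pair
                     not on the allowlist (PCI DSS requirement 1: restrict outbound
                     traffic from the CDE to what is explicitly authorised).
    high_volume:     dict src -> total outbound bytes for hosts over the threshold,
                     regardless of destination; an authorisation channel that is
                     suddenly megabytes wide also deserves a look.
    """
    non_allowlisted = []
    bytes_by_host = defaultdict(int)
    for ts, src, dst, port, nbytes in parse_flows(text):
        if src not in CDE_NETWORK:
            continue  # only CDE hosts are in scope for these rules
        bytes_by_host[str(src)] += nbytes
        if (str(dst), port) not in allowlist:
            non_allowlisted.append((ts, str(src), str(dst), port))
    high_volume = {host: total for host, total in bytes_by_host.items() if total > threshold}
    return non_allowlisted, high_volume


if __name__ == "__main__":
    bad, heavy = find_egress_anomalies(SAMPLE_LOG)
    for ts, src, dst, port in bad:
        print(f"[ALERT] {ts} {src} -> {dst}:{port} not on egress allowlist")
    for host, total in heavy.items():
        print(f"[ALERT] {host} sent {total} bytes this window (threshold {BYTES_PER_HOST_THRESHOLD})")
```

On the sample log both rules fire on the same host, which is the usual shape of a POS compromise: the destination rule catches it on the first flow, and the volume rule is the backstop for the case where an attacker tunnels the data through an allowlisted destination such as a compromised upstream service. The allowlist check is deliberately on the (address, port) pair rather than the address alone, so an unexpected port on a known processor address still alerts.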

    Image: Netsurion SIEM-at-the-Edge

    We are extremely honored to be members of the task force, so we can use our industry expertise and information gathered at Netsurion and EventTracker to help shape the PCI standard for the better.

    Visit our solutions pages to learn how we can help you manage your PCI compliance. For more information on the PCI SSC Small Merchant Task Force, please visit https://www.pcisecuritystandards.org/pci_security/small_merchant.

  • Serving up Security: What Restaurants Need to Know about Breach Risks and Prevention

    December 14, 2016
    Sure, the headlines have been wrought with healthcare ransomware stories, election-centric email breaches, and massive retail hacks—but restaurants are becoming more vulnerable to data breaches as well and cannot remain complacent.

  • Demystifying PCI Compliance

    August 30, 2016
    PCI compliance: that daunting phrase you always hear in the world of payments…but never truly understand. Well we’re here to sum it up for you—what it is, why it’s important and what you need to meet this standard.
  • No Business is Too Small for Hackers!

    May 02, 2016
    It's National Small Business Week! Let's celebrate the hard work you do and make sure your business continues to grow. Have you ever thought about what would happen if your business is affected by a data breach? 
