PCI 3.0: Protecting Small Businesses & Their Customers

19 Sep

Small businesses make up nearly 90% of all businesses in the United States. Small businesses are also the most susceptible to payment information theft. They are prime targets for virtual thieves looking to steal customer credit and debit card information. The good news is there are standards out there to help businesses, banks, and card issuers ensure that customer information is secure. These are known as PCI Data Security Standards.

According to pcisecuritystandards.org, the word “password” is still one of the most common passwords in use today, and it is common among merchants and business employees. This is troublesome for a number of reasons. First, “password” is extremely easy to guess and is often the first choice for brute-force attackers. Second, it shows a lack of awareness of how a poor password choice can affect the security of a business and its customers. Credit and debit card usage at the point of sale is more prevalent now than ever before. Cash transactions are at an all-time low. Many people use their payment cards multiple times a day at multiple locations. Do all of these retailers have the same security protocols? Do they all do their utmost to ensure that their customers’ information is kept safe? The answer is probably no. This is a troublesome realization. But what if they don’t know how to make sure their transaction methods are safe and secure? Is there something out there to educate them? Luckily, PCI standards education is making it easier for small businesses (and all businesses, for that matter) to keep payment information secure and build their customers’ trust.

What are PCI Data Security Standards? The PCI Security Standards Council is a global industry initiative and membership organization. It aims to educate and help implement payment security standards for businesses around the world with training courses, certification programs, and best practice guidelines. In short, it helps to create a standard for all payment transactions and their security.

The most recent version of these standards and best practices is PCI 3.0. It’s important to note that these standards apply to more than just the merchant itself. They apply to any entity through which a payment transaction passes, including the merchant, issuer, processors, acquirers, and any other entity that processes or transmits cardholder data. We have provided a very high-level outline of the standards here:

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Protect all systems against malware and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need-to-know
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security for all personnel

Of course, the entire description of recommended policies and procedures delves much deeper and is more specific. The full description of the PCI DSS standards can be found here. It’s also important to note that these standards are not necessarily required for all merchants; however, most major card issuers and merchants do follow these practices. On that note, there is a difference between being compliant and being validated. Validation is not mandatory for every entity, yet issuers such as Visa and Mastercard do require merchants and service providers to be validated against the PCI DSS. Furthermore, if a merchant does suffer a breach and an audit finds that it was not compliant (at the minimum level of the PCI standard) at the time, that merchant is subject to additional fines or penalties.

While small businesses do make up the majority of businesses in the U.S., we can all feel a little safer knowing that there are standards and requirements out there to protect our personal payment data. Can we be 100% secure all the time? Maybe not, but it’s good to know what you can do, and what is out there, as a merchant and as a consumer to ensure that your customers’ information and your personal information are protected from theft.