While traditionally overshadowed by large merchants, small merchants – businesses like the corner bodega, the local hairdresser, and the food truck parked in the town square – remain ripe targets for cybercriminals.
Point-of-sale terminals, where sensitive cardholder data covered by the Payment Card Industry Data Security Standard (PCI DSS) is securely processed and transmitted, are consistently targeted in hacking campaigns. With the average cost of a data breach having risen this year, from $141 to $148 per lost or stolen record, having defenses in place to protect customer payment card data continues to be crucial for small merchants.
The PCI Security Standards Council, a Massachusetts-based consortium that oversees the PCI DSS set of standards, released a new tool on Tuesday to ensure small businesses are on the right path when it comes to protecting card data and cognizant of their security risks.
The Data Security Essentials Evaluation Tool, a series of questions on merchant payment card security, is meant to simplify the act of measuring a business's security posture.
The tool walks small merchants through multiple payment system diagrams and has them identify the payment system that's closest to their setup. From there it gives a comprehensive overview of that payment system and breaks down where card data is at risk, how cybercriminals can steal it, and recommended ways to protect it.
The tool is a solid primer for small businesses, especially those unfamiliar with the many ways cardholder data can be stolen. It guides companies through how threats like skimming equipment, card-data-stealing malware, and compromised POS terminals can be used to exfiltrate data.
The tool is based on a resource recently retooled by the council, Version 2.0 of its Common Payment Systems guide, essentially a best-practices guide on payment system types and the best ways to secure them. After a small merchant has concluded the evaluation, they're encouraged to download an additional evaluation form that offers advice and instructions on encrypting card data, using secure payment terminals and solutions, and reducing risk in their environment.
While the council says any merchant can use the tool to see how their security practices stack up, there are some prerequisites that an organization should tick off before using it.
A merchant should ensure the tool is right for their organization by contacting their acquirer, or payment brand, to confirm they're eligible to use the tool and to obtain the right completion and submission instructions. Acquirers should then work with merchants to complete the Data Security Essentials evaluation and on fulfilling the recommended safeguards.
PCI SSC's tool comes on the heels of data security documentation for small merchants published by Visa in April earlier this year. Visa, citing research on the payment security landscape from January 2018 to March 2018, pointed out that small merchants have been targeted more frequently than other organizations and that the trend suggests the number and impact of e-commerce compromises are increasing. Level 4 merchants consistently experience more breaches than large merchants, according to the financial services corporation. When it comes to PCI compliance, Level 4 merchants are merchants who accept/process less than 20,000 Visa or MasterCard online transactions or up to 1 million transactions annually.
58 percent of breach victims from this year's Verizon Data Breach Investigations Report were categorized as small businesses. According to the report, 90 percent of the breaches that hit the accommodation and food services industry stemmed from point-of-sale intrusions.
The release of the tool also comes a few weeks after researchers, presenting at the Black Hat security conference in Las Vegas, outlined vulnerabilities in mobile point-of-sale readers from Square, SumUp, PayPal and iZettle. While these devices had physical security mechanisms in place to thwart criminal activity, some also contained vulnerabilities that attackers could theoretically exploit to carry out arbitrary commands and perform remote code execution.
Having a robust data protection solution deployed can also help organizations, small merchants and banks alike, protect financial data and achieve PCI DSS compliance.
Credit card image via frankieleon's Flickr photostream, Creative Commons