PCI compliance standards can be a huge pain. We know. And helping your merchants stay PCI compliant can seem like a thankless job. The standards are always changing because they have to evolve as quickly as attackers do if they're going to protect merchants, especially "Mom and Pop" ones. So although keeping your small business merchants PCI compliant might take more effort, in the long run you'll thank yourself. With clear communication and some extra precaution, you can help all your merchants stay on board with PCI compliance standards and keep their data secure. In return for your care and concern for the well-being of their business, you could also earn their lifelong loyalty.
What to say when your merchant exclaims “why are the PCI compliance standards always changing?!”
Ask any average Joe and they will readily agree that credit card payments have improved dramatically since the first point-of-sale (POS) terminal was introduced. In the past 10 years alone, the payments industry has grown exponentially, and we've seen several new forms of payment and new technologies, such as e-commerce, mobile payments, and donate buttons, created to meet the ever-changing demands and preferences of cardholders. While these advancements provide new ways to conduct commerce, they also introduce new security challenges.
As an ISO, one of your roles is to help merchants understand and incorporate PCI compliance standards in their businesses. It may seem to merchants, and even ISOs, that PCI compliance standards don’t really go beyond self-assessment questionnaires (SAQs). But because of this common notion, we’re discovering more and more ways that merchants are falling behind on data security.
Small-to-Medium Sized Businesses Are a Prime Target for Hackers
It's important to consider that the PCI Security Standards Council has placed a greater focus on Level 4 merchants*, which are small-to-medium sized businesses. The reason is that the majority of Level 4 merchants are using POS terminals that are connected to the Internet. The risk of a breach occurring with these terminals is far greater than with a dial-based terminal. It's common for POS systems to be installed with default settings for passwords and other items, making them easy targets for hackers.
According to the PCI Security Standards Council, more than 80% of data breaches involve small merchants. We've heard many reports of small business owners who will just take what they get from terminal vendors without checking their security options, or who follow a basic security protocol without knowing how to incorporate PCI compliance standards. If they aren't invested in the process, or they don't understand how to become PCI compliant, they unintentionally leave themselves open to all kinds of malware and attacks. The same merchants will likely complete a PCI compliance questionnaire and, if they meet the criteria, quickly forget about data security.
You may shake your head and think "No, not my merchants! My merchants know how to stay PCI compliant. It's not a big deal." But most likely, they DON'T. In the B2B International IT Security Risks Survey, Kaspersky Lab reported that 90% of the 5,500 companies surveyed had experienced at least one security incident, and nearly half (46%) lost sensitive data due to an internal or external security threat. In addition, the National Cyber Security Alliance conducted a survey of 1,015 small and medium businesses and found that 60% of those breached went out of business within six months. That's a huge percentage of merchants who are losing data, and consequently money, and ultimately closing their doors.
What you can do
These merchants are your livelihood. Keeping them safe and protecting their revenue is critical to preventing attrition. They need to understand what is happening, and what they need to do to protect their business, their customers, and their reputation.
Talk to your merchants about the importance of data security. It should be an ongoing conversation that starts during the sales process and continues throughout your entire relationship. Remind them of the risk, and of what they should do. And above all, help them understand that being compliant at the time they complete an SAQ does not mean that they will always be compliant.
A good way to start the conversation with your merchants is to explain the key changes in the latest version of the PCI compliance standards. Here are the CliffsNotes of what’s new with PCI DSS 3.2.
How do you keep the data security conversation going with your merchants?
* A Level 4 merchant is a business that processes fewer than 20,000 e-commerce transactions per year and fewer than 1,000,000 card-present transactions per year.