The past seven months have brought big changes to how small merchants do business and accept payments. Businesses that previously had only brick-and-mortar locations and no online ordering have moved, or are moving, to accept orders and payments over the phone and through eCommerce. These business-boosting moves also increase a business's risk, emphasizing the need to safeguard your business and your customers' payment data from cybercrime.

Understand the Risk

According to data from the PCI Security Standards Council, “Cybercriminals are moving quickly to take advantage of rapid changes to payment card data environments. There was a 475% increase in malicious reports related to the Coronavirus in March 2020. Forty-one percent of small businesses that suffered a data breach paid more than $50,000 to recover. Twenty-nine percent of consumers said they would never again use a small business that suffered a data breach.”

The challenges are real and are sure to accelerate with the start of the upcoming holiday season. However, you can do things today to help your business protect consumers' payment card data from cyberthieves. In addition to the tips below, the PCI Council provides the guide “Protect your business. Secure your payment data,” which will help you evaluate your data security.

Tips for Small Businesses

#1  Reduce Where Payment Card Data can be Found

The best defense is not to store card data at all.  If you offer curbside pick-up and take orders over the phone, don’t write the card numbers down; enter them instead into a secure terminal like IntelliPay’s One Terminal 2.0.

#2  Use Strong Passwords

Historically, weak passwords have been a leading cause of payment data breaches. Have a password policy that clearly defines what types of passwords are acceptable and when they should be changed. Passwords need to be strong (combinations of letters, numbers, and symbols) and regularly updated. A sound policy should require employees and staff to change their passwords on a defined schedule and never to share them. Avoid weak or easily guessed passwords, and never rely on vendor default passwords. PCI provides an excellent guide to strong passwords here.
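As an added illustration of turning the policy above into something a point-of-sale or back-office system can actually enforce, here is a small password-policy checker. It is example code written for this page, not code from IntelliPay or the PCI Council. The 12-character minimum, the 90-day maximum age, and the list of vendor-default and commonly guessed passwords are all constructed assumptions; a real deployment would tune the thresholds to its own policy and load a much larger breached-password list.

```python
import string

# Assumed policy parameters (constructed for this example, not taken from the PCI guide).
MIN_LENGTH = 12
MAX_AGE_DAYS = 90

# Constructed sample of vendor-default and easily guessed passwords. A production
# checker would load a large breached-password list instead of a hand-written set.
DISALLOWED = {"password", "admin", "123456", "welcome1", "merchant", "pos1234"}


def password_problems(password: str) -> list[str]:
    """Return every policy rule the password breaks (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    # Compare case-insensitively so "Welcome1" is caught by "welcome1".
    if password.lower() in DISALLOWED:
        problems.append("vendor default or commonly guessed password")
    return problems


def is_acceptable(password: str) -> bool:
    """True only when the password satisfies every rule in the policy."""
    return not password_problems(password)


def password_expired(days_since_change: int) -> bool:
    """True when the password is older than the policy's maximum age."""
    return days_since_change > MAX_AGE_DAYS


if __name__ == "__main__":
    for candidate in ["Welcome1", "Curb-Side!Pickup2020"]:
        verdict = "OK" if is_acceptable(candidate) else ", ".join(password_problems(candidate))
        print(f"{candidate!r}: {verdict}")
```

Running the block prints a line per candidate: the vendor-style “Welcome1” fails on length, missing symbols, and presence in the disallowed list, while the longer mixed passphrase passes. The same `password_problems` function can be wired into an account-creation form so staff see exactly which rule they missed.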

#3 Keep Software Up to Date

Outdated software can contain security flaws that criminals can exploit. Be sure to keep all your system and payment system software updated with the latest security patches.

#4 Use Strong Encryption

Encryption makes data unreadable without a specific key. It can be used to protect stored data and transaction data that is transmitted over a network. Many vendors offer Point-to-Point Encryption (P2PE) for their payment terminals. If you are setting up a new e-commerce website, ensure the shopping cart provider uses TLS v1.2 or later.
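The TLS requirement applies to your own integration code as well as to the shopping cart provider: any script that calls a payment gateway over HTTPS should refuse anything older than TLS 1.2 and verify the gateway's certificate. The following is an added example using Python's standard `ssl` module; it is not IntelliPay's or the PCI Council's code, and the function names are this example's own. It shows a weak client configuration (certificate checking switched off, a common shortcut in integration scripts) next to a hardened one, plus a check you can run against any `SSLContext` before using it. It cannot tell you what a third-party provider's server supports; for that, ask the provider or have a network professional test their endpoint.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """The weak setting: certificate and hostname verification disabled.

    Integration scripts sometimes do this to silence certificate errors, which
    leaves the connection open to interception by anyone who can intercept traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected setting: system CA store, mandatory verification, TLS 1.2 floor."""
    ctx = ssl.create_default_context()  # loads trusted CAs, sets CERT_REQUIRED and check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 even if the peer offers them
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """True when the context enforces TLS 1.2+ and verifies the server identity."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
    )


if __name__ == "__main__":
    print("weak context meets policy:", context_meets_policy(weak_client_context()))
    print("hardened context meets policy:", context_meets_policy(hardened_client_context()))
```

Pass the hardened context to `urllib.request.urlopen(url, context=ctx)` or to `http.client.HTTPSConnection(host, context=ctx)` when calling the gateway; with it in place a downgrade to TLS 1.0/1.1 or a forged certificate fails the handshake instead of silently succeeding.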

#5 Use Secure Remote Access

Criminals gain access to systems that store, process, or transmit payment data through weak remote access controls.  The PCI Council recommends: “You should limit the use of remote access and disable it when not needed. If you must allow remote access, ask your vendors to use multi-factor authentication and strong remote access credentials that are unique to your business and not the same as those used for other customers.”

#6 Ensure Firewalls are Configured Properly

To be compliant with PCI standards and retain the ability to process payment card transactions, businesses must have a firewall. A firewall is software (or a dedicated device) that sits between your network and the broader internet, acting as a barrier to keep out traffic you don't authorize. Firewalls need to be configured properly to ensure security; a firewall with default or overly permissive rules provides little protection. Due to the complexity of firewall configuration, we recommend seeking help from a network professional if you don't have those skills in-house. PCI has assembled a guide on firewall basics here.

#7  Beware of Phishing

A recent article in Forbes on cybercrime found that phishing attacks went up 700% during the first two months of the pandemic. Hackers use legitimate-looking emails and social media messages to get employees to expose confidential information such as credit and debit card numbers, merchant account numbers, or passwords. Since over ninety percent of all cybercrime can be traced to human error, it is essential that small business owners stay vigilant and on the lookout for phishing and other social engineering attacks. We found a good primer on preventing phishing attacks for small business owners here.

#8  Choose Trusted Partners

It is critically important that you thoroughly vet your vendors. All payments vendors should be PCI DSS Level 1 certified. It is also important to know whether any part of the solution they provide involves sub-contractors. Those sub-contractors should also be PCI DSS Level 1 compliant and should follow industry best practices for the work they perform on your behalf.

IntelliPay, a provider of PCI compliant intelligent payment processing services for over 16 years, has produced a guide to accepting payments online that is available here.

Adapted from PCI SSC “8 Tips to Help Small Merchants Protect Payment Card Data During COVID-19.”