by Natasja Bolton, Acquirer Support Manager, Risk and Assurance Division
In part 1 last week, I discussed how businesses may be putting themselves at risk by assuming that ‘PCI DSS compliant’ also means secure.
Maybe what we should be doing is encouraging businesses to focus less on compliance as an annual ‘tick-box’ exercise and more on addressing risk and information security – that is, confidentiality, integrity and availability – as the key factors in ensuring they are resilient in the face of cyber threats, insider threats, natural disasters, service outages, etc.
Recent reports have shown that, despite the increased frequency of high-profile cyber-attacks and data breaches, such as the Sony cyber-attack and the eBay data breach, many small and medium-sized businesses (SMBs) don’t believe they are at risk, leaving themselves exposed to potential attacks and compromises through lax or insufficient security measures.
A survey of over a thousand British SMBs conducted for the UK Government’s security initiative Cyber Streetwise found that:
“66 percent of SMBs said that they didn’t believe their business to be vulnerable, 16 percent said that improving their cyber security was a top priority for 2015, 22 percent said that they ‘don’t know where to start’.”
In the UK, the Cyber Streetwise initiative is providing a set of simple-to-understand resources and materials to tackle these numbers and to bolster the resilience of UK businesses in the face of existing and developing cyber threats.
Further, it is promoting ‘Cyber Essentials’, not as a compliance standard but as a set of security requirements, applied with a ‘badge scheme’ that allows adopters to advertise to their customers, partners or clients that they take cyber security seriously.
In the US, guidance to help small businesses understand the threat and what they can do to address it is being produced by organisations such as the Small Business Administration and Department of Homeland Security. The Federal Communications Commission (FCC) has produced the FCC Small Biz Cyber Planner 2.0 to help small businesses create customised cybersecurity plans.
Payments industry – should support and promote
I believe leaders in the payments industry (the card schemes, the PCI SSC, the acquirers and others) should be supporting and promoting these and similar initiatives aimed at improving an organisation’s overall security posture, not just its payment security.
Ultimately those entities that provide the backbone and services of the payments industry cannot themselves benefit and grow if the thousands of retailers that rely on them do not flourish and maximise their business potential.
Small Merchant Taskforce
The PCI SSC has recently launched a Small Merchant Taskforce in recognition that small merchants are particularly vulnerable to attack, usually have very limited resources and technical expertise at their disposal, and often lack the necessary tools, information and education to prevent such attacks and to recover from them.
The Taskforce aims to address these issues by developing resources to help small merchants protect cardholder data and to resolve risks to their business.
We will cover the objectives of the PCI SSC Small Merchant Taskforce in a later blog post and give details of how you can benefit. Sysnet recognises the need for small businesses to build on the foundation of good security that the PCI DSS provides, to understand the modern threat landscape and to become more resilient: able to react to, recover from and survive security incidents and attacks.
Sysnet has built SafeMaker for that very purpose. It gives your merchants access to a range of both Sysnet and your own security products and services, aimed at helping them protect their business and maximise sales.
SafeMaker simplifies security for merchants by presenting them with only the solutions that are relevant to them.
- Provides your merchants with access to a range of security-related products and services, giving them a one-stop shop for all their security and compliance needs.
- Instantly presents merchants with solutions to gaps or issues identified by the compliance process.
- Reduces your risk: merchants with appropriate security solutions in place are a lower risk to your business.
- Improves your merchant relationships by making you a business partner.
- Increases revenue through higher transaction volumes and revenue share.
Sysnet Risk & Assurance is available to assist small businesses with pragmatic solutions to help improve their security posture and meet compliance initiatives, including achievement of the Cyber Essentials badge.
For more information on SafeMaker and how Sysnet can help you support your merchants in understanding and addressing the cyber threat, email firstname.lastname@example.org