When a data breach is reported in the media, more often than not it’s the well-known large companies that make the headlines. In reality cybercriminals are more successful in attacking smaller businesses. The reason for this is that smaller businesses often have fewer resources and as a result are less likely to have the latest and most up to date security measures in place.
Consequently, they run a higher risk of falling victim to the latest cyber-attacks and malware. Therefore it’s important that smaller businesses ensure that they are secure from such threats.
So what should a small business do to avoid becoming a victim? To start with, the Payment Card Industry Data Security Standard (PCI DSS) is a minimum standard that should be used to minimise the risk to cardholder data. Furthermore, it is an industry regulatory requirement worldwide. We also strongly recommend the following steps:
Know where payment card data is handled: Identify the processes that handle cardholder data. Understand where it is received, where it goes, where it is stored and who has access to cardholder data. Only then will the business be able to ensure appropriate controls to cover all areas.
Data retention: Do not keep cardholder data for any longer than necessary. Find out why cardholder data is stored and how long it needs to be kept for. Once this is defined, the business can then ensure they remove any unnecessary data that exceeds this defined time. Minimise the risk and consider not storing cardholder data at all by using tokenisation systems (that store random tokens instead of storing cardholder data).
Restrict physical access: Only provide access to cardholder data media to employees who have a specific requirement. Most employees do not need access to archive rooms. Businesses can restrict access to cardholder data by locking cardholder data media in cupboards accessible only to those who need access to it.
Review your systems: Use a secure solution. Consider using a PA-DSS validated solution (software validated by a qualified payment application assessor). As POS and booking systems are often sources of breaches, it is very important that businesses keep their systems secure
Secure/update call recording system: Ensure call recording systems do not store sensitive authentication data (such as the CVV2). Ensure the recorded cardholder data is encrypted (or better still not captured and stored at all).
If you are a merchant that requires technical or PCI DSS help, please click here