Unique security challenges for small merchants
Most small businesses fall into "Level 4" for PCI compliance purposes. The merchant levels are defined by the card brands, and Level 4 generally means a merchant that processes fewer than 20,000 e-commerce card transactions, or fewer than one million total card transactions, per year.
Level 4 merchants face their own challenges in protecting card data and preventing breaches. They are still required to complete a self-assessment questionnaire (SAQ) and comply with the Payment Card Industry Data Security Standard (PCI DSS), but they rarely have the resources, time, or staff to stay on top of the latest vulnerabilities, patches, and payment technologies that would help protect their customers.
Having worked with small merchants for over 17 years, we understand small business security and know how confusing it can be for a small business to work out which PCI DSS requirements apply to it and how to follow them.
PCI Council releases tools and resources for small business cybersecurity
SecurityMetrics has worked closely with the PCI Security Standards Council and others in the industry on a task force to create and promote tools and resources that help small merchants achieve PCI compliance, protect cardholder data, and prevent data breaches.
The resulting Data Security Essentials (DSE) Evaluation Tool and the accompanying PCI Data Security Essentials Resources for Small Merchants were recently released by the PCI Security Standards Council to help small merchants focus their efforts on the most basic, highest "bang for your buck" security practices. The resources include:
Guide to Safe Payments: Simple guidance for understanding the risk to small businesses, security basics to protect against payment data theft, and where to go for help.
Common Payment Systems: Real-life visuals to help identify what type of payment system a small business uses, the kinds of risks associated with that system, and actions the business can take to protect it.
Questions to Ask Your Vendors: A list of the common vendors small businesses rely on and specific questions to ask them to make sure they are protecting customer payment data.
NEW! PCI Firewall Basics: A one-page infographic providing guidance on firewall configuration basics.
What you should know about the new DSE Tool
The release of the Data Security Essentials (DSE) Evaluation Tool is an important milestone for PCI. The tool gives small merchants specialized guidance that makes sense for them. It's important to understand the following things about the new tool:
This tool does not replace standard PCI DSS compliance. It is meant to guide small merchants to the most important foundational security practices and help focus their efforts in a more realistic way.
The card brands, not the PCI Council or data security companies, remain the enforcement entities in this industry. The card brands have always placed the risk and accountability for merchant PCI compliance with their member banks and those banks' acquirers/ISOs.
Acquirers and ISOs have taken varied approaches within their merchant portfolios with regards to compliance requirements and enforcement.
The PCI SSC has created standards and validation tools, processes, and vendor authorization programs to support Acquirer/ISO efforts.
The work product of the PCI Small Merchant Task Force is an additional and optional tool available for Acquirers/ISOs as they work to improve the security and compliance of their merchant portfolios.
SecurityMetrics embraces the new PCI DSE. The PCI SSC has taken a minimalist approach for small merchants, identifying the smallest set of security controls and practices that is expected to deliver the majority of the security benefit for these merchants.
This is a fantastic approach to security and a benefit to the industry.
SecurityMetrics supports the PCI DSE
The new PCI DSE is a tool that will simplify compliance, increase payment security, and make both merchants' and acquirers' lives easier. We've built the new tool into SecurityMetrics FastPass so that acquirers can choose to include it in their security or compliance programs.
Robert Reid, our Director of Product Management, has this to say, “We're excited for the PCI Council's new payment security tool—DSE. When combined with the personalized scoping accuracy of SecurityMetrics FastPass, it extends the simplicity of discovering the most accurate path for securing a merchant's credit card environment. All of this is incorporated in our simple, easy-to-use online tool."
SecurityMetrics provides regular content and support for acquirers and merchants of all sizes. Support materials like our 2018 PCI Guide, IT Compliance Checklists, and our cyber security training offerings are just a few of the ways we provide support to merchants and help secure the entire payment ecosystem.
JB is Senior VP of Technology at SecurityMetrics, and is responsible for growth through leadership, networking, and product innovation. He is a 30-year veteran of the high-tech industry, specializing in innovative software for IT and business. He holds a bachelor's degree in Computer Science from Brigham Young University, and one of his first jobs was as a COBOL programmer at U.S. Steel. JB has held several senior management positions at companies including Broadway & Seymour, WordPerfect, and Novell.