New to PCI Compliance? Get the PCI Compliance Support You Need

Listen to learn actionable advice for your PCI compliance support needs, whether you're starting your PCI compliance journey or looking to improve your existing processes.

SecurityMetrics Podcast | 106


Are you a small-medium business owner? Did you just get a message from your bank telling you to call SecurityMetrics? Are you worried about having a bad experience? Do you know what PCI compliance even means? If any of these questions apply to you, this episode is for you.

Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) sits down with SecurityMetrics Director of Technical Support Brad Nelson to discuss how SecurityMetrics can help you navigate this regulatory landscape.

By watching or listening to this podcast, you'll learn:

  • Why your processor is making your organization do PCI compliance: Besides being required by card brands, nearly half of all cyberattacks target small businesses, which in many instances would not have happened if they were PCI compliant.
  • What calling into SecurityMetrics looks like: Learn what information you need handy so you can get your compliance done as quickly as possible, and the questions you should ask to get the best service.
  • How other companies are successfully implementing PCI compliance: Discover how other small businesses have successfully leveraged SecurityMetrics to achieve compliance.
  • What are some of our top PCI compliance tips and tricks: Get practical advice on how to optimize your PCI compliance efforts and minimize risks, keeping your business and your customers more secure.

Whether you're just starting your PCI compliance journey or looking to improve your existing processes, this podcast will provide valuable insights and actionable advice.


[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcription of New to PCI Compliance? Get the PCI Compliance Support You Need

Hello, and welcome back to the SecurityMetrics podcast. My name is Jen Stone. I'm one of the principal security analysts here at SecurityMetrics.

Just taking a moment to tell you we have a huge back catalog of a lot of topics. So if this is your first time here, welcome. Super happy that you're listening. Take a look and see if there's other topics that might be of interest to you.

But I am very excited about the topic today because it is about support specifically for small businesses. So I have Brad. Brad, please introduce yourself to people and let them know a little bit about you.

Yeah.

My name is Brad Nelson. I am the director of support here at SecurityMetrics. I run the tech crew upstairs.

All the geeks and nerds that are gonna be answering your phone calls for SecurityMetrics, and PCI compliance in particular.

And it's a really important, job because so many small businesses need help.

And I think that's maybe a good place to start. So why do we even have a support team to begin with? Like, what is it? What's the problem that your group solves for people?

The point is just so freaking technical Yeah. And difficult to get through. Yeah. To be blunt, probably sugarcoat that, and make merchants feel better, but that's what they call in about.

They're they're frustrated, and confused. You know, mostly they're confused about why they're doing it. I I I would love it if our partners and banks in general would would give them more information before they send them to us. But a lot of them just say, hey, this is a requirement.

Call SecurityMetrics.

Yeah.

And we get them on the phone, and it takes our agents about ten minutes to explain to them why they're even calling us and what PCI compliance is about, why it's important.

And they a lot of customers don't understand that, you know, there are malicious attacks every year and businesses get compromised all the time. I mean, I I wrote some some statistics down here, and I don't know if you've read the bottom, but there's just a ton of money getting lost by by businesses and businesses, small businesses in particular are getting hit, not just the big one.

Yeah. I noticed I I really like those statistics that you, put there. And, actually, there's a really good link that you have there. So, we're gonna put the the link in the in the notes.

Resources for small businesses, cybersecurity statistics, I think, would be a great link for people to understand, especially things like this one. Forty three percent of cyberattacks target small businesses.

Why? Probably because it's easier to get them. Because they don't have security.

Because they don't have security. Exactly.

You go for the big ones, and they have all the bells and whistles.

But a ton of small businesses think they're not a target because they're too small.

Oh, agreed. Oh, you would be amazed at how often these these phrases come through to agents. They call and they say, it's just me at the business. I bought their device.

It I I don't you credit card data doesn't I don't even touch it. They don't realize that it goes through their network, which they own through their devices. Mhmm. And they think that whatever they purchased is that's the that's the security they need.

But Yeah.

And here much further than that. Here's a devastating statistic, which is the the number of small businesses that are victims of cyberattacks that go out of business within six months.

I'm glad you brought that up because I I I would love for people listening and merchants listening to understand why PCI compliance is important and why being secure is important. Yeah. We have fights on the phone all the time where they don't wanna do it, and we're just here to help. Yeah. We're not here enforcing this.

We're just here to help, but they they look at us as the reason they have to do it.

Why are you making me do this? Yeah. It's because of this. Sixty percent. Sixty percent of small businesses.

It's a lot of money.

Go out of business if they're victims of a of a cyberattack.

It's unfortunate.

So, there's a lot of really good statistics there, and we can go over a few more of them later or put the the link in in the, podcast notes. But, I think it's really important just to kind of frame it that way, you know, why people are doing this. And and so so your team, basically, you'll get people that call in and say, my bank or my processor or my credit card company, like, whoever lets them take take credit cards says I have to call you.

Yep.

And then and then your team is left to explain why.

Yeah.

Yeah. Why is your team making them do PCI? Uh-huh. No.

It happens so often. And the poor agent, you know, who's getting paid minimum wage to to answer the questions is just like, sir, I I it's just a requirement from the, you know, the PCI Council is the five hundred. And they go through the whole steps.

And by the end of it, we have people who called up really angry, happy with with the service.

Well, you know, what's great about that is it's also it's a really good place to start for people who are interested in either cybersecurity or PCI compliance who are looking at at a career path there.

That's a great thing about SecurityMetrics. It's probably one of the best things.

Yeah. Yeah.

You can come in through this, you know, support job. Yeah. I have a list of twenty, thirty people who have turned into developers. You have someone Yeah.

On the audit team. Yeah.

Yeah. And these are six figure jobs.

Yeah.

And they started out in, you know They started off not getting paid a lot in support struggling through it with small merchants.

For those of you listening, we actually pay them pretty decent, but it's it's an entry level job.

So No.

This is it really is a good place to work. And, and I think that also that makes people actually care about helping merchants. Like, your team isn't there going, these people are just annoying and bothering us. There's actually a real set of values there in helping merchants understand what they don't understand.

Well, there's a culture here at SecurityMetrics where everybody just wants to help and help people be secure so they don't have, you know, the malicious attacks and get, you know, run out of business if Yeah. Yeah. I mean, Caldwell's original story is about helping.

Yeah. The the owner of the company and CEO.

Yeah.

That's he had a a breach that stole information from him, stole data, and he decided to make a whole business about not ever letting that happen to someone else.

Yeah. There's a lot of heart behind that. So so when when merchants do call in for obviously, it's because they're not yet doing PCI compliance and they're and they should be. Right?

Eighty percent of them haven't even heard about it before.

Yeah. And and the thing about PCI compliance is it's not just about being compliant with the standards. It's it's about doing the basics of security to keep you from losing credit card information.

Yeah. And we do our best to point out, the the flaws in their security, but with our scan.

Yeah. Right?

We have a vulnerability scanner, but we also go through the security standards with them. And we won't just point out what what it's talking about. We'll actually give options of, well, you could do this or that. You know, you have options. You don't just have to follow every security standard. You could have the CCW or the the compensated controls if you want.

Yeah. There's different ways to to accomplish the same thing as long as we're addressing those Yeah. The root, risk Yeah. That the security controls are intended to follow. But I think let's start with the beginning of what people get confused because they're here they are. They're they're supposed to fill out an SAQ. Right?

Uh-huh. Self-assessment questionnaire, for you laymen out there?

Yeah. They asked and you probably if you do PCI as a small business, you probably heard SAQ or some people call it a SAC.

And then but there's different flavors, so to speak Oh, yeah.

With different letters.

Is there eight or nine?

So we've got the SAQ A, the A-EP Uh-huh. The B, the B-IP, the C, the C-VT, and then the D and the P2PE. Mhmm. You got them all.

Yeah. There we go.

Or the full ROC if you are big enough Yeah.

To do a full ROC.

Ones and twos.

Yeah. Levels one. But but for the people calling into support, it really is about the SAQ.

Yep.

And and I think one of the the the reasons why so many groups get confused is, first of all, they don't know which SAQ to fill out.

They don't understand scoping in general. Yeah. They actually you know how often we have people think that the scoping question because our compliance department downstairs will handle that part, you know, and and take the the fee, and then they send them upstairs for support. They thought that was the questionnaire.

Oh, and it was just the scoping.

It was just the scoping.

Yeah. It because it starts with what are you protecting? People can think of it this way. What's the potential risks? What the potential threats against in your environment, the way your environment is set up, that's what the scope is. Right?

So your SAQ depends on scope, depends on data flows because there's different types of threats depending on how you're how you take How how card how much exposure of CC data happens on your environment.

Yeah. Is it segmented? Is it is it just isolated? Or is it the whole thing?

Exactly. Do you do you have a a kind of a gut feel for for which type of SAQ you most get calls about?

Oh, we even have data on it. A's are very common because of ecommerce. Yeah.

The next would probably be a c.

Mhmm.

But you'd be amazed at how many people actually store credit card data when they don't need to. Yeah. That that's actually one of my recommendations is minimize your scope.

Yeah.

And you don't have to do as much.

Exactly.

Stop storing.

Like, we have like these, fest Mhmm.

Who call in with these. Mhmm. And it's because they they put on file credit card numbers so they can do billing Yeah. After the person leaves. Mhmm. Sorry.

If you'd stop doing that.

Yeah. Do it a different way. Yeah.

Do it a different way.

Get a third party to store it for you. Or Well, you can do it on paper, I guess.

Yeah.

But you can't do it electronically.

That's true. You can do it on paper and be, and and have a smaller scope. It's interesting because just last week, I had a consulting call. And and sometimes we, as auditors, we will consult with small businesses.

It's it's not just the the audit depart or excuse me, the support department Mhmm.

Where they really want someone to walk through every question with them.

And so I got to have a little bit of a kind of a view into what your team Mhmm.

Gets and the number of questions. And like you said, knowing even where to start with their questions.

So I I they were required to use a portal supplied by a third party, not one of our portals Mhmm.

To satisfy I think it was, one of the one of the card brands specifically, like, maybe American Express had its own portal for questionnaires that it it wanted them to do. But they had to to go through this portal. And so I walked through it with them starting with the scoping. And even knowing how their information was being taken in and what to do you know, how what their responsibilities were was hard.

And, specifically, let me give you an example. They thought they were an SAQ A Mhmm. Which means a third party takes care of all of your Mhmm. Credit card information, intake, and, you know, takes care of your whole website for you.

You don't interact with it.

You don't interact with it. Well but it wasn't true.

Yeah. What they had, yeah, what they had was an iframe that in took, account data, but they were responsible for the website, for the web page that that was in.

So that means they were not an SAQ A Well, especially with 4.0 now that says that's it.

Yeah. They were an A-EP. Right? And for people who are not familiar with it, you're like, what does that even mean? That's exactly the point that we're trying to make.

Yeah. A new merchant's watching this. They're like, what acronyms are they throwing in out? I don't understand a word. And that happens every time someone calls into support.

Exactly. Exactly. And so I think the important thing about having a support team is that your crew, they know what these acronyms mean.

Yeah. Yeah. We train them, extensively, and they they can walk through the questions and explain to you what the question one of the most common misconceptions, which, I don't mean to upset merchants, but they call in thinking we're gonna answer it for them.

And we have to explain, I don't know your network. Yeah. You have devices and policies and procedures and and things I can't see. So I can't answer it for you.

Yeah. I can help you understand the question. And but they want us to and they're like, hey, can't you just come over and do this? We're like, where do you live?

Virginia? Okay.

Well, if we did that Get on that plane.

That's a few thousand dollars just to get to you. Yeah. And then we'd charge for the service. It's much easier if they just find a local IT specialist. Mhmm. Especially one who specializes in PCI compliance.

Because they're out there.

Yeah. So in a few hundred dollars, it'll be easier on you than you trying to figure it out yourself.

Yeah. There's a few basics. So we talked about the confusion between A and A-EP. Very common.

Yep. Another common confusion that I see is between the B-IP and the P2PE because those are both about swiping your card in a device. Well, if you're a merchant and you have a card swiper and, you know, people are using that to pay and you say to them, is it point-to-point encrypted? Mhmm.

They have no idea. Yeah.

Why and why should they? Right? They're not they don't run this business in order to be experts in No. PCI.

This is why I was saying this earlier. I wish banks and especially, like, the sales persons who were selling these systems would explain PCI along with the the devices that they're giving them and and how it works.

Yeah. And what the advantages of one over the other?

Well, then that we have a problem, a conflict of interest there. Right? Because some of their systems are gonna be more expensive than others. Mhmm. If you're a salesperson, you get a commission, you wanna give them the Uber system. So telling them the smaller system's gonna do what they need probably is a conflict.

That's probably true.

But don't get to talk about when we talk to our merchants.

I tell people all the time go to P2PE.

Oh, yeah. At one point, Chris.

Yeah. It's easier. And and it is going to be slightly more expensive. It's probably more expensive for the initial install, and it's probably more expensive per swipe.

But better security.

You don't have to spend any money on that.

And you have to do so much less when it comes to, making your environment secure.

That's why minimizing your scope is very important if you can. Yeah. Yeah. There's one of the questions that we were we were gonna talk about, which is, how can we help our customers speed their compliance.

Yeah.

I wanna make sure we hit on that because understanding your network Mhmm. Looking into what devices you're using. I'm not expecting someone to, you know, become a technical expert. Yeah.

You know, within a within a week. But if you could at least understand your business, devices and maybe the processes that you're you're putting on paper Mhmm. Where you're storing those. You know, what are you doing at your business?

You learn that first and then do your rest of your queue, it's gonna be a whole different world. You're you're gonna be able to answer things a lot easier and quicker.

Yep. But if you don't know that from from a base and Yeah. And, honestly, PCI isn't super helpful in that because the very first of the twelve major requirements, the first one is, how do you deal with NSCs?

And everybody's like Yeah.

What's an NSC?

And what is that? Right? Compensating. Your network's configured. Yeah. Your network security controls?

Yeah.

Yeah. Because if your network is in scope, if you're not using P2PE, your network is in scope.

You know, it's funny for a while.

We've just been calling that section firewall for years. Yes. But now they just changed it.

They changed it to you know why they changed it to firewall? I think it's been from firewall? Is excuse me. From firewall to NSC.

Well, it's more descriptive.

Everybody kind of understood what firewall meant.

But now that everybody's in the cloud So you would be amazed at how many people don't know what a firewall they call in and say, what is this?

I don't know what that is.

And it's okay that they don't know because, again, merchants aren't expected to know this.

But you should have a technical person that you trust.

That's what I was just gonna say.

If That is helping you put together your business.

Yeah. It if you have if you have to do PCI and you don't understand the technical aspects of your business, what's the fastest way that they can get this done and taken care of? That's what you just said.

Yeah. Yeah. I I don't like I said, I don't expect you to to go to college Yeah. And get a degree.

But, you need somebody who actually did if you really wanna be secure. Yeah. Unfortunately, we get a lot of merchants who call in and just think it's a checkbox experience and they just don't want to get fined or they don't want their their bank bothering them anymore. So they go through and just answer the questions.

But they're not secure.

It's yeah. It's tempting to do that, but it's it's not helpful. The whole point of this is to make sure that that the merchant is as protected as possible from these breaches that can get very expensive.

Oh, yeah. That's why I went and got some of those statistics because I thought it was important to talk about the reasons why people need to do this.

Yeah. Yeah. Exactly.

So people come to you in support. They're confused. They're frustrated. First of all, they don't know why they're supposed to do PCI.

Yeah.

And then the second is they don't have the technical knowledge to answer all the questions.

A lot of acronyms in that thing.

Yeah.

A lot of actually difficult, topologies and network solutions. And, it I mean, I went to school for this, so I I can understand most, if if not, you know, all of it. But for me to for me or even you to go and and implement these things?

It's not easy. Yeah. And it's not easy to even care. So one of the things that struck me is I spent over twenty years in IT before coming here Mhmm.

Before coming to security. And PCI uses standard, IT language in a nonstandard way. So even if you have familiarity like the word segmentation, do you use segmentation to limit scope? Mhmm.

That's a that's a good question to know because it it's going to affect what you have to answer.

But if you don't know that PCI means segmentation okay. I'm gonna be a little bit technical here. Sorry, merchants. If you think segmentation just means that you have VLANs and you have subnets, that's not what PCI means. When they say, are you using segmentation limit scope? What they mean is the stuff that you're declaring out of scope, can you show that it doesn't communicate in any way with things that are in scope?

Yeah.

We're in firewall rule that shows Excuse That's NSC.

Oh, sorry. The network control. My bad.

Yeah.

And so this this is the why we're trying to explain merchants struggle with this, and they should. Not that they should, but it's understandable that they do.

Completely understandable.

So when you let's maybe talk people through what that experience is for getting help from the SecurityMetrics support team. Their bank has said, okay. You need to give us an SAQ.

You want a day in the life of a merchant calling in to support?

Yeah. Tell me about how that goes.

First, I wanna pat myself on the back because getting to SecurityMetrics support, I recently had some fraud on my credit card, and I had to call my credit card company. And I had to call UPS, and I had to call several other places. Oh. And they had this AI that answered the phone, you know.

And it's it's like, hey, tell me your number. Tell me why you're calling in. I had to say it, like, three times. Never understood me.

And I I won't get into the details and and bore everyone, but it was a horrible experience. And it took me ten minutes to get a hold of somebody, and they transferred me eight times. That doesn't happen at SecurityMetrics.

AI doesn't solve all your problems?

Well, I I I'm interested in seeing if you could add it in, but we don't use any of it. We have a very minimal IVR, which is the recorded voice. It just says, do you want English or Spanish or French? Once you pick, you hit an agent immediately. We usually answer the phones in under fifteen seconds. It's ridiculous. And then that person will stay on the phone with you the entire time until you're done.

Wow.

Yeah. Maybe an SAQ D, they may ask for a break because those are three hundred and eighty seven.

Those are I would ask for a break.

Yeah. Well, yeah. I mean, if you're actually gonna fulfill the the implementations, there's no way you should be doing an IRON one phone call. Mm-mm.

But if you're asking, like, what's this? What's this? What's this? You could still be on the phone for, like, two hours on an SAQ D.

Yeah. But, you know, everybody else really, they'll walk through the whole thing. And then, you know, if you need a ScanTek, they'll transfer you over to ScanTek, and that happens like that too. It's it's a very I mean, we we get compliments on our feedback constantly about how quick and friendly our our agents are.

So Oh, good.

I just want everybody to know that you call in to support, you're gonna be taken care of, and you're gonna be taken care of quickly is the point of all that.

But what happens? You call in. You say you don't know what you're doing.

Usually, we already have your account information because we are partnered with the bank. If you're non-partnered, we still have information in the system. We'll look you up. We'll ask you to identify yourself with your merchant ID because for security reasons, we need to make sure that we're speaking to the right people so we're protecting information. Right?

So that actually, people get annoyed with it, but we have to be scared.

Right? Because they have to go look up their merchant ID. Yeah.

They have to go look up their merchant ID.

Why would I know this off the top of my head?

You wouldn't be amazed. They don't even know what a merchant ID is half the time. Yeah. I it surprises me. But, yeah.

They, like I said, banks aren't They don't.

They don't share a lot beforehand.

Yeah.

They just kind of dump it in our lap and say, you know, figure it out. But that's what we get paid for so that's fine.

The next thing, if you've already got an account, you're you're already scoped. But if you're not scoped, we we'll scope you, unless we have to send you down to the the sales department, the compliance department Mhmm. Depending on we can't take money. We can't make the purchase if it hasn't happened yet.

So if you get to support, hopefully, it's already been So there are a couple of reasons why you might be, handed off to someone else before you get your question.

The weeds, though.

But, hey, people wanna know.

But once you're in there, usually, it starts off you know, we'll explain the portal. We'll get you all set up. If you don't know what's going on there or your password or whatever, we'll help you get in there. Yeah.

Then you'll see the SAQ in your dashboard, and it'll say you're not compliant, and you'll get frustrated. And then we'll explain, no. You just need to go through this, and then, you know, do your scan if you have one. Most people do these days because of 4.0.

Yeah.

And you'll be confused by many of the questions, the security standards, and you'll ask what does this mean? Mhmm. And they'll explain it to you. Many merchants, again, like I mentioned, will will say, well, how do I answer that? And we'll say, well, do you do this or do you do that? And in some cases, we can get that answer right away. But in many cases, the the merchant will need to go verify how how their devices, work and interact with the credit card data.

So once they get started on that portal, let's say you only go so far and then they're like, I don't I need to go find out some information. When they go and come back, do they have to start again from the beginning?

No. No. Everything's saved.

Okay.

No. That's absolutely. That would be a horrible experience.

Wouldn't it?

Could you imagine? Start over. You're on a three hundred and eighty four, you know, quest security standard question.

Would really not be good.

No. No. In fact, when you call back you you get an agent again just quickly.

Sometimes you might even get the same agent and they'll remember you. But, no. It's it's as long as you can answer the questions, you can usually do an a in, you know, half an hour.

Mhmm.

Well, probably in less than that fifteen minutes. Yeah. I mean, there's about thirty agents on the floor at any given time. But Yeah. Yeah. We're actually twenty four seven which, difficult to do but we're there.

But we have, customers that are overseas.

Oh, yeah. No. Of the UK. We we have a whole UK shift.

Yeah. Well, so so we have a well staffed team. They have a a lot of knowledge. They're able to help people all the way through. I mean, they have enough knowledge that, like you were mentioning earlier, we have had people from the support team that got, transferred to to become associate QSA.

Still are people.

So we have, this whole experience that you and one of the parts of the experience that you mentioned a couple of times was the scans. Yep. So let's talk about that. We are an ASV. Uh-huh.

Yeah.

We have a certificate we have to pass every single Yeah. In order to to hand out these To validate.

Yeah. Yeah. PCI validations for scanning.

PCI won't let you do scans unless you're validated.

Yeah. And that is part of if you're doing an SAQ. I think all of them require scanning now. Nope. Nope. Not P2PE and not B.

Yeah.

Yep. Sorry. Just kidding. So no.

If your network is in scope, then and you have an external Well IP address, then you need a a We're actually coming across, A's that actually don't need some scans.

If there's entirely third party.

Wanna bring up the the company that but they have, like, this invoicing where the the person who who's, you know, asking for the the credit card info. All they do is send a a link to the customer.

Yep.

And that's And that they have nothing to do with anything else.

That's still an SAQA, but pay by link. So if you are e commerce and you have people, you know, talking to other people on the phone, pay by link is the best.

Yeah. Because it removes a scan. Yeah. So There's nothing to scan.

Yeah.

So when people ask, how can I reduce my, the scope of my assessment, pay by link rather than taking it online Used to be iframe?

Yeah. It's not iframe anymore. We used to love iframes because it took so much out of scope.

People skim.

Yeah.

And then just like the physical stuff.

Yeah. That's where we're seeing a ton of the stealing of card data now is Yeah.

It That's why the monitoring is coming small. It's in a standard. It's gonna be due in March.

Yeah. So if if you're if you're taking credit cards in person, it should be P2PE. If you're online with people, it should be a pay by link. Like, those are ways that you can reduce your scope. And for a small merchant, there are also ways to to use, paper rather than any kind of digital.

And and you can electronic storage that gets you in trouble.

And and, honestly, if you're a merchant and you're looking to to reduce scope, sometimes your, you know, support team might be able to help them. Sometimes you might pass them on and say, hey.

Go get a few four consulting hours from a from a knowledgeable QSA It's happened.

Can help people Yeah. You know, figure out exactly how to Yeah. And I'm not gonna say game the system what I meant because it's real. It's like there are ways to reduce your, compliance footprint.

Your your credit card flow. If you minimize it, how it interacts with your systems, you could have half your business that it doesn't matter about. Right? Yeah.

I sometimes because if you get a deal like with an IP address or whatever, you get two. Yeah. Yeah. One physical.

You don't even have to do the logical firewalls. You just have one dedicated to your your credit card data and the other IP or the yeah. Yeah. Internet service provider, Ethernet coming in.

You gotta keep them separated. So Yeah.

So there you go. Oh. Oh, you're Gen Z.

Do not make me sing. I am Gen X one hundred percent, and I try not to show it too often, but clearly it comes out.

So this is great if we're talking about okay. We've talked about how to reduce your your potential, compliance burden. We've talked about what to expect when they call in to support a little bit more about the vulnerability scan. Sometimes they'll get a vulnerability scan and then not know what to do with it.

Well, it is one of the more confusing aspects of PCI compliance because it's purely technical. Right? I mean, we're talking about code that is written. Hey.

We found this, and this equals vulnerability. Yeah. You need to remove it. And people are like, what?

What is that?

Fortunately, most people don't manage their own websites or develop their most Yeah. Sort of websites.

So, they can hand it back to their developer or Right.

The problem is when they're using, you know, a service like GoDaddy or or one of the other web hosting.

Or not Shopify because that's more Yes. Hundred percent.

But if there's a, if if they have a WordPress site Well, I I'm gonna go more into the the people who's that you buy the servers from.

Right? You put your website on a server. Mhmm. So that's that's your web hosting provider.

Right? They often like to they use shared servers. So you you don't own that that machine. Yeah.

So you can't control the security of that machine because you're sharing it with a hundred other people.

It's true.

So they can't the the company can't change the rules just for you because it affects everybody.

So then you have to get a dedicated server which causes you to spend more money which is another one of the things that happen to support that, you know, they get this bad news and they're upset about it.

Like Well, nobody wants to spend more money on, security if they can find a way to to be more secure without spending that money. And and I get it. It's it's hard enough being a small business, and then you have just cost after cost that you didn't see coming. Uh-huh. Cybersecurity is one of those.

Well, I can tell you stories. I I had guys calling in, and he was on a C. And he was going through it with me, and I'm telling him, and this is what you need to do this way. He got halfway through and he said, you know what?

This isn't worth it. And I said, well, what are you talking about? He says, well, for me to implement what we've talked about so far, we're talking somewhere in the range of ten he was a medium to large sized business. He's not a mom and pop.

Right? He said, I'm gonna have to implement about ten to fifteen thousand dollars worth of new devices. Mhmm. I'm gonna have to get somebody to do that and, you know, he's adding that all up.

And he gets charged a a noncompliance fee from his from his service provider, which I think he said was, like, fifty bucks a month. Oh.

So he's like So he did the math.

My risk and cost analysis tells me that I don't need you anymore. Goodbye.

Oh, no. That's one of the lowest noncompliance fees I've ever heard of. I I usually hear it.

Gone up since I was on the phones.

But The standard that I hear is about five hundred a month when when I know when they start being noncompliant and over time. But, really, the bank wants you just to be compliant. They just want you to be secure.

Well, yeah. They don't wanna have the risk. Yeah. Right?

Yeah. Exactly. Exactly.

It falls on them. I mean, they can push it somewhere else.

But Right.

And a lot of merchants want want to be secure. They don't wanna cause a problem for their customers.

Most. Yeah. I have another story for you.

Oh, no.

I had a gentleman call in and he was fighting me, you know, why do I have to do this? Why do I have to do this? And I finally hit him with, sir, when you go to a restaurant or you buy something from a company, you expect them to protect your credit card. Right?

And he goes, yeah. Of course. And he kind of stopped mid sentence, you know. And he's I said, well, don't you wanna protect the people you're taking credit card data from?

And he goes, yeah.

And then we continued from there and, you know Well, I'm glad he didn't say no.

Yeah. Right. But yeah. No. That's actually a a really good point that helping people put into context, what is it? What exactly is this for?

But then I also get, something similar where I'll get somebody, like, from the IT department that I'll be doing, consulting with or something like that. And they are not compliant, and they know they're not compliant.

And what they're looking for was someone else to tell the senior people who are spending the money they're not compliant and the the potential security risks of that. So sometimes we'll get requests for, like, a risk assessment or even just some consulting with an opinion Mhmm. And, things like, well, I've been telling them we really just need to go to P2PE. And and and how many of these would we have to answer if we did it this way? How many would we have to answer if it's this way? And then they can go and take and present to their leadership.

Look. I have to put in all of these controls if we stay doing what we're doing, or we could change our processes and not allow these behaviors, and we could do this. Or we could actually change how we take credit cards, from a device perspective, and this is what it would look like. And so sometimes, the the people that that we get to talk to just wanna look at what are my options, what it's gonna cost me over time.

For that company.

Yeah. And and they don't have a way of you usually figuring that out without having someone who has seen a lot of different implementations of a lot of a lot of different types and be able to get that experienced knowledge from us.

Very important. I I would agree. Unfortunately, most of the customers that that we're talking about with me that that are calling in, they're level fours. They're mom and pops.

They're small. They've only got a couple of options.

I mean, we we have we you know, our faster pass, the fast pass that we use? Yeah. One of the questions is, are you the only employee? Yeah. Because we get that often enough that we had to put it in there.

And and that I mean, that's a really great question because if they're the only employee and they don't have answers, then it kind of helps you guide, well, how do we get these answers?

Well, it it really helps with policy questions. Right?

Yeah.

If you don't have employees, you're not gonna have to have, like, half the policies.

Right. Do you have a policy for this? Yeah. No. No. Because it's just me.

Yeah. Yeah.

I think those are some really interesting things and, the knowledge for small merchants on what this is all about and how support can help them.

What what else if you're if you're, you know, talking to small merchants, they're looking at PCI, the the bank has told them you need to call SecurityMetrics. What would you like them to do that's going to help them prior to calling in?

Well, we mentioned it before. Learn learn your business, your devices, your network, how your devices are talking to each other. You What did you purchase from your service provider? What kind of system is it?

A lot of people don't even know the difference between an ethernet line and a phone line. Yeah. An RJ45 jack versus We have to say these things. Is it a blue wire?

Is it flat? Does it have a smaller head than the other one?

Yeah. I get it. And and merchants shouldn't feel embarrassed about not knowing these things.

Oh, we get it.

That's not I mean, that is absolutely not the core.

So they can actually understand.

It's our job to to make things to really distill it to its most essential so that the questions that we ask, that your team asks, helps guide them in the giving the right answers because security code controls are not gonna be correct. This the SAQ is not gonna be correct if we don't understand the scope to begin with.

Yeah. Well, there's there's a lot of things they they they can do. Most of it is is teaching themselves, you know, about their own systems.

Many fight that, though. So when I say that, I I we have a lot of people just think that they're gonna call in and get everything done in five minutes. If you really wanna be secure Yeah. That's not gonna happen.

So so take the time to at least have the information about their systems available. Uh-huh. And then understand that they need to set aside time when they do call in, take the time that it takes to to to get the questions answered, and understand that possibly they're gonna have to suspend the call, go find out some information that they didn't have, and then come back.

Yeah. And because we answer so quickly, it shouldn't be a problem.

A lot of people, they they have this frustration that I mean, I have to call back because they're used to some phone because they're used to the experience you had with the, artificial intelligence.

Twenty minutes to actually get back and talk. No. That's not gonna happen. You you're gonna get somebody in fifteen seconds.

Yeah. This honestly, this is why when I travel, I will not use the Delta, chatbot because because it doesn't it's AI, and it doesn't understand half the things. Like, if I've gotten to a point where I have to ask a question, then I need a human to answer it.

So I immediately spam agent agent agent four zero zero on the phone.

Give me a human.

And the AI is yelling at me like, I can't do that.

So so, long story short, call into SecurityMetrics and meet a human.

Yeah. You'll get an actual human.

Well, anything that I've missed in this conversation?

A lot of people ask us how our scanner works.

Oh. Yeah.

I don't know if everybody would be interested in that.

For well, I'm interested.

I I can give the basic story of our our scanner because people don't understand what is it what is it doing and how does it work.

Let's go over that.

Okay. The scanner, it is it's based off of the the n the NVD, the National Database of Vulnerabilities. Uh-huh. If you don't know what that is, go look it up. There's an actual database of all vulnerabilities.

Mhmm. Vulnerabilities that exist that we know of in the world.

It's run by NIST, which is part of the federal government. Yeah.

Anyway, I that scanner uses that database and those vulnerabilities, and it will scan all 65,535 ports Oh my goodness.

Which is not the same thing as a port you plug into your router. Think of it as a, a logical I like to think of it as of highways of information.

Mhmm.

You know, each lane is a different service.

Yeah. It's code set up to intake Yeah.

Yeah.

So information in a different way.

Will be set up to to ingest emails. Right? Your your SMTP or your IMAP or your POP3 or whatever. Mhmm. Some of it will be for, web services, you know, HTML, you know, 843. Like, it's been a while, but I think that's the port for for, web traffic HTML.

Anyway, so it'll scan all of those ports to see, and it'll just send a message say, hey, are somebody there? And if your system says, yeah, we're here. What do you want? And then we'll start start going against all of those vulnerabilities looking for, are you vulnerable to this?

Are you vulnerable to that? If it finds that, it'll put in the report Yeah. And it'll tell you, hey, you are susceptible to these attacks. Yeah.

So, what that means is call our Scantec and they'll explain to you what you need to do. You know what's crazy is half the time that they're getting deemed these these smaller merchants bigger merchants are different. They have all kinds of things, especially on websites. You have cross site scripting Yep.

And injection Mhmm. And a and a bunch of different things that can happen on a website.

You know, they they have their directory showing or something that that gives all the different things that that an attacker could go after and, you know, it gives them a list of of of known surface attacks. You don't wanna do that. Right? Yeah. But the the smaller ones, it's often camera systems.

Oh, interesting.

Yeah.

Because the camera systems has has usually, like, you know, a GUI interface Yeah.

Where you log in and you can go. And so that's an attack surface and, well, you don't have to have a remote function. If you turn off the remote function, we're not gonna flag you for it. And I I can't tell you how many times that that has actually been the story. But you you go look at the results and it's telling you you have to go fix the authentication for that login, which is way more difficult. Plus, it's a third party system. Right?

You know what? Gonna do that? I've had a a customer that had this very issue. And and what was crazy is, like, why why do you have your camera system, as part of your PCI?

Yeah.

Why you have it hooked up to In the end, they didn't.

It wasn't it wasn't part of their scope, but they had given these IP addresses to the scanner because they didn't know not to give those because they didn't realize, oh, they it doesn't communicate. And so I understand. So so getting back to what is your scope, knowing what communicates with what, you're going to protect yourself from having to do all this work to shut down ports in a system that's not even part of your PCI scope. Right? So the it it starts feeling technical because it is technical. And that's why sometimes there's advantage in getting someone with IT knowledge to help you as a small merchant.

Common sense solution, and it's easy to do. And even I mean, I had a guy call in who had a sonic router, and he was getting flagged for, you know, a login page because he had remote access on.

Yeah.

So I said, well, turn that off. He said, how? And I said, well, I I don't own Sonic, so I can't give you support for that. And he begged and he begged, it's against our rules to do this. Yeah. To give support.

Oh, no. Yeah.

If you were more helpful than you were supposed to be.

Well, so I go, hey. Look. Every router has a LAN and a WAN. Uh-huh. Okay?

You just turn off the WAN, the the wide area network. And so this the LAN, you could only hook up if you're inside the network. Yep. So if you turn off the WAN, this will no longer flag.

And he goes, okay. Let me do that. So he says he did it. And I go, okay.

And then he stops me and he goes, hang on a second. I just lost all network. I I don't he had turned off everything.

Oh, no. Yeah. Well, you can't turn off everything because then that's not gonna communicate. Back in. Oh, dear.

So I was terrified. I thought he bricked it.

I I had to show him the where the reset button underneath the router, which is another thing I'm not supposed to be doing. So giving them too much support can actually be a problem.

You are a cowboy for sure.

My my favorite there being overly helpful.

I don't know.

My favorite story is, a guy called in and he had a camera system that was causing him to fail, and he said he was absolutely secure. He knew more than I did. So I needed to just remove it from the scan. Right?

Okay.

Very, very obstinate gentleman who owned, some kind of fish store, aquariums and whatnot. So as he was talking and and berating me for for not understanding his situation, I said, hey, do I have permission to, get into your network if I can? And and he said, yeah. Go ahead.

You will not be able to. So I went and I I looked up the the camera system, which I it pops up by just going into the the the browser and typing in his port that he was using. Right? So I I get in.

I look at the page. I see what camera he's using.

I go look up default The hunt the default password to use the password.

On the Internet.

And almost everything, actually yeah.

Almost everything, the defaults are listed on the notes on the Internet.

So I used the default password. I got in, and it happened to be one of those cameras that moves. And I took control of it, and I I started scanning the area. And I'm right above him and right above the cash register.

No. And he's wearing a plaid blue plaid shirt, and I said, sir, are you wearing a blue plaid shirt? And he said, what? What are you talking about?

How did you know that? And I said, look up, and I made the camera do this.

Did this make him mad or did it help him understand that he needed to do that?

In the end, he was actually quite satisfied with his support, and he realized he needed to But we don't want the bad guys to do that.

Right? That's the whole thing is is that, the knowledge that you have and the knowledge that your team has can help people, be more secure, not get themselves into the problems that we see a lot in in small businesses.

And so, and I think that that's one of the biggest misconceptions about PCI that people have. They they think it's like you said earlier, they think it's just checkbox, and they they think it's just a big hassle that their bank is requiring from them, not understanding that these are the basics.

That if you put these basics in place, then then we have seen over and over again that this is gives you a measure of protection and security.

Yeah. You're touching on unfortunately, we get a lot of people calling in saying that this whole system is a scam. It's just a way to get more money for merchants. And, unfortunately, I I sympathize.

Yeah. I know it's difficult. And I know there's noncompliance fees, depending on which process you're going with but in the end protecting the credit card data and protecting your customers credit card. You could ruin your whole company, with a bad reputation if you get pointed out as the person who lost, you know, ten thousand credit cards, you know, Target lost, what, five million, like, eight years ago?

Yeah.

What was that? Well, which time?

Good point. Good point.

So I guess long story short is that that, we're not here to try and make merchants' lives harder or cost them more money. The the service that that we offer, you know, through through the support team, it really is, I think, valuable and can help small merchants get through this process of PCI compliance with a little bit less pain.

Yeah. We try our our best to to get them through as quickly and as as without his frustration, but it it's a it's a large document.

Well, thank you for coming and talking to me today. I I hope that that you listening at home, found something valuable. If you know a small merchant that might find some value in this conversation, please share out this, episode with them, and we'll talk to you again soon.

Thanks for watching. To watch more episodes of the SecurityMetrics Podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.
