
PCI Compliance - How To Keep Your Business Safe From Credit Card Criminals


Cyber criminals are shifting their focus to smaller businesses that accept credit card payments, which means your business could be next. With 60% of small businesses going under within 6 months of being breached, the cyber security and PCI compliance of your business should be one of your top priorities. Full article: http://fitsmallbusiness.com/pci-compliance-for-small-businesses/


Page 1: PCI Compliance - How To Keep Your Business Safe From Credit Card Criminals

Protect Your Business From Credit Card Criminals: PCI Compliance

Page 2

Why Is Cyber Security Important For Your Small Business

Page 3

Cybercriminals Are Now Targeting Smaller Businesses

Attackers are going after small businesses in great numbers, because that is where security is weaker. 60% of small businesses that suffer a data breach are out of business 6 months later. A recent survey by Fortinet found nearly two-thirds of consumers held merchants responsible for data breaches.

Page 4

A basic overview

Page 5

To help understand these issues we spoke with Simon Gamble, small-business cyber security expert and president of Mako Networks' U.S. branch. He began with three comments:

Page 6

1) Any small business that accepts credit cards is a potential target for a cyber security breach.

Page 7

2) Small businesses are held to the same credit card security standards (discussed later in this presentation) as large businesses such as Target or Home Depot.

Page 8

3) Any small business that suffers a cyber security breach and is found to be non-compliant with credit card security standards is fully liable for the charges related to the breach.

Page 9

You Could Be a Target

If you are a small business that accepts credit cards, then you are a potential target for a cyber attack. Attackers are increasingly going after small businesses because their networks are easier to break into and their compliance with credit card security standards is checked less often.

Page 10

PCI Compliance (Credit Card Security Standards)

Page 11

If you accept credit cards, then you have agreed, through your merchant agreement, to abide by the PCI DSS (Payment Card Industry Data Security Standard).

The PCI DSS is a set of requirements designed to ensure that every company that processes, stores, or transmits credit card data maintains a secure environment. It applies to the whole environment that handles or can reach card data, not just the payment terminal.

Page 12

Security Breaches, Liability, and Other Consequences

If your small business is suspected of a security breach, a forensic investigator accredited by the PCI Council (a PCI Forensic Investigator, or PFI) is brought in to determine whether there was a breach and how it occurred. This process in and of itself can be crippling for a small business, shutting down operations for a minimum of several days and costing between $8,000 and $20,000 in investigation fees.

Page 13

If your business is found to be non-compliant, you are held liable for more charges:

1. Data Security Fine – up to $500,000 per security breach incident.
2. Non-Compliance Fines – up to $50,000 per day for non-compliance with published standards.

Page 14

3. Card Replacement Fees – $3–$10 per card, multiplied by the total number of cards compromised.
4. Refund Fees – potentially held liable for all fraud losses incurred from compromised account numbers.

Page 15

How To Be PCI DSS Compliant and Protect Your Business from Cyber Threats

Page 16

The key is to make sure your business is PCI DSS compliant. Why? First, the controls PCI DSS requires (a properly configured firewall, a separate payment network, no default credentials, regular vulnerability testing) close the weaknesses most small-business breaches exploit. Compliance is not a guarantee, and companies validated as compliant have still been breached, but it removes the easy targets. Second, if your business is breached while demonstrably compliant, you are not exposed to the non-compliance fines listed above. Here's how to make your business PCI DSS compliant.

Page 17

Know the Requirements for PCI DSS Compliance

You need to know what you have signed up for and what is required for your business to be compliant. If you don't, you won't know what steps you need to take in order to secure your business.

Page 18

There are two main ways to make your business more secure and PCI DSS compliant:

1. Hire a PCI DSS Qualified Security Assessor (QSA)
2. Do-It-Yourself

Page 19

PCI Compliance Is More Than Transaction Compliance

Many businesses purchase a POS system that is sold as PCI compliant and think that they are compliant. In reality, that validation covers only how the device or application handles the card transaction. Your PCI DSS obligation covers your whole cardholder data environment: the payment network, every system that connects to it, and the people and processes around it, all of which must also be compliant.

Page 20

Compliance Areas

A detailed list of all compliance areas can be found here. Remember to follow the PCI Standard's continuous three-step process:

1. Assess
2. Remediate
3. Report

Learn more about PCI standards here.

Page 21

Take The Necessary PCI Compliance Steps

Page 22

Hiring a PCI DSS QSA

PCI SSC certified QSAs are organizations that have been qualified by the PCI Council to assess compliance with the PCI DSS. Hiring a QSA saves you the time it would take to do the research yourself and gives you confidence that the assessment was done right.

Page 23

The big downside to hiring a QSA is cost.

You have to pay the QSA's fees, which are generally quite expensive. One quote I checked on charged a base fee of $5,000 plus $200 for every hour. On top of that, you have to pay for the equipment and software needed to fix whatever problems the QSA finds, which is also costly.

Here is a list of PCI certified QSA companies.
Here is a guide about what to look for in a PCI DSS QSA.

Page 24

Do-It-Yourself

Here is how to do it:

1. Educate yourself.
2. Secure your payment network.
3. Use security software that tests for vulnerabilities.
4. Fill out and submit your PCI DSS Self-Assessment Questionnaire (SAQ).

Page 25

Educate Yourself

Here is the link again for the PCI DSS quick reference guide. Although it is a bit rough to get through, it is only 33 pages and is important to read if you plan on monitoring PCI DSS compliance yourself.

Page 26

Secure Your Payment Network

There are three main recommended action steps every small business can take to make its network more secure and compliant:

Page 27

1. Install a Proper Firewall

A properly configured firewall stops attackers from reaching, and stealing information from, your business systems: it should deny everything by default and allow only the connections your payment devices actually need. We recommend Mako Networks, which offers a secure and PCI DSS compliant payment network, complete with firewall, starting at around $80/month. Check out their distributor list to find a reseller near you.

Page 28

2. Have a Separate Network for Payment Services

Separating your payment network from your other business networks (for example, office PCs and guest Wi-Fi) means an attacker who gets into the general business network has no path to sensitive card data. Segmentation also shrinks the part of your environment that PCI DSS applies to, which makes compliance cheaper to achieve and to verify.

Page 29

3. Change Usernames and Passwords Every 90 Days or So

Change default usernames and passwords as soon as you can: vendor defaults are published in product manuals and are the first thing an attacker tries. Then change usernames and passwords every 90 days. Here is a general guide to changing your wireless network password.
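The three payment-network steps above (a default-deny firewall, a separate payment segment, and no default or stale credentials) are easier to verify than to describe. The Python script below is an added example, not code from the presentation, from Mako Networks or from any other vendor: it models a first-match firewall policy and an account inventory and checks them against those steps, with a "flat" everything-open policy as the weak setting and a segmented policy as the corrected one. All addresses, rules, devices and dates are constructed test data; the `default_login_works` flag is assumed to come from an earlier login attempt with the vendor's documented defaults, which the script does not perform.

```python
"""Added example: checking a small-business network against the three
payment-network rules above (firewall, separate payment segment, no default
or stale credentials). All addresses, rules and accounts are constructed
test data; nothing here comes from the presentation or from any vendor."""
from datetime import date
from ipaddress import ip_address, ip_network

# Assumed layout: an office LAN, a separate cardholder-data (payment)
# segment, and the payment processor's gateway (RFC 5737 test addresses).
OFFICE_LAN = "192.168.10.0/24"
PAYMENT_NET = "192.168.20.0/24"
PROCESSOR = "203.0.113.10/32"

# A rule is (src_cidr, dst_cidr, dst_port_or_None, action). Rules are
# evaluated top-down, first match wins, and an unmatched flow is denied.
FLAT_POLICY = [
    ("0.0.0.0/0", "0.0.0.0/0", None, "allow"),   # weak setting: everything open
]

SEGMENTED_POLICY = [
    (PAYMENT_NET, PROCESSOR, 443, "allow"),       # POS talks only to the processor
    (OFFICE_LAN, PAYMENT_NET, None, "deny"),      # office has no path to card data
    ("0.0.0.0/0", PAYMENT_NET, None, "deny"),     # nor does anything else
    (OFFICE_LAN, "0.0.0.0/0", None, "allow"),     # office may browse outbound
]


def decide(policy, src, dst, port):
    """Return 'allow' or 'deny' for one flow under first-match semantics."""
    s, d = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, rule_port, action in policy:
        if (s in ip_network(rule_src) and d in ip_network(rule_dst)
                and (rule_port is None or rule_port == port)):
            return action
    return "deny"  # implicit default-deny at the end of the chain


def segmentation_findings(policy):
    """Probe the flows an assessor would ask about. Returns a description
    of each flow the policy gets wrong; an empty list means it passes."""
    probes = [
        ("office workstation can reach a POS terminal", "192.168.10.55", "192.168.20.5", 22, "deny"),
        ("internet host can reach a POS terminal", "198.51.100.7", "192.168.20.5", 443, "deny"),
        ("POS terminal can reach arbitrary internet hosts", "192.168.20.5", "198.51.100.7", 80, "deny"),
        ("POS terminal cannot reach the processor on 443", "192.168.20.5", "203.0.113.10", 443, "allow"),
    ]
    return [desc for desc, src, dst, port, expected in probes
            if decide(policy, src, dst, port) != expected]


def credential_findings(accounts, today, max_age_days=90):
    """Flag devices that still accept the vendor default login, and passwords
    older than the rotation period. `default_login_works` is assumed to be
    the result of an earlier login attempt with the documented defaults;
    that attempt is not performed here."""
    findings = []
    for acct in accounts:
        age = (today - acct["changed"]).days
        if acct["default_login_works"]:
            findings.append(f"{acct['device']}: default credentials still accepted")
        elif age > max_age_days:
            findings.append(f"{acct['device']}: password is {age} days old")
    return findings


# Constructed inventory: a router on defaults, a stale POS password, one fine.
ACCOUNTS = [
    {"device": "edge-router", "user": "admin", "changed": date(2014, 1, 1), "default_login_works": True},
    {"device": "pos-01", "user": "posadmin", "changed": date(2014, 9, 1), "default_login_works": False},
    {"device": "pos-02", "user": "posadmin", "changed": date(2015, 1, 10), "default_login_works": False},
]
AUDIT_DATE = date(2015, 2, 1)  # constructed "today" so results are reproducible


def audit_sample_accounts():
    """Run the credential check over the constructed inventory."""
    return credential_findings(ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name, segmentation_findings(policy) or "OK")
    print(audit_sample_accounts() or "OK")
```

The flat policy fails three of the four probes (only the POS-to-processor flow is right, and only by accident); the segmented policy passes all four because the last rule for the payment segment is an explicit deny and anything unmatched is denied anyway. Run the same probes against a real firewall with a port scanner from an office workstation to confirm that the configured rules match the written policy.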

Page 30

Use Security Software That Tests for Vulnerabilities

There are various software options available that test your network and payment terminals for breach vulnerability and PCI security compliance. Check with your payment processor first; some offer free PCI DSS testing. If not, we recommend Control Scan Inc's PCI 1-2-3. Note that if any of your payment systems are reachable from the internet, PCI DSS also requires quarterly external scans by an Approved Scanning Vendor (ASV), so check that whichever tool you choose covers that.

Page 31

Fill Out Your PCI DSS Self-Assessment Questionnaire

To be PCI compliant, small businesses are required to complete an annual PCI DSS Self-Assessment Questionnaire (SAQ). The SAQ is a do-it-yourself checklist for determining compliance; there are several versions, and which one applies depends on how you accept card payments (for example, a standalone dial-out terminal versus an internet-connected POS). Instructions and the link to complete the questionnaire can be found on PCI's self-assessment forms page.

Page 32

What to Do if You Suspect You Have Been Breached

Page 33

If you suspect a breach, here is what you need to do:

1. Report the breach to your payment processor or merchant bank.
2. Check state disclosure regulations and alert local law enforcement.
3. Comply fully with any PCI DSS audit.

A comprehensive guide to determining and dealing with a possible breach is available on Visa's website.

Page 34

1. Report the Breach

If you suspect a breach, contact your payment processor or merchant bank and let them know that a possible security breach has been detected. They will then go over the protocol and determine what should be done.

Page 35

2. Check State Disclosure Regulations

Check your state's regulations to see whom you are supposed to inform. In most cases, you must let customers know that there has been a possible security breach, usually in writing. Generally, you should also alert your local law enforcement agency.

Page 36

3. Comply Fully With Any PCI DSS Audit

Your payment processor or merchant bank normally initiates a PCI DSS audit. If you are notified of an upcoming audit, gather all of your information related to PCI compliance and have it ready for the investigators when they arrive. Do not wipe or rebuild the suspected systems before they arrive; the investigation depends on the evidence still on them.

Page 37

CONCLUSION

The cyber security and PCI DSS compliance status of your small business is an important issue.

If you follow this guide and take the necessary steps, your business will be more secure than many other small businesses out there and will be prepared should a cyber attack actually take place.
