Too Small to Count

  • By Kim Singletary
  • Dec 02, 2013

Too Small to CountThe biggest factor facing small businesses today is the ever-present issue of uncertainty. The items that come top of mind are usually taxes, healthcare issues or the economy, but make room for more worries about credit card processing and PCI-DSS compliance.

The PCI Security Standards Council has recently published their change highlights getting ready for PCI-DSS 3.0, indicating new sub-requirements due to the growing maturity and increased security risks in the payment security industry since PCI-DSS inception in 2006.

This industry continually expands through guidelines, education and continued qualification programs that touch every aspect of the ecosystem and providers for credit card processing including the payment processing software programs, the pin-pad terminals, the qualified security assessors, approved scanning vendors and the set of data security standards that merchants need to follow.

For those who may not be familiar with the basics of processing credit cards, it always involves four parties: the merchant, the acquiring bank which provides the processing services for the merchant, the customer and the bank that issued the card to the customer. The agreements, terms, fees and liability is set between the major card brands and these four parties. However, backlash from the constant news of breaches, albeit mostly larger entities, is starting to draw other parties into this equation. This does not look favorable for small merchants that continue to think that security and PCI-DSS compliance isn’t a concern or that they are too small to count.

The usual penalizing mechanisms for a merchant breach with card payment data as outlined by PCI-DSS and would cause the merchant to significantly increase their cost of credit-card processing. They would have to prove PCI-DSS compliance but no longer by the standards set for Level 4 merchants that allows them to provide self-assessment reporting. Annually, they would have to hire a qualified security assessor as listed and certified by the PCI Security Standards Council website and follow the requirements given for Level 1 tier merchants forever more. This cost could range from $5,000 to upwards of tens of thousands of dollars depending on the scope of the card-processing systems and network. It’s unknown how many merchants have been penalized in this manner because of a breach; and likely, we will not know since the terms and required compliance is a closed-agreement between the major card brands and the four parties. But, as maturity continues to come to this industry so does the ability to detect and alert fraudulent trends that point back to the lack of security on the part of the merchants. Do not think that as a small business your volume of transactions is too small to be able to pin-point an issue back to your organization.

Fraud is usually reported to local and state enforcement agencies, but lately, state attorney generals are getting notified. Banks bear a costly burden when they have to re-issue credit cards to their customers and are not pleased when they encounter reoccurring fraud on a single account. In Virginia, for example, a merchant was prosecuted by the state attorney general’s office, holding them accountable for the losses associated with credit card fraud. They were found not in compliance with state laws that require timely resolution and customer breach notification. Because they did not take action quickly to rectify the security situation, their customers were hit with repeating fraud, even after being issued new credit cards.

Acquiring banks and merchants have set agreements and are required to ensure PCI-DSS compliance of any new merchant that they sign on for their services. But, compliance is really only a judgment based on a point-of-time review and is not an indicator that ongoing security basics will be executed to continually protect the credit card data. For the most part, if fraud is detected, the fines and liability fall on the acquiring bank, and they must penalize the merchant that does not keep up with their security responsibilities.

It is human nature, especially if we are time constrained, budget constrained or just hesitant because we don’t understand something to think that if something is working – leave it alone!  Business cannot think about their point of sale systems and online payment services this way; they need to consider these as critical services. With minimal maintenance, actions can be taken to avoid the uncertainty and minimize risk of ruin from preventable fines and possible legal actions:

  • Take cues from the proposed changes to PCI-DSS;
  • Ensure that you change default passwords;
  • Use strong passwords;
  • Plan to change passwords ever so often to prevent unauthorized access;
  • Ensure virus protections, patches and updates to your systems and payment applications are applied in a timely manner; and  
  • Get help from qualified system integrators that have participated in the PCI-DSS certification program or look for approved scanning vendors that help you ensure your report for security self-assessment is accurate.

About the Author

Kim Singletary is the director of product marketing at McAfee where she is focused on how technology, mobility, data, and the Internet of Things are changing our day-to-day work environments and the ramifications of sustainable security, compliance and privacy.

Featured

  • Security Today Announces 2025 CyberSecured Award Winners

    Security Today is pleased to announce the 2025 CyberSecured Awards winners. Sixteen companies are being recognized this year for their network products and other cybersecurity initiatives that secure our world today. Read Now

  • Empowering and Securing a Mobile Workforce

    What happens when technology lets you work anywhere – but exposes you to security threats everywhere? This is the reality of modern work. No longer tethered to desks, work happens everywhere – in the office, from home, on the road, and in countless locations in between. Read Now

  • TSA Introduces New $45 Fee Option for Travelers Without REAL ID Starting February 1

    The Transportation Security Administration (TSA) announced today that it will refer all passengers who do not present an acceptable form of ID and still want to fly an option to pay a $45 fee to use a modernized alternative identity verification system, TSA Confirm.ID, to establish identity at security checkpoints beginning on February 1, 2026. Read Now

  • The Evolution of IP Camera Intelligence

    As the 30th anniversary of the IP camera approaches in 2026, it is worth reflecting on how far we have come. The first network camera, launched in 1996, delivered one frame every 17 seconds—not impressive by today’s standards, but groundbreaking at the time. It did something that no analog system could: transmit video over a standard IP network. Read Now

  • From Surveillance to Intelligence

    Years ago, it would have been significantly more expensive to run an analytic like that — requiring a custom-built solution with burdensome infrastructure demands — but modern edge devices have made it accessible to everyone. It also saves time, which is a critical factor if a missing child is involved. Video compression technology has played a critical role as well. Over the years, significant advancements have been made in video coding standards — including H.263, MPEG formats, and H.264—alongside compression optimization technologies developed by IP video manufacturers to improve efficiency without sacrificing quality. The open-source AV1 codec developed by the Alliance for Open Media—a consortium including Google, Netflix, Microsoft, Amazon and others — is already the preferred decoder for cloud-based applications, and is quickly becoming the standard for video compression of all types. Read Now

Most   Popular

New Products

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge.

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.