Help From Your Friends

Many small businesses desperate for PCI compliance assistance

Identity theft and credit card fraud are the fastest growing crimes in the United States. The Federal Trade Commission reports that one in six Americans will be a victim of identity theft this year and that identity theft has been the No. 1 consumer complaint for the last four years.

Banks and credit card companies are responding quickly and aggressively to the challenge. In 2004, many companies banded together to form the Payment Card Industry Security Standards Council, aligned policies and released the Payment Card Industry Data Security Standard. This document set out a list of requirements that must be met by all vendors who accept credit card transactions. PCI DSS also included various deadlines for compliance based on transaction levels.

All merchants must eventually adopt these standards if they want to continue accepting credit card payments. To date, most of the industry’s efforts have focused on larger merchants. In fact, in October 2007, Visa reported that 65 percent of the nation’s largest retailers are now compliant with the industry standards.

However, any good security expert will tell you that you’re only as strong as your weakest link. PCI SSC knows this and is beginning to turn its attention to smaller retailers. Since 2005, more than 80 percent of the instances of unauthorized access to card data have involved small merchants. Visa also reports that these small businesses account for 85 percent of the 7 million locations nationwide that accept credit cards.

The Root of the Problem
Small merchants do not have the technical resources of larger retailers. While most large retailers regularly upgrade their computer systems, small merchants typically stick with one type of software and are reluctant to change or update.

The complex process of PCI compliance can be quite daunting to small and mediumsized merchants. When Tim Haight, owner of Merrill Ace Hardware of Merrill, Wis., first received notice of the PCI deadlines in a cooperative newsletter, he panicked.

“I realize the importance of this issue, and our company has already taken many steps to protect our customer data,” Haight said. “But I found the new requirements and standards to be overwhelming and confusing. I don’t have an IT staff to help me with our computer network and systems. Like most small business owners, I am the marketing department, IT department, sales department and customer service ... all rolled into one.”

Achieving Compliance
At that point, Haight enlisted the services of Activant Solutions. Merrill Ace Hardware has been using Activant Eagle® software to manage customer orders, handle point-ofsale operations and control inventory levels for four years. Haight asked Activant to help him address the technical portion of Ace’s PCI compliance survey. Technicians advised Haight regarding the Ace survey and conducted their own PCI compliance survey.

The PCI compliance security standards are technical and operational requirements that were created to help organizations that process credit card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats. Merrill Ace Hardware uses Watchdog ISS services to protect its network from outside attacks, which provides a business-class level of security and protection for small to mediumsized merchants. Most of these businesses do not have a dedicated IT person or the expertise to protect the business from all the new threats that exist today.

Watchdog is a managed security solution designed for the small business owner. Each installation begins with a thorough analysis of a merchant’s network operations to determine the specific security measures appropriate for that business.

Watchdog deploys the latest technologies available to provide anti-intrusion services, virus and spyware protection, Web content filtering and a continuously monitored and updated firewall. Requirement No. 1 of the PCI DSS is install and maintain a firewall configuration to protect cardholder data.

Watchdog comes equipped with an antivirus suite that updates its definitions automatically. Requirement No. 5 of the PCI DSS mandates the use and regular updating of antivirus software. Because of the enforced antivirus protection, all networked computers share the same protection—eliminating concerns about which computers are protected with the latest virus updates.

Installers activated an antivirus and spyware client on each PC and laptop, which is different from consumer versions of this software. This is enforced protection—even if an end user figures out how to uninstall it, it will not let him access the Internet until it automatically reinstalls the antivirus and spyware protection. If a Watchdog-protected laptop is used for business travel, the system will automatically update its protection upon reconnection.

“As a small business owner, it’s a relief to have a technology partner who can come in and use their knowledge and experience to help me solve complex issues such as this one,” Haight said. “PCI compliance is a long and complicated process, but it is encouraging to know that my technology is sound and that my technology partner is helping me meet PCI DSS requirements.”

This article originally appeared in the March 2009 issue of Security Today.

  • Environmental Protection
  • Occupational Health & Safety
  • Infrastructure Solutions Group
  • Spaces4Learning
  • Campus Security & Life Safety