Too Small to Count -- Security Today

Too Small to Count

By Kim Singletary
Dec 02, 2013

Too Small to Count The biggest factor facing small businesses today is the ever-present issue of uncertainty. The items that come top of mind are usually taxes, healthcare issues or the economy, but make room for more worries about credit card processing and PCI-DSS compliance.

The PCI Security Standards Council has recently published their change highlights getting ready for PCI-DSS 3.0, indicating new sub-requirements due to the growing maturity and increased security risks in the payment security industry since PCI-DSS inception in 2006.

This industry continually expands through guidelines, education and continued qualification programs that touch every aspect of the ecosystem and providers for credit card processing including the payment processing software programs, the pin-pad terminals, the qualified security assessors, approved scanning vendors and the set of data security standards that merchants need to follow.

For those who may not be familiar with the basics of processing credit cards, it always involves four parties: the merchant, the acquiring bank which provides the processing services for the merchant, the customer and the bank that issued the card to the customer. The agreements, terms, fees and liability is set between the major card brands and these four parties. However, backlash from the constant news of breaches, albeit mostly larger entities, is starting to draw other parties into this equation. This does not look favorable for small merchants that continue to think that security and PCI-DSS compliance isn’t a concern or that they are too small to count.

The usual penalizing mechanisms for a merchant breach with card payment data as outlined by PCI-DSS and would cause the merchant to significantly increase their cost of credit-card processing. They would have to prove PCI-DSS compliance but no longer by the standards set for Level 4 merchants that allows them to provide self-assessment reporting. Annually, they would have to hire a qualified security assessor as listed and certified by the PCI Security Standards Council website and follow the requirements given for Level 1 tier merchants forever more. This cost could range from $5,000 to upwards of tens of thousands of dollars depending on the scope of the card-processing systems and network. It’s unknown how many merchants have been penalized in this manner because of a breach; and likely, we will not know since the terms and required compliance is a closed-agreement between the major card brands and the four parties. But, as maturity continues to come to this industry so does the ability to detect and alert fraudulent trends that point back to the lack of security on the part of the merchants. Do not think that as a small business your volume of transactions is too small to be able to pin-point an issue back to your organization.

Fraud is usually reported to local and state enforcement agencies, but lately, state attorney generals are getting notified. Banks bear a costly burden when they have to re-issue credit cards to their customers and are not pleased when they encounter reoccurring fraud on a single account. In Virginia, for example, a merchant was prosecuted by the state attorney general’s office, holding them accountable for the losses associated with credit card fraud. They were found not in compliance with state laws that require timely resolution and customer breach notification. Because they did not take action quickly to rectify the security situation, their customers were hit with repeating fraud, even after being issued new credit cards.

Acquiring banks and merchants have set agreements and are required to ensure PCI-DSS compliance of any new merchant that they sign on for their services. But, compliance is really only a judgment based on a point-of-time review and is not an indicator that ongoing security basics will be executed to continually protect the credit card data. For the most part, if fraud is detected, the fines and liability fall on the acquiring bank, and they must penalize the merchant that does not keep up with their security responsibilities.

It is human nature, especially if we are time constrained, budget constrained or just hesitant because we don’t understand something to think that if something is working – leave it alone! Business cannot think about their point of sale systems and online payment services this way; they need to consider these as critical services. With minimal maintenance, actions can be taken to avoid the uncertainty and minimize risk of ruin from preventable fines and possible legal actions:

Take cues from the proposed changes to PCI-DSS;
Ensure that you change default passwords;
Use strong passwords;
Plan to change passwords ever so often to prevent unauthorized access;
Ensure virus protections, patches and updates to your systems and payment applications are applied in a timely manner; and
Get help from qualified system integrators that have participated in the PCI-DSS certification program or look for approved scanning vendors that help you ensure your report for security self-assessment is accurate.

About the Author

Kim Singletary is the director of product marketing at McAfee where she is focused on how technology, mobility, data, and the Internet of Things are changing our day-to-day work environments and the ramifications of sustainable security, compliance and privacy.

ZBeta Strengthens Its Advisory Bench with New Appointment
05/05/2025
Security Trends Reshaping Enterprise Resilience Into 2027
05/05/2025
Amerant Bank Selects Omnilert AI Technology for Enhanced Video Surveillance Security
05/02/2025
Minnesota County Is Still Reaping Huge Benefits from ASAP Service
05/01/2025
Winsted Unveils Pinnacle Collection with Sliding Worksurface
04/30/2025
Everon Awarded Sourcewell Cooperative Purchasing Contract
04/30/2025
Honeywell Signs Global Distribution Agreement With Milestone Systems
04/28/2025
DSI Security Services Announces Leadership Reorganization and Strategic Growth Initiatives
04/21/2025

Featured

Body-Worn Cameras on the Rise

On the evening of Oct. 29, 2024, the owner of 300 Guard based in Houston, was shot while on duty at a convenience store. He returned fire. He was wearing a plated vest and thankfully recovered in the hospital. Read Now
- Government
Fast-Forward from 1,000 B.C.E. to Today

The lock and key have been around since time immemorial. In fact, the locksmith profession is one of the oldest in the world when you consider the earliest wooden tumbler lock debuted three-plus millennia ago. Read Now
- Access Control
Brazil Port Enhances Surveillance and Supports Wildlife Conservation with Sustainable Technology

Ferroport, which operates the iron ore terminal at the Port of Açu in São João da Barra, Rio de Janeiro, Brazil, has deployed state-of-the-art video surveillance cameras from Axis Communications to enhance nighttime security and visibility, while decreasing environmental impact and prioritizing sustainability. With cutting-edge technology, the port now has precise surveillance cameras that capture high-quality nighttime images, while reducing the amount of artificial lighting that negatively impacts the surrounding ecosystem. Read Now
- Government
Verizon’s 2025 Data Breach Investigations Report Notes Alarming Cyberattack Surge Through Third Parties

Verizon Business recently released its 2025 Data Breach Investigations Report (DBIR), which reveals a significant increase in cyberattacks. The report found that third-party involvement in breaches has doubled to 30%, and exploitation of vulnerabilities has surged by 34%, creating a concerning threat landscape for businesses globally. Read Now
- Cybersecurity
Net2 Access Control Increases Reliability at Residential Complex

Encore Atlantic Shores is a residential complex of 240 luxurious townhomes for ages 55 and over in Eastport, New York. Completed in 2011, the site boasts an 11,800 square foot clubhouse, with amenities such as a fitness center, heated indoor pool, whirlpool spa, multi-purpose ballroom, cardroom and clubroom with billiards, tennis courts and an outdoor putting green. Read Now
- Access Control

Security Today eNews

Sign up today for essential industry news and product information that can help you stay afloat in the fast-paced world of security.

Email Address*Country*

Please type the letters/numbers you see above.

Webinars

Whitepapers

New Products

FEP GameChanger

Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.
EasyGate SPT SPD

Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles.
Unified VMS

AxxonSoft introduces version 2.0 of the Axxon One VMS. The new release features integrations with various physical security systems, making Axxon One a unified VMS. Other enhancements include new AI video analytics and intelligent search functions, hardened cybersecurity, usability and performance improvements, and expanded cloud capabilities