Cyber criminals are shifting their focus to target smaller businesses that accept credit card payments, which means your business could be next. With 60% of small businesses going under within 6 months of being breached, the cyber security and PCI compliance of your business should be one of your top priorities. See more at: http://fitsmallbusiness.com/pci-compliance-for-small-businesses/
2. Why is cyber security important for your small business
3. Cybercriminals are now targeting smaller businesses
They are doing so in great numbers, because that is where security is weaker. 60% of small businesses that suffer a data breach are out of business 6 months later. A recent survey by Fortinet found nearly two-thirds of consumers held merchants responsible for data breaches.
5. To help understand these issues we spoke with Simon Gamble, small-business cyber security expert and president of Mako Networks’ U.S. branch. He began with three comments:
6. 1) Any small business that accepts credit cards is a potential target for a cyber security breach.
7. 2) Small businesses are held to the same level of credit card security standards (discussed later in this presentation) as large businesses such as Target or Home Depot.
8. 3) Any small business that suffers a cyber security breach and is found to be non-compliant with credit card security standards is fully liable for charges related to the breach.
9. You Could Be a Target
If you are a small business that accepts credit cards, then you are vulnerable to a cyber attack. Cyber attackers are targeting small businesses more and more, because their networks are easier to hack and they are not checked as regularly for compliance with credit card security standards.
11. If you accept credit cards, then you have agreed to abide by the PCI DSS (Payment Card Industry Data Security Standard)
The PCI DSS is a set of requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.
12. Security Breaches, Liability, and Other Consequences
If your small business is suspected of a security breach, PCI DSS inspectors come in and try to determine whether there was a breach and how it occurred. This process in and of itself can be crippling for a small business, shutting down operations for a minimum of several days and costing between $8,000 and $20,000 in inspection fees.
13. If your business is found to be non-compliant, you are held liable for more charges:
1. Data Security Fine – Up to $500,000 fine per security breach incident.
2. Non-Compliance Fines – Up to $50,000 per day for non-compliance with published standards.
14. If your business is found to be non-compliant, you are held liable for more charges (continued):
3. Card Replacement Fees – $3–$10 per card × total number of cards compromised.
4. Refund Fees – Potentially held liable for all fraud losses incurred from compromised account numbers.
15. How To Be PCI DSS Compliant and Protect Your Business from Cyber Threats
16. The key is to make sure your business is PCI DSS compliant.
Why? First, PCI compliant businesses rarely, if ever, have been successfully hacked. Second, if your business is successfully hacked, you are not liable for any fines or charges.
Here’s how to make your business PCI DSS compliant.
17. Know the Requirements for PCI DSS Compliance
You need to know what you have signed up for and what is required for your business to be compliant. If you don’t, you won’t know what steps you need to take in order to secure your business.
18. There are two main ways to make your business more secure and PCI DSS compliant
1. Hire a PCI DSS Qualified Security Assessor (QSA)
2. Do-It-Yourself
19. PCI Compliance is more than Transaction Compliance
Many businesses purchase a PCI DSS compliant POS system and think that they are compliant. In reality, this kind of compliance relates only to credit card transactions and not to your business environment/network, which must also be PCI compliant.
20. Compliance Areas
A detailed list of all compliance areas can be found here. Remember to follow the PCI Standard:
1. Assess
2. Remediate
3. Report
Learn more about PCI standards here.
22. Hiring a PCI DSS QSA
PCI SSC certified QSAs are organizations that have been qualified by the PCI Council to assess compliance with PCI DSS standards. Hiring a QSA will save you the time it would take to do the research yourself and will also give you peace of mind that the job was done right.
23. The big downside to hiring a QSA is cost.
You have to pay the QSA fees, which are generally quite expensive. One quote I checked on charged a base $5,000 fee plus $200 for every hour. On top of that, you have to pay for the equipment/software to fix whatever problems the QSA finds, which is also costly.
Here is a list of PCI certified QSA companies.
Here is a guide about what to look for in a PCI DSS QSA.
24. Do-It-Yourself
Here is how to do it:
1. Educate yourself.
2. Secure your payment network.
3. Use security software that tests for vulnerabilities.
4. Fill out and turn in your PCI DSS Self-Assessment Questionnaire.
25. Educate Yourself
Here is the link again for the quick reference PCI DSS compliance guide. Although it is a bit rough to get through, it is only 33 pages and is important to read if you plan on monitoring PCI DSS compliance for yourself.
26. Secure your Payment Network
There are 3 main recommended action steps every small business can take to make their network more secure and compliant:
27. 1. Install a Proper Firewall
A proper firewall keeps hackers from stealing information from your business. We recommend Mako Networks, which offers a secure and PCI DSS compliant payment network, complete with firewall, starting at around $80/month. Check out their distributor list to find a reseller near you.
28. 2. Have a separate network for payment services
Separating your payment network from your other business networks means hackers cannot reach sensitive card data from anywhere in your general business network.
29. 3. Change Usernames and Passwords every 90 days or so
Make sure you change default usernames and passwords as soon as you can, because they are rarely secure. Then, change usernames and passwords every 90 days. Here is a general guide to changing your wireless network password.
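Steps 1 and 2 above (a firewall in front of the payment network, and a payment segment kept apart from the general office network) can be expressed as one firewall policy. The nftables ruleset below is an added example written for this page; it is not from the original presentation and it is not Mako Networks’ product configuration. It assumes a small Linux router with three interfaces (eth0 to the internet, eth1 for the office LAN, eth2 for the POS terminals only); the 10.20.0.0/24 subnet and the processor address 203.0.113.10 are placeholders, and the real address and port of your processor’s gateway come from your payment processor.

```nftables
#!/usr/sbin/nft -f
# Added example: segment the payment network behind a default-deny firewall.
# Interface names, subnet and processor address are assumed placeholders.
flush ruleset

define WAN = eth0                 # internet uplink
define LAN = eth1                 # office PCs, printers, guest Wi-Fi
define PAY = eth2                 # POS terminals only
define PAY_NET = 10.20.0.0/24     # placeholder payment subnet
define PROCESSOR = 203.0.113.10   # placeholder: your processor's gateway

table inet office {
    chain input {
        # Traffic to the router itself: deny by default.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # Router administration only from the office LAN, never from the
        # internet. Change the router's default login before going live
        # (step 3 above applies to this device too).
        iifname $LAN tcp dport 22 accept
        # DHCP and DNS service for both segments.
        iifname { $LAN, $PAY } udp dport { 53, 67 } accept
    }

    chain forward {
        # Traffic between segments: deny by default.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # Office LAN may reach the internet...
        iifname $LAN oifname $WAN accept
        # ...but never the payment segment. Counted and logged so that any
        # hit is visible: a machine on the office LAN probing the POS
        # network is something to investigate.
        iifname $LAN oifname $PAY counter log prefix "LAN-TO-PAY-BLOCK " drop

        # Payment segment may talk only to the processor, only over TLS.
        iifname $PAY oifname $WAN ip saddr $PAY_NET ip daddr $PROCESSOR tcp dport 443 accept
        # Anything else leaving the payment segment is logged and dropped;
        # unexpected destinations here are an early sign of a compromised
        # terminal.
        iifname $PAY oifname $WAN counter log prefix "PAY-EGRESS-BLOCK " drop
        iifname $PAY oifname $LAN counter log prefix "PAY-LATERAL-BLOCK " drop

        # Nothing arriving from the internet is forwarded into either segment:
        # the chain policy drops it.
    }

    chain postrouting {
        # Source NAT for both segments towards the internet.
        type nat hook postrouting priority 100;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f` and review it with `nft list ruleset`. The counters on the three logged drop rules double as a simple check: after a normal business day they should read zero, and a non-zero count on LAN-TO-PAY-BLOCK or PAY-EGRESS-BLOCK is worth looking at before the next self-assessment, not after a breach notice.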
30. Use Security Software that tests for Vulnerabilities
There are various software options available that test your network and payment terminals for breach vulnerability and PCI security compliance. Check with your payment processor first; some offer free PCI DSS testing. If not, we recommend Control Scan Inc’s PCI 1-2-3.
31. Fill Out Your PCI DSS Self-Assessment Sheet
To be PCI compliant, small businesses are required to fill out an annual PCI DSS Self-Assessment sheet. This sheet is a DIY checklist to determine compliance.
Instructions and the link to complete this self-assessment questionnaire can be found on PCI’s self assessment forms page.
32. What to Do if You Suspect You Have Been Breached
33. If you suspect a breach, here is what you need to do:
1. Report the Breach to Your Payment Processor/Merchant Bank
2. Check State Disclosure Regulations and Alert Local Law Enforcement
3. Comply Fully with any PCI DSS Audit.
A comprehensive guide to determining and dealing with a possible breach is available on Visa’s website.
34. 1. Report the Breach
If you suspect a breach, contact your payment processor or merchant bank and let them know that a possible security breach has been detected. They will then go over protocol and determine what should be done.
35. 2. Check State Disclosure Regulations
Check your state’s regulations to see who you are supposed to inform. In most cases, you must let customers know that there has been a possible security breach, usually in writing.
Generally, you also should alert your local law enforcement agency.
36. 3. Comply Fully with any PCI DSS Audit
Your payment processor or their bank normally initiates a PCI DSS Audit. If you are notified of an upcoming audit, gather all of your information related to PCI Compliance and have it ready for the inspectors when they arrive.
37. CONCLUSION
The cyber security and PCI DSS compliance status of your small business is an important issue. If you follow this guide and take the necessary steps, your business will be more secure than many other small businesses out there and will be prepared should a cyber attack actually take place.
38. Join The Community: www.FitSmallBusiness.com
See the full article at http://fitsmallbusiness.com/pci-compliance-for-small-businesses/