Payment Security Guidance for Small Merchants: How to Protect Your Business

By: Lance Johnson, Executive Director, PCI Security Standards Council & Ramiro A. Cavazos, President & CEO, USHCC

In the past several years, it has been widely reported that Latino business owners are achieving tremendous success and making significant contributions to the U.S. economy. According to research by the United States Hispanic Chamber of Commerce (USHCC), Latino-owned businesses contribute an estimated $700 billion annually to the U.S. economy. A study conducted by Stanford’s Latino Entrepreneurship Initiative shows that the growth rate in the number of Hispanic-owned businesses has soared above the national average for all businesses. In fact, Latino-owned companies have grown 31.6 percent since 2012, more than double the growth rate of all other businesses in America.

This trend is likely to continue for the foreseeable future. An estimated 55 million Latinos currently live in the United States, and that number is projected to more than double to an estimated 120 million by 2060. The projected growth for Latino-owned businesses is enormous in the decades to come.

As Latino-owned businesses continue to grow and expand, they, like other merchants, will increasingly become the target of cyber attacks. The number of cyber criminals is growing throughout the world, and they are not just targeting major corporations. While this is a global problem, the United States has the most reported data breaches of any country, and by a wide margin. We are fortunate to live in a country with a thriving and vibrant economy where businesses and consumers engage in trillions of dollars of transactions every year. Our economic success makes us a prime target for cyber criminals who work around the clock to attempt to steal valuable information.

American companies and consumers find themselves under attack every day. According to a study by Small Business Trends, forty-three percent of cyber attacks target small businesses. This can have devastating consequences. Getting data security right can literally be the difference between success and failure for merchants today.

While there is no single type of attack, many of the threats to payment security come from simple attacks that can be easily prevented by simple fixes. These fixes, while considered common sense by those in the payment security world, are not as well understood by the general public. A simple (but real) example is to not use the word “password” as your password. That might seem obvious, but “password” and slight variations (such as “password1”) are consistently found to be among the most common passwords on private systems.

Smaller merchants are especially challenged. They do not have large IT teams or budgets for cybersecurity. Many small merchants feel that they are on their own when protecting themselves from cybercrime. Not surprisingly, criminals see small merchants as prime targets, as demonstrated by the increase in attacks on them.

The good news is that we know where most small merchants are vulnerable and how to improve their security. According to a Verizon report on data breaches, the overwhelming majority of breaches against businesses are the result of three primary failures: weak passwords, poor patching and remote access. These common problems all have simple solutions that can be used by small merchants and their business partners.

The PCI Security Standards Council continues to work with the business community to develop guidance and recommendations to specifically help smaller merchants. These helpful tips simplify payment security and provide specifics on how to significantly reduce risk. These recommendations include:

Passwords – According to the Verizon report, 81% of hacking-related breaches leveraged stolen and/or weak passwords. This is a fairly simple fix – it is critical for merchants to always change default passwords to strong passwords (difficult to guess) and update them on a regular basis.

Patching – Software vendors issue patches to fix known vulnerabilities. As a merchant, you must install these patches to prevent criminals from hacking into your system using those vulnerabilities. Identify which third-party vendors send you patches and install them as soon as possible. Waiting dramatically increases your risk. Hackers up their game when a patch is issued, and it is often a race against time as they pursue businesses that are slow to install the patch.

Remote Access – Point-of-sale (POS) vendors offer remote access to support merchant payment systems without visiting the business location. But remote access can allow anyone with the proper credentials to access your system. Know who has access to your systems and limit the use of remote access. Make sure all third parties have strong, secure credentials.

By addressing these three critical areas, Latino merchants can better protect themselves and reduce their risks of attacks on their payment systems.
