Small Merchants Need to Be Alert at the Holidays

Troy Leach

Senior Vice President

PCI Security Standards Council

Ramiro Cavazos

President & CEO

U.S. Hispanic Chamber of Commerce


2019 was a pivotal year that saw data breaches on a large scale, with headline-grabbing stories and stunning revelations about billions of records being exposed. In fact, according to statistics from Norton, data breaches have run at a record pace in 2019.

As we head into the hectic holiday season, American businesses need to be on high alert and on guard against cyber-attacks. Criminals do not take the holiday season off; in fact, it is often the time of year when they are most active. Cyber criminals who have identified vulnerabilities in the payment system of a business often wait until the busy holiday season to exploit them. They are making the cold calculation that with an increase in business, many companies will let their guard down when it comes to security. Too often, that calculation proves correct.

Adobe predicts that U.S. online sales will increase 14.1 percent, totaling $143.7 billion, while total retail spending – both online and offline – is expected to increase 4.0 percent. Cyber Monday will set a new record as the largest and fastest-growing online shopping day of the year with $9.4 billion in sales, an 18.9 percent increase year over year (YoY). Online sales between 7 p.m. and 11 p.m. Pacific Time on Cyber Monday are expected to drive over $3B in revenue, with sales conversions nearly doubling during these golden hours of online retail.

Thanksgiving Day sales are expected to increase by 19.5 percent, generating $4.4 billion. One out of five dollars this holiday season will be spent during Cyber Week between Thanksgiving Day and Cyber Monday, generating $29 billion or 20 percent of total online revenue this season. With just 22 days between Cyber Monday and Christmas Day, there are six fewer peak holiday shopping days than in 2018, translating into almost $1 billion of potential revenue lost due to the abridged time period. The compressed shopping calendar means that retailers will begin sales earlier than ever before, with each day in November and December surpassing $1 billion in online retail sales for the first time.

Many merchants find the holiday season overwhelming – stores are busier than normal, online sales spike through the roof, and the hustle and bustle of the holidays can put the issue of payment security on the back burner. This is the time of year when some businesses put off patching, fail to monitor remote access security protocols, and punt payment security issues until next year. As we have seen too often, businesses that do not prioritize payment security end up being breached.

So what should companies do during the holiday season to better protect themselves against the daily attacks on their payment systems? The PCI Security Standards Council suggests the following tips for merchants this holiday season:

  • Be alert – Be on notice that attacks could happen. Too many small businesses do not even think of themselves as being a potential target. Today, businesses of all sizes need to take payment security seriously. The attacks are automated and do not discriminate by the size of the organization. Small merchants are particularly vulnerable.
  • Passwords – Make sure you eliminate all default passwords and use passwords of good length and complexity. Weak passwords are one of the leading causes of data breaches. This is one of the easier things to fix. Don’t let the criminals have easy access to your payment systems because of something as simple as a poor password.
  • Patching – This has made headlines in recent years, with several data compromises resulting from not updating to the newest version of software. Stay up-to-date on the latest patches that are available for known vulnerabilities. Do not put off patching until after the holiday season. If you have a vulnerability, after the holidays will be too late. The criminals are counting on you to put this off until next year; make it a priority now.
  • Remote Access – Pay particular attention to third-party access to your payment data system, the privilege level of that access, and the removal of access when it is no longer needed. This requires monitoring and vigilance.
  • Inspect Payment Devices Regularly – For in-restaurant payment devices, have employees inspect point-of-sale payment terminals every day, as skimming devices could be added in a matter of seconds. A good practice is to inspect the terminals at the beginning and end of each shift. Enlist the help of your employees, who are the front line of defense against point-of-sale terminal tampering.
  • Train your temporary employees – The busy holiday season is a time when many employers hire additional, temporary staff. Make sure your temporary workers are well trained on good payment security practices and are on guard for fraudsters during this hectic season.

As we head into the holiday shopping season, it is important for American businesses to prioritize strong security principles by maintaining a multi-layer security approach that involves people, process and technology working together to protect consumers. The holiday season is usually the most profitable time of the year for small merchants; don’t let a data breach ruin your holidays.

For more information about how businesses can better safeguard against cyber-attacks, please visit:

