You Aren’t Immune to Hackers… PCI Compliance is Critical!

As I was flipping through my daily copy of the Wall Street Journal, I came across an article that’s becoming all too familiar – “Hackers New Target: Small Firms With Lax Security.” Accompanying the photo of a sullen shop owner was the article that outlined how he was stuck with a $22,000 bill because cyber thieves planted a software program on the cash registers at his two Chicago-area magazine shops that sent customer credit-card numbers to Russia.

If you don’t have time to read the full article, here’s a short excerpt:

MasterCard Inc. demanded an investigation, at Mr. Angelastri’s expense, and the whole ordeal left him out about $22,000. His experience highlights a growing threat to small businesses. Hackers are expanding their sights beyond multinationals to include any business that stores data in electronic form. Small companies, which are making the leap to computerized systems and digital records, have now become hackers’ main target.

“Who would want to break into us?” asked Mr. Angelastri, who says the breach cut his annual profit in half. “We’re not running a bank.”

With limited budgets and few or no technical experts on staff, small businesses generally have weak security. Cyber criminals have taken notice. In 2010, the U.S. Secret Service and Verizon Communications Inc.’s forensic analysis unit, which investigates attacks, responded to a combined 761 data breaches, up from 141 in 2009. Of those, 482, or 63%, were at companies with 100 employees or fewer. Visa Inc. estimates about 95% of the credit-card data breaches it discovers are on its smallest business customers.

Hacking at small businesses “is a prolific problem,” says Dean Kinsman, a special agent in the Federal Bureau of Investigation’s cyber division, which has more than 400 active investigations into these crimes. “It’s going to get much worse before it gets better.”

Hackers are expanding their sights beyond big companies to include any business that stores data in electronic form. For small businesses, the impact could be crippling. Geoffrey Fowler reports for the Wall Street Journal.

In the time it takes to break into a major company like Citigroup Inc., a hacker could steal data from dozens of small businesses and not get detected, says Bryce Case Jr., a former hacker who broke into several government and corporate websites a decade ago and now runs an online message board for hackers called Digital Gangster. Now that small companies use computers, “the juice has become worth the squeeze,” he says. “Even a pizza place has addresses, names and credit-card information.”


PCI Compliance is Critical
According to the article, Mr. Angelastri is still paying off the $22,000 bill. Because the potential for theft is higher than ever, PCI compliance is not only critical but mandatory: the card brands require it contractually through your acquiring bank. The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for any organization that stores, processes or transmits cardholder data for the major card brands, whether the card is a debit, credit, prepaid, e-purse, ATM or POS card. Defined by the Payment Card Industry Security Standards Council, the standard was created to tighten the controls around cardholder data and so reduce the card fraud that follows when that data is exposed.

PCI DSS requires quarterly external vulnerability scans, performed by an Approved Scanning Vendor (ASV), of every public IP address that connects to, or can indirectly reach, the cardholder data environment. The cardholder data environment (CDE) is the part of your network, together with the people, processes and technology in it, that stores, processes or transmits cardholder data or sensitive authentication data, including network components, servers and applications. For most merchants this means your website and your office Internet connection, but more devices may need to be scanned as well. Keep in mind that the external scan is only one of the standard’s twelve requirements: it checks what an outsider can reach from the Internet, and on its own it would not have found malware already running on an in-store cash register like the one in the article. The rest of the standard, such as restricting access to card data, keeping systems patched and monitoring your network, matters just as much.

This is not something that is optional or to be taken lightly!

In fact, every merchant who accepts credit cards must validate PCI compliance to its acquiring bank; for a small merchant this usually means completing the annual Self-Assessment Questionnaire and passing the quarterly ASV scans. Fines and deadlines for non-compliance vary with your acquiring bank and the card brands you accept.

How Can Best Merchant Rates Help You Become PCI Compliant?
All merchant account holders with Best Merchant Rates are enrolled in our PCI Compliance Program through SecurityMetrics. For all new accounts, an annual fee is charged to your account after your first quarter of processing transactions, and it renews on a yearly basis. We partner directly with SecurityMetrics to provide the following safeguards:

  • 12-month service
  • PCI approved external vulnerability scanning
  • Online PCI Self-Assessment Questionnaire (SAQ)
  • Scans performed automatically each quarter
  • Unlimited rescanning
  • Unlimited calls to customer/technical support
  • Use of Site Certified logo
  • Acquirer reporting

Although PCI Compliance can be a confusing process, we do our best to ensure that you are well-informed along the way. This is a critical step for every small business owner, and that’s why it’s so important to Best Merchant Rates.