More than 800 million computer records with sensitive information have been a part of data breaches in the U.S. since 2005 (privacyrights.org). Moreover, because many small merchants have minimal security for cardholder data, over 80% of attacks target small businesses.
The PCI Security Standards Council explains that if you are at fault for a security breach, fallout can be as follows:
- Fines and penalties
- Termination of ability to accept payment cards
- Lost confidence, so customers go to other merchants
- Lost sales
- Cost of reissuing new payment cards
- Legal costs, settlements and judgments
- Fraud losses
- Higher subsequent costs of compliance
- Going out of business
As stated by the PCI Council,
“Merchant-based vulnerabilities may appear almost anywhere in the card-processing ecosystem including point-of-sale devices; personal computers or servers; wireless hotspots or Web shopping applications; in paper-based storage systems; and unsecured transmission of cardholder data to service providers. Vulnerabilities may even extend to systems operated by service providers and acquirers, which are the financial institutions that initiate and maintain the relationships with merchants that accept payment cards.”
Two of the requirements from the PCI Security Standards Council that most directly improve security are maintaining a firewall and protecting stored cardholder data:
Maintaining a firewall to protect cardholder data
Firewalls control your computer network’s traffic, so you can block all traffic from untrusted networks and, with it, many criminal attacks. Identify every connection to cardholder data and configure the firewall to allow only the connections that are necessary.
Protecting stored cardholder data
Cardholder data should be stored only if absolutely necessary. When it is stored, cardholders trust the merchant to take precautions that protect the sensitive data from criminal attacks. Keep the data only for as long as the business purpose requires. Consider using truncation, index tokens, and securely stored pads to improve your security. In addition, restrict access to cardholder data on a need-to-know basis: individuals should be authorized to access sensitive data only when it is necessary to perform their job.
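As an added illustration (not code from the original text or from the PCI Council), the Python below shows two of the techniques named above: truncating the PAN so that only a fragment is displayed or stored by the application, and replacing the stored PAN with a random index token that is meaningful only to a separate, access-restricted vault. The Luhn check, the first-six/last-four masking format, the in-memory vault and the sample test numbers are assumptions for illustration.

```python
import secrets
from typing import Dict, Optional

# Constructed sample PANs (industry test numbers, not real accounts).
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: recognise PAN-shaped data before it is accepted into storage."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask the rest (assumed format)."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Index-token store. The application keeps only the token and the truncated PAN;
    the full PAN exists only inside the vault (here an in-memory dict; in practice a
    separate system with restricted, need-to-know access)."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("refusing to store data that is not a valid PAN")
        if pan in self._token_by_pan:          # same card always maps to the same token
            return self._token_by_pan[pan]
        token = secrets.token_hex(16)          # random; carries no card information
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only callers with a business need should reach this path."""
        return self._pan_by_token.get(token)

    def purge(self, token: str) -> bool:
        """Delete the PAN once the business purpose for keeping it has ended."""
        pan = self._pan_by_token.pop(token, None)
        if pan is None:
            return False
        del self._token_by_pan[pan]
        return True
```

The application records would hold `truncate_pan(pan)` for display and the token for any later lookup, so a breach of the application database exposes neither a usable card number nor anything reversible without the vault.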