When a data breach hits the headlines it’s usually because a large corporation has been hacked, with millions of customers compromised and huge amounts of money involved. With so much of the media focus being on data breaches and big business, small merchants could be forgiven for thinking that they are less at risk than larger companies.
In reality, however, this assumption couldn’t be further from the truth. According to the PCI Security Standards Council, 71% of hackers choose to attack small businesses (merchants with under 100 employees), while 60% of small businesses report having experienced a cyber breach.
Whether it’s due to the expectation of fewer – or less efficient – security measures or the fact that the stakes are not as high, attacking a small merchant is a lower risk for a hacker. If your small business should experience a breach however, the risk to your company is much higher.
What are the Risks and Potential Penalties?
If the worst happens and your business suffers a security breach, and you’re found to be non-compliant with the requirements of the Payment Card Industry Data Security Standard (PCI DSS), the consequences can range from a loss of customer confidence to financial penalties and costly lawsuits. You may even lose the right to take card payments entirely.
Currently, the average cost of a security breach for a small business is estimated at $20,752, and with the launch of the new General Data Protection Regulation next year, this cost will only increase further. Under these new regulations, businesses can be liable for fines of up to €20m or 4% of their annual turnover – whichever is higher.
On top of the financial implications is the risk of brand reputation damage. Security is a huge buzzword at the moment and with so many stories about breaches and hacking in the news, customers are becoming increasingly savvy about who they can and cannot trust with their personal data.
Could your business survive the impact of losing consumer trust and credibility?
How Can You Protect Your Small Business and Its Customers?
If you’re unfamiliar with the PCI DSS, compliance can feel like a bit of a minefield. Your best bet is to get a bit more acquainted with the basics…
You can read our Beginner’s Guide to PCI DSS Compliance or check out our PCI Glossary for more information. After that, it’s a good idea to work out which Merchant Level your business falls into – this will give you a better idea of what sort of compliance you’ll need to be able to demonstrate.
Even where your Merchant Level doesn’t require it, adhering to the more stringent compliance requirements as far as you can is always the safest approach.
Here are just a few of the simple changes you can make to your business to lower your risks:
- Simplify your system – Even if you only have a relatively uncomplicated payment system in place, there are always changes that can be made to tighten up your security. Try to limit access points to data, especially remote access, and limit the number of personnel with access clearance. It’s also important to assess whether you need to be storing as much data, and for as much time, as you currently are. If not, reducing both the amount of data you store and the amount of time you store it for can significantly lower your risk of a breach.
- Be tech savvy – Understand your payment system as much as possible and keep on top of new anti-virus, encryption, and DTMF masking software that can make your systems even more secure. Try to develop a complete diagram of your system and its data flow so you can see exactly where and when data might be compromised. It’s also crucial to understand the importance of strong passwords (and to change default passwords!) – 80% of breaches occur because a hacker has managed to steal or guess an employee’s password.
- Know your partners – If you work with third party partners or service providers, make sure to quiz them on their own security and compliance. For many small businesses, choosing the right partners can often take care of compliance almost completely, so make sure you know who you’re working with. For example, PCI Pal is Level 1 certified and already compliant with PCI DSS 3.2, which won’t come into effect until 2018 (we just like to be ahead of the game!).
- Test, Test, Test – Many organisations treat compliance as a one-off exam that needs to be passed every year, but the most secure systems are the ones that are tested all the time. Regular vulnerability testing will allow you to identify and fix any problems as soon as they arise, leaving your system stronger and safer. Keeping on top of your compliance requirements and documentation will also make your annual assessment much less of a headache! Yes, it may be a little more costly on the surface, but when the risks are so high, we can’t help but think it’s worth it.
If you’d like to discuss a cost-effective secure payment solution for your small business, please get in touch with our expert consultants today.