In honor of the Black Friday bonanza, Dark Reading recently sat down to talk about SMB PCI pitfalls with the experts who help drive the evolution of the regulatory standard at the PCI Security Standards Council -- Bob Russo, general manager for the council, and Troy Leach, CTO for the group. Russo says that first and foremost, SMBs have to recognize that just because they're small doesn't mean they necessarily have a small amount of risk. For example, some merchants -- especially online -- may only push through small transactions, but at extremely high volumes.
"SMB is kind of a misnomer," Russo says. "It's kind of a catch-all for anyone who's not a Level One merchant."
But some small-staff SMBs may well be pushing into larger merchant volumes, and when that happens, trouble could lurk if they fall into what Russo describes as the brother-in-law syndrome. There are plenty of high-volume shoestring operations out there, and the truth is they don't have the manpower or the technical expertise of their more heavily staffed competitors. When that happens, they may default to letting their brother-in-law or the college intern administer their systems, install their payment applications for them, and generally keep the LEDs on.
Even when a smaller business is aware of PCI requirements and has chosen a payment application validated under the Payment Application Data Security Standard (PA-DSS), it can still end up insecure, and potentially noncompliant, if the application itself isn't installed properly.
"They'll say, 'I'll just buy a PCI-compliant solution or a PA DSS-compliant application, and that will make me PCI-compliant.' Of course, that's not the case," Russo says. "They've done a good thing by looking to buy a PA DSS application, but now they're going to have this thing installed by someone who may not have the wherewithal to install it in a secure manner."
Some of the frequent mistakes made by the proverbial brother-in-law include systems left running with vendor default passwords, remote access left enabled permanently for the administrator's convenience, and root access handed to the clerks who ring up purchases. Even when all of that is done correctly, adding one piece of hardware can push the whole environment back out of compliance. Take, for example, the mobile payment dongles sweeping across the SMB nation for their convenience: many of them are not yet PCI-validated, yet they are being used alongside solutions that claim to be.
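The three install mistakes above (default passwords, always-on remote access, clerks with root) are all detectable from a host's configuration. The following is an added example, not code from Dark Reading or the PCI Council, showing a small audit over constructed host data. The vendor default credentials, the `remote_support` key/value file and the account names are all hypothetical; the sshd_config and sudoers formats are the real ones.

```python
"""Audit a point-of-sale host for three common install mistakes.

Added example with constructed data. The vendor default credentials and
the remote_support config file are hypothetical placeholders.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed factory credentials for a hypothetical payment application.
VENDOR_DEFAULT_CREDENTIALS = [("admin", "admin"), ("pos", "pos1234"), ("root", "toor")]


@dataclass
class Account:
    name: str
    uid: int
    salt: str
    pw_hash: str   # hex sha256(salt + password); toy scheme for the example only
    role: str      # "admin" or "cashier"


def hash_password(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


def find_default_passwords(accounts):
    """Return names of accounts whose password still matches a vendor default."""
    hits = []
    for acct in accounts:
        for user, pw in VENDOR_DEFAULT_CREDENTIALS:
            if acct.name == user and acct.pw_hash == hash_password(acct.salt, pw):
                hits.append(acct.name)
    return hits


def find_permanent_remote_access(sshd_config: str, remote_support_cfg: str):
    """Flag sshd settings that expose password/root logins and a vendor
    remote-support channel (hypothetical key=value file) left always on."""
    findings = []
    effective = {}  # sshd uses the first occurrence of each keyword
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            effective.setdefault(parts[0].lower(), parts[1].strip().lower())
    if effective.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("sshd: PermitRootLogin yes")
    if effective.get("passwordauthentication", "yes") == "yes":
        findings.append("sshd: PasswordAuthentication yes (password logins exposed)")
    m = re.search(r"^\s*remote_support\s*=\s*(\w+)", remote_support_cfg, re.M | re.I)
    if m and m.group(1).lower() == "always":
        findings.append("remote-support: always on (should be on-request only)")
    return findings


def find_clerk_root_access(accounts, sudoers: str):
    """Return cashier accounts that are uid 0 or have unrestricted sudo."""
    unrestricted = set()
    for line in sudoers.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(\S+)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s*(?:NOPASSWD:\s*)?ALL$", line)
        if m:
            unrestricted.add(m.group(1))
    return [a.name for a in accounts
            if a.role == "cashier" and (a.uid == 0 or a.name in unrestricted)]


def audit(accounts, sshd_config, remote_support_cfg, sudoers) -> dict:
    return {
        "default_passwords": find_default_passwords(accounts),
        "remote_access": find_permanent_remote_access(sshd_config, remote_support_cfg),
        "clerks_with_root": find_clerk_root_access(accounts, sudoers),
    }


# Constructed snapshot of a badly installed POS host.
SAMPLE_ACCOUNTS = [
    Account("admin", 1000, "s1", hash_password("s1", "admin"), "admin"),
    Account("till1", 1001, "s2", hash_password("s2", "Rw!8kq2#x"), "cashier"),
    Account("till2", 0, "s3", hash_password("s3", "Gx$4pl9!m"), "cashier"),
]
SAMPLE_SSHD_CONFIG = "# constructed sshd_config\nPermitRootLogin yes\nPasswordAuthentication yes\n"
SAMPLE_REMOTE_SUPPORT = "remote_support = always\n"   # hypothetical vendor file
SAMPLE_SUDOERS = "root ALL=(ALL) ALL\ntill1 ALL=(ALL) NOPASSWD: ALL\n"

if __name__ == "__main__":
    for check, result in audit(SAMPLE_ACCOUNTS, SAMPLE_SSHD_CONFIG,
                               SAMPLE_REMOTE_SUPPORT, SAMPLE_SUDOERS).items():
        print(f"{check}: {result}")
```

On the constructed snapshot the audit reports the admin account still on its factory password, three remote-access findings, and both cashier accounts as effectively root (one by uid 0, one through a blanket NOPASSWD sudoers entry). A real engagement would read /etc/shadow, /etc/ssh/sshd_config and /etc/sudoers plus the vendor's own remote-support settings; the point is that none of these checks needs a security expert to run.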
"When you look past the marketing slick and you start to talk with their technology folks to start to understand the process, you'll see that the dongle that snaps into your mobile phone is not PCI-compliant yet," Leach says. "Once the vendor receives your information at their servers, that server-side acceptance of your payment card is PCI-compliant, but the initiation point that is at risk for small to medium-sized businesses may not be validated as PCI-compliant."
It's situations like these that have driven the PCI Council not only to get the word out to SMBs about their responsibility to comply with its mandates, but also to make it easier for them to assess and install payment technology without having to become security experts.
This is the big driver behind the council's most recent push to encourage SMBs to look to resellers certified as Qualified Integrators and Resellers (QIR), a certification meant to validate that the reseller can act as a trusted adviser in installing payment applications securely. Essentially, the council wants SMBs to say good-bye to the brother-in-law and hello to the QIR.
"Small merchants are now realizing that even though they buy these solutions, there are basic changes that have to be made in order for it to be a PA DSS recognized implementation of the payment application," Leach says. "A QIR will be trained through our program to make sure it is installed in a secure environment."
It's a useful measuring stick because no matter who the SMB chooses to outsource to, they can't transfer all of their data loss and PCI compliance risk over to a third party. Ultimately, it is the business that is on the hook for the customer data.
"The data is still theirs regardless of whether or not you've farmed it out to someone else to process and someone else to create your Web page and host your Web page," Russo says. "If they get breached, you're the guy that's going to get called to the carpet because it's your data."
Not only can a QIR help install things correctly, they may well be able to help an SMB decipher the baloney delivered up in healthy helpings by marketing slicks emblazoned with "PCI compliant" claims.
"Especially with cloud and mobile, everyone wants to migrate because of cost savings and the new payment acceptance channels, but you have to be very cautious as to what they're promoting when they say they are PCI-compliant," Leach says. "It typically is much less than what you'd expect as a merchant."