Small and medium businesses (SMBs) are prime targets for payments fraud, with cyber-attacks increasing in recent years.
While an unsettling thought, cyber criminals consider SMBs low-hanging fruit due to a lack of general awareness and preparedness, making them the primary target for attacks, as compared to large enterprises with robust security programs and protocols in place. In fact, almost half of all cyber breaches (46%) impact businesses with fewer than 1,000 employees.
There is no denying that a successful data breach is costly for any business, but more so for SMBs, with 95% of cyber incidents costing them up to (and sometimes north of) $650,000. This loss of time, money, and resources can be hard for an SMB to recover from, and in some cases may even force a small merchant to close their doors for good, which greatly impacts your business as well.
eCommerce businesses have become a fast-growing target for cyber criminals because it’s easy for these bad actors to automate their hunt for vulnerable businesses.
Throughout this blog, we explore how software companies can help prepare their eCommerce merchants to combat cyber-attacks and the critical role of PCI DSS compliance.
Short on time? Here are key takeaways:
- PCI 4.0 added more stringent controls to combat the surge of web skimming attacks.
- PCI is applicable to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and software companies.
- There are 4 PCI DSS validation levels for merchants; each level is based on transaction volume and warrants different compliance requirements.
- Software companies can help their merchants validate PCI compliance with security programs, like SaferPayments, a Worldpay product.
- Bonus: Offering value-added services, like SaferPayments, can enhance your customer experience, increasing the lifetime value of your software, customer retention rates, and enhancing revenue potential.
Attackers go where the money is: The rise of web skimming
Cyber criminals have found a low-lift way to get their hands on payment card data, also known as cardholder data. Payment card data includes the primary account number (or PAN) and sensitive authentication data, which includes the details on the chip and magnetic stripe, the 3–4-digit security code on the card, and PIN details.
How? With malicious JavaScript.
This malicious code reads card information from an SMB’s eCommerce checkout page and sends it back to the attackers, who can then use that data fraudulently. These web skimming attacks often go unnoticed because the code intentionally doesn’t stop the authorized payment from going through. Instead, it copies the card data as the payment is being transmitted, leaving everyone but the bad actor none the wiser to the breach.
Creating awareness of this type of breach among your merchants is an extremely important responsibility.
The role of PCI compliance for merchants
What is PCI DSS? A high-level overview
PCI DSS is short for Payment Card Industry Data Security Standard and is the global data security standard adopted by the payment card brands. This governing guideline is applicable to all entities involved in payment card processing. This includes any entity that stores, processes, transmits, or could impact the security of payment card data, such as merchants, processors, acquirers, issuers, and software companies like you.
The goal of PCI DSS is to reduce payment card fraud by increasing awareness of data security and of the good data security practices that minimize breach risk and reduce card fraud. As a result, it is a merchant’s responsibility to adhere to good data security practices, such as those outlined in PCI DSS, to help prevent attacks and compromises from happening. And as their trusted software provider and an integral piece of the payments ecosystem, you can ensure that they do just that.
PCI DSS validation levels: Merchant validation requirements
There are four PCI DSS validation levels for merchants and each level is based on transaction volume with a single card brand.
- Level 1: More than 6 million transactions
- Level 2: 1-6 million transactions
- Level 3 & 4: Less than 1 million transactions
Each level requires an assessment of some variety.
- Level 1 is subject to an on-site assessment by a qualified security assessor (QSA).
- Level 2 must have a self-assessment performed by an internal security assessor (ISA).
- Level 3 and 4 merchants are generally your small and medium sized businesses and must complete a self-assessment questionnaire (or SAQ), which addresses common payment processing methods, contains a reduced set of PCI DSS requirements, and has eligibility criteria to be mindful of.
In addition to the SAQ, some Level 3 and 4 merchants must produce an ASV (approved scanning vendor) scan report. An ASV scan is a non-intrusive external scan against the public address of a merchant’s card processing network. The scan checks for open TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) ports at the network gateway and tests for vulnerabilities and common misconfigurations which could put card data at risk.
As you can see, all merchant levels have validation requirements, and Payrix has resources available to help small merchants get through the process more easily.
Safeguarding your eCommerce merchants with security tools
Navigating the complexities of PCI compliance, web skimming, and fraud is no small task, particularly for SMB merchants with limited time, resources, and money.
As their trusted software provider, you can help your merchants validate PCI compliance with security solutions, such as SaferPayments, a Worldpay product. In fact, Worldpay and Payrix strongly encourage software companies to provide additional tooling to their merchants, if they are able, to simplify this process for them. You know the power and potential of software, so this is a great place to lean in and provide the services and solutions your unique base needs to be successful with payments.
Where merchants are able to use different technologies and things to reduce their scope and meet the eligibility criteria of some of these shortened SAQs, it’s definitely in their best interest and we encourage them to do so because it reduces their scope and their risk and the heavy lift that comes with PCI DSS validation requirements.
Judy Hagerty, Compliance Analyst II, Payment Data Security at Worldpay
SaferPayments was built with SMBs in mind and delivers simplified PCI compliance, fraud protection, and data breach prevention with security tools and expert support that help your merchants uncover risks, complete their PCI attestation, and reduce liability.
PCI compliance and preparedness begins with you
With the changing risk landscape, and eCommerce SMBs at the center, adequately preparing yourself and your merchants is essential to success. It is your responsibility as their software provider to ensure that they are adequately aware of cyber threats, like web skimming, and taking the necessary steps to protect their operation, like those outlined in PCI DSS. At the end of the day, we all have a role in making sure that the payment ecosystem is fortified, and cardholder data is safe and secure. This is no easy task, but we know that you can rise to the occasion.
The Payrix team is here to support and guide software companies through the complexities of PCI compliance and ensure you look awesome to your merchants, and your merchants look just as extraordinary to their cardholders. Get in touch with us to learn how Payrix can support your PCI journey.
Ready to explore the platform?
Check out our on-demand demo now.