March 23, 2009
News: Small Business PCI Woes.
The major gaping loophole in credit card security now seems to be with small business. The big business cyber black market has taken note. They are now targeting these small businesses with a vengeance to steal their sensitive credit card data. A major premise of the minimum credit card security standard (called PCI DSS) was to stop most of this. Because PCI DSS was designed to encompass the huge credit card industry, there are many levels to it, based mostly on transaction volume.
The larger credit card transaction entities are generally covered by the Level 1 and Level 2 standards. These are very strict, and full compliance is mandatory to avoid significant punishment. The lower levels, however (Levels 3 and 4), are the lower-volume credit card transaction categories and, individually, are considered to be less of a threat. The problem is that there are so many more of them. These would be the medium-size businesses (Level 3) and the small businesses (Level 4).
Of these two, it is reported that only 60% of the higher (Level 3) group are up to snuff with PCI compliance. It is expected that Level 4 (small businesses) is in even worse shape. Of course, what it boils down to is the lack of resources and time that these businesses can allocate to credit card security and still run a business. The smaller the business, the harder it becomes.
Further complicating the soup is the fact that the standards are set so high that enormous resources are required. Many businesses feel that too much is expected for it to be practical. One alternative that is suggested is to amalgamate former working processes with new ones. For most, it used to be that all the credit card sales transactions were only entered into a closed POS system. That was before the days of the Internet.
Now that most businesses handle their traffic and management online, they are much more vulnerable. These businesses are strongly encouraged to hire hosting services that store and submit their credit card transactions to the payment processor for them. That way they don't have to spend all the time and resources to protect the data themselves.
