Does your SMB recognize the risk of fraud?

According to the Identity Theft Resource Center, from January 1, 2005 to May 31, 2019, almost 1.5 billion personal records have been exposed in data breaches. (1)

Investigating these breaches shows:

  • 43% of data breaches target small and medium businesses (SMBs).
  • In the Accommodation and Food Services industry, breaches continue to be dominated by compromised POS devices and exposure of cardholder payment data. 
  • In the Retail sector, for the first time card not present fraud has surpassed card present fraud, with payment card data compromised 64% of the time. (2)

And yet a Keeper Security/Ponemon Institute report states that 54% of SMB’s believe they are too small to be targets.

  • In actuality, 58% of SMBs have experienced a data breach in the last 12 months, and 34% have experienced stolen or compromised devices. (3)
  • 60% of SMB’s cite employee and contractor negligence as a root cause of these breaches.

What is an organization to do?

PCI DSS Requirements Can Help

There is a way to fight back. The PCI Data Security Standard (PCI DSS), the international standard for payment card security, is designed to ensure that ALL companies that accept, process, store or transmit payment card information maintain a secure environment.

Any merchant who accepts payment cards is required to be PCI compliant.  Even Level 4 merchants, with 20,000 online transactions or less annually, must meet basic PCI compliance requirements in order to maintain their ability to accept payment cards. Most of the PCI DSS requirements address security from a technological perspective. The latest version of the “PCI DSS Requirements and Security Assessment Procedures, Version 3.2.1,” published in May, 2018, outlines mandatory details for firewall configuration, encryption, password use and anti-virus software, amongst others. However, Requirement 12.6 addresses PCI DSS from a different avenue – training.  It states that organizations must, “implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.” This indicates a clear expectation that organizations will require PCI training at least annually, and that employees will acknowledge in writing that they have read and understand the organization’s payment security policy. (4)  

Targeted PCI DSS Training

GLS’s PCI DSS Essentials, online course 5686, is a scaled-down version of our PCI DSS Introduction (5610). This short course contains not only the basics of PCI DSS – such as its purpose and benefits – but also a light touch on advanced content such as compliance requirements, consequences of non-compliance, and best practices for employees to ensure compliance. It meets your PCI training needs with instruction and scenario-based questions to confirm understanding of the following topics:

  • The purpose and compliance requirements of PCI DSS
  • Explanation of cardholder data (CHD) and sensitive authentication data (SAD)
  • Benefits of compliance with PCI DSS requirements
  • Costs associated with data breaches and fraud
  • Best practices for ensuring compliance

By requiring PCI security awareness training across multiple departments, an organization encourages wide ownership and a team approach to addressing this critical security standard – significantly increasing your payment security and reducing the odds of someone compromising cardholder data.

References

1 Identity Theft Resource Center. (2019) Data Breaches. Retrieved from https://www.idtheftcenter.org/data-breaches/

2 Verizon Communications. (2019) 2019 Data Breach Investigations Report. Retrieved from https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf

3 Ponemon Institute LLC. (2018) 2018 State of Cybersecurity in Small & Medicum Size Businesses. Retrieved from https://keepersecurity.com/assets/pdf/Keeper-2018-Ponemon-Report.pdf

4 PCI Security Standards Council. (2018, May) Requirements and Security Assessment Procedures

Version 3.2.1. Retrieved from https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf?agreement=true&time=1562025478147

PCI training PCI-DSS
  • Compliance

  • Courseware