DATA SECURITY ESSENTIALS FOR SMALL MERCHANTS


Payment Card Industry Security Standards Council
DATA SECURITY ESSENTIALS FOR SMALL MERCHANTS
A PRODUCT OF THE PAYMENT CARD INDUSTRY SMALL MERCHANT TASK FORCE
Guide to Safe Payments
Version 2.0, August 2018

Data Security Essentials for Small Merchants: Guide to Safe Payments
Copyright 2018 PCI Security Standards Council, LLC. All Rights Reserved.

This Guide to Safe Payments is provided by the PCI Security Standards Council (PCI SSC) to inform and educate merchants and other entities involved in payment card processing. For more information about the PCI SSC and the standards we manage, please visit www.pcisecuritystandards.org. The intent of this document is to provide supplemental information, which does not replace or supersede PCI Standards or their supporting documents.

UNDERSTANDING YOUR RISK

Understanding your risk

As a small business, you are a prime target for data thieves. When your payment card data is breached, the fallout can strike quickly. Your customers lose trust in your ability to protect their personal information. They take their business elsewhere. There are potential financial penalties and damages from lawsuits, and your business may lose the ability to accept payment cards. A survey of 1,015 small and medium businesses found 60% of those breached close in six months. (NCSA)

Key figures:
- 50% of small businesses have been breached in the past 12 months. (Ponemon Institute)
- 61% of breaches hit smaller businesses last year, up from the previous year’s 53%. (Verizon 2017)
- 30 billion: cost to UK business due to cyber security breaches in 2016. (Beaming UK)
- Only 39% of small firms have formal policies covering cyber security risks in 2017. (Dept for Culture Media and Sport)

What’s at risk?

YOUR CUSTOMERS’ CARD DATA IS A GOLD MINE FOR CRIMINALS. DON’T LET THIS HAPPEN TO YOU! Follow the actions in this guide to protect against data theft.

Examples of payment card data are the primary account number (PAN) and the three- or four-digit card security code. The red arrows below point to the types of data that require protection.

TYPES OF DATA ON A PAYMENT CARD (figure): card security code (American Express); magnetic stripe (data on tracks 1 and 2); chip; PAN; cardholder name; expiration date; card security code (all other payment brands).

WHAT IS PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that can help small merchants to protect customer card data located on payment cards. Small merchants may be familiar with validating their PCI DSS compliance via a Self-Assessment Questionnaire (SAQ). For more information on PCI DSS, see the Resources at the end of this guide.

Understanding your payment system: Common payment terms

Accepting face-to-face card payments from your customers requires special equipment. Depending on where in the world you are located, equipment used to take payments is called by different names. Here are the types we reference in this document and what they are commonly called.

A PAYMENT TERMINAL is the device used to take customer card payments via swipe, dip, insert, tap, or manual entry of the card number. Point-of-sale (or POS) terminal, credit card machine, PDQ terminal, or EMV/chip-enabled terminal are also names used to describe these devices.

An ELECTRONIC CASH REGISTER (or till) registers and calculates transactions, and may print out receipts, but it does not accept customer card payments.

An INTEGRATED PAYMENT TERMINAL is a payment terminal and electronic cash register in one, meaning it takes payments, registers and calculates transactions, and prints receipts.

A MERCHANT BANK is a bank or financial institution that processes credit and/or debit card payments on behalf of merchants. Acquirer, acquiring bank, and card or payment processor are also terms for this entity.

ENCRYPTION (or cryptography) makes card data unreadable to people without special information (called a key). Cryptography can be used on stored data and data transmitted over a network. Payment terminals that are part of a PCI-listed P2PE solution provide merchants the best assurance about the quality of the encryption. With a PCI-listed P2PE solution, card data is always entered directly into a PCI-approved payment terminal with something called “secure reading and exchange of data (SRED)” enabled. This approach minimizes risk to clear-text card data and protects merchants against payment-terminal exploits such as “memory scraping” malware. Any encryption that is not done within a PCI-listed P2PE solution should be discussed with your vendor.

A PAYMENT SYSTEM includes the entire process for accepting card payments. Also called the cardholder data environment (CDE), your payment system may include a payment terminal, an electronic cash register, other devices or systems connected to a payment terminal (for example, Wi-Fi for connectivity or a PC used for inventory), and the connections out to a merchant bank. It is important to use only secure payment terminals and solutions to support your payment system. See page 21 for more information.

Understanding your E-commerce Payment System

When you sell products or services online, you are classified as an e-commerce merchant. Here are some common terms you may see or hear and what they mean.

An E-COMMERCE WEBSITE houses and presents your business website and shopping pages to your customers. The website may be hosted and managed by you or by a third-party hosting provider.

Your SHOPPING PAGES are the web pages that show your products or services to your customers, allowing them to browse and select their purchase, and provide you with their personal and delivery details. No payment card data is requested or captured on these pages.

Your PAYMENT PAGE is the web page or form used to collect your customer’s payment card data after they have decided to purchase your product or services. Handling of card data may be 1) managed exclusively by the merchant using a shopping cart or payment application, 2) partially managed by the merchant with the support of a third party using a variety of methods, or 3) wholly outsourced to a third party. Most times, using a wholly outsourced third party is your safest option, and it is important to make sure they are a PCI DSS validated third party.

(Figure: merchant e-commerce website with checkout, leading to a payment page hosted by a PCI DSS compliant third-party service provider.)

An E-COMMERCE PAYMENT SYSTEM encompasses the entire process for a customer to select products or services and for the e-commerce merchant to accept card payments, including a website with shopping pages and a payment page or form, other connected devices or systems (for example Wi-Fi or a PC used for inventory), and connections to the merchant bank (also called a payment service provider or payment gateway). Depending on the merchant’s e-commerce payment scenario, an e-commerce payment system is either wholly outsourced to a third party, partially managed by the merchant with support from a third party, or managed exclusively by the merchant.

How is your business at risk?

The more features your payment system has, the more complex it is to secure. Think carefully about whether you really need extra features such as Wi-Fi, remote access software, Internet-connected cameras, or call recording systems for your business. If not properly configured and managed, each of these features can provide criminals with easy access to your customers’ payment card data.

How do you sell your goods or services? There are three main ways:
1. A person walks into your shop and makes a purchase with their card.
2. A person visits your website and pays online.
3. A person calls your shop and provides card details over the phone, or sends the details in the mail or via fax.

If you are an e-commerce merchant, it is very important to understand how or if payment data is captured on your website. In most cases, using a wholly outsourced third party to capture and process payments is the safest option.

(Figure: complex environment, harder to reduce risk; simple environment, easier to reduce risk.)

Understanding your risk: Payment system types

Your security risks vary greatly depending on the complexity of your payment system, whether face-to-face or online. Use the Common Payment Systems to help you identify what type of payment system you use, your risk, and the recommended security tips as a starting point for conversations with your merchant bank and vendor partners.

TYPE 1: Dial-up payment terminal. Payments sent via phone line. RISK PROFILE: LOWER
Simple payment system for in-shop purchases. The payment terminal is connected to the bank by a dial-up telephone line, and the dial-up payment terminal shows it is dialing for each transaction. For this scenario, risks to card data are present at checkout and in paper documents with card data.

TYPE: Payment terminal connects to electronic cash register, with additional connected equipment. Payments sent via Internet. RISK PROFILE: HIGHER
Complex payment system for in-shop purchases, with Wi-Fi, cameras, Internet phones, and other attached systems (general use computers, IP phones, cameras, electronic cash register, payment terminal, router/firewall, Internet). Card data can be entered on the electronic cash register or the payment terminal. The merchant might also use Wi-Fi capability in addition to wired networking, and/or may offer Wi-Fi for customer use. For this scenario, risks to card data are present at the systems above. There are many risk points here due to numerous systems connected to the Internet and to payment terminals. Each system has to be configured and managed properly to minimize risk. Risks explained on next page.

Complex e-commerce payment system for online shop purchases, with the merchant managing their own website and payment page (PAY NOW). Risks explained on next page.

PROTECT YOUR BUSINESS WITH THESE SECURITY BASICS

How do you protect your business?

The good news is, you can start protecting your business today with these security basics:
- Use strong passwords and change default ones
- Protect your card data and only store what you need
- Protect your business from the Internet
- For the best protection, make your data useless to criminals
- Don’t give hackers easy access to your systems
- Use anti-virus software
- Inspect payment terminals for tampering
- Scan for vulnerabilities and fix issues
- Use trusted business partners and know how to contact them
- Use secure payment terminals and solutions
- Install patches from your vendors
- Protect in-house access to your card data

These security basics are organized from easiest and least costly to implement to those that are more complex and costly to implement. The amount of risk reduction that each provides to small merchants is also indicated in the “Risk Mitigation” column.

Use strong passwords and change default ones

Your passwords are vital for computer and card data security. Just like a lock on your door protects physical property, a password helps protect your business data. Also be aware that computer equipment and software out of the box (including your payment terminal) often come with default (preset) passwords such as “password” or “admin,” which are commonly known by hackers and are a frequent source of small merchant breaches.

CHANGE YOUR PASSWORDS REGULARLY. Treat your passwords like a toothbrush. Don’t let anyone else use them and get new ones every three months.

TALK TO YOUR SERVICE PROVIDERS. Ask your vendors or service providers about default passwords and how to change them. Then do it! Also, if your service provider manages passwords for your systems, ask them if they’ve changed those vendor default passwords.

MAKE THEM HARD TO GUESS. The most common passwords are “password” and “123456.” Hackers try easily-guessed passwords because they’re used by half of all people. A strong password has seven or more characters and a combination of upper and lower case letters, numbers, and symbols (like !@#&*). A phrase can also be a strong password (and may be easier to remember), like “B1gMac&frieS.”

DON’T SHARE. Insist on each employee having their own login IDs and passwords – never share!

65% of SMBs that have a password policy do not strictly enforce it. (Ponemon Institute)

TYPICAL DEFAULT PASSWORDS THAT MUST BE CHANGED:
- [none]
- [name of product/vendor]
- 1234 or 4321
- access
- admin
- anonymous
- company
- sadmin
- user

For more about password security, see these resources on the PCI Council website:
- INFOGRAPHIC: It’s Time to Change Your Password
- VIDEO: Learn Password Security in 2 Minutes
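The password rule above (seven or more characters with upper and lower case letters, numbers and symbols) and the list of typical defaults can be turned into an acceptance check that a merchant or vendor could run when a terminal, register or account password is set. This is an added example, not code from the PCI SSC; the vendor name used in the demo is a constructed placeholder.

```python
"""Password acceptance check modelled on the guide's advice (example code,
not from PCI SSC). It rejects the guide's typical default passwords and
requires 7+ characters with upper, lower, digit and symbol."""
import string

# Defaults the guide says must be changed, plus the two passwords it
# names as most common. The "[none]" entry is the empty string.
DEFAULTS = {"", "1234", "4321", "access", "admin", "anonymous",
            "company", "sadmin", "user", "password", "123456"}
MIN_LENGTH = 7
SYMBOLS = set(string.punctuation)


def check_password(candidate, vendor_names=()):
    """Return a list of problems; an empty list means the password passes.

    vendor_names: product/vendor names treated as defaults, covering the
    guide's "[name of product/vendor]" entry (constructed by the caller).
    """
    problems = []
    lowered = candidate.lower()
    if lowered in DEFAULTS or lowered in {v.lower() for v in vendor_names}:
        problems.append("matches a known default or common password")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in candidate):
        problems.append("no symbol")
    return problems


def is_strong(candidate, vendor_names=()):
    """True when the candidate meets the guide's rule and is not a default."""
    return not check_password(candidate, vendor_names)


if __name__ == "__main__":
    vendors = ("AcmePOS",)  # constructed vendor name for the demo
    # "B1gMac&frieS" is the guide's own example of a strong phrase password.
    for pw in ["admin", "AcmePOS", "B1gMac&frieS", "Short1!", "longpassword"]:
        print(repr(pw), "->", check_password(pw, vendors) or "ok")
```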

Protect card data and only store what you need

It’s impossible to protect card data if you don’t know where
