Chapter 11

PCI for the Small Business

Information in this chapter:

• The Risks of Credit Card Acceptance

• New Business Considerations

• Your POS is Like My POS!

• A Basic Scheme for SMB Hardening

• Case Study

One of the key issues we face with respect to PCI DSS is the sheer number of merchants that process transactions. The merchants that fall into the top reporting levels (Levels 1–3 for most payment brands) may process a significant percentage of transactions individually and when measured as a group, but they account for a tiny percentage of total merchants (indeed less than 1/100 of a percent). That means if you are reading this book there is a significant chance you are a Level 4 merchant, or another small business, and you are absolutely flipping your lid at the depth of this standard. Both authors have worked with companies big and small—some as small as a few employees. We feel your pain!

And it’s not just us either. The 2011 community meeting brought us a big focus on small business with the suggestion of several Special Interest Groups. Depending on when you are reading this, you might even be able to access the final work product of these groups on the Council’s website.

This chapter will explore several ways that you can cope with PCI DSS as a small business, and hopefully never end up in a situation where you are facing fines and fees from a breach. The knee-jerk reactions are two-fold, and they are more of a possibility than you might think. Outsourcing is a biggie: what makes you think you are qualified to own and operate a payment processing company? If you are doing all of your processing on your own, that’s exactly what you are doing. The second is to choose an alternate method to exchange money. You don’t HAVE to accept payment cards. I bet every one of you can think of a cute little diner or bar that is cash only with an ATM out front. For you non-US readers, ATMs in establishments are more common, even if you may still be able to pay with a credit card.

The Risks of Credit Card Acceptance

Small companies tend to think that things won’t happen to them. In some respects, they aren’t that wrong. It’s a numbers game, and criminals want the biggest payoff they can get for the lowest amount of effort and risk. Why would someone target a small business for minimal gains when they can go after a big box retailer and steal tons of information? Therefore, as a small business owner, I don’t need to concern myself with information security. I need to focus on making my widgets and preventing fraud or physical threats.

The authors enjoy working with small business owners. Their passion is infectious! When speaking with a franchisee of a major brand, he told us that cashless payment transactions are simply a convenience for his customers. If he has an extra $15,000 at the end of a month to invest in his business, he’d rather invest in something that brings in revenue versus something that keeps his business safe from hackers. To him, that hack is a “Black Swan” event. He no doubt knows someone who has dealt with it, but probably dismisses that experience as something that won’t or can’t happen to him.

Small businesses tend to view payment card acceptance as a necessary item to reach their customers. In fact, there are many benefits to accepting payment cards like less cash on hand, quick wire transfers to your bank account, and the opportunity to track buying patterns of your frequent customers. Many small businesses actually prefer payment card transactions to other instruments like checks due to the risks associated with non-sufficient fund charges and the delays in converting the paper to cash. But there are specific drawbacks as well that typically only manifest themselves when you have a problem. Small businesses don’t focus on information security, so they typically never know a breach happens until their acquirer makes the “Houston, we have a problem” phone call.

If you end up on the wrong end of a payment card breach as a small business, you have a significant probability of losing your business. Imagine a small business that nets the owner $150,000 per year being hit with fines and fees well into the $100,000 range! It’s like having 75% of your building burned to the ground without fire insurance. Here’s typically what happens:

1. Small business is informed by a payment brand (sometimes via their acquirer) that their location has been identified as a common purchase point for a large number of known-compromised cards.

2. Small business must perform a forensic investigation ($30–70K).

3. Small business faces lawyer and consultant fees to help them navigate the process ($40–100K).

4. Fines come down from various payment brands depending on the size/scope of the breach and how good your lawyers are ($5–100K+).

All this because you entered into an agreement to accept payment cards and the systems you own and operate were not built securely. And possibly because, “That’s always how we’ve done it.”

This is why outsourcing becomes an amazingly compelling argument when weighing the cost of operating these systems with the risks of a payment card breach. For the most part, your customers don’t see any real effects when their cards are breached. Some will just have new cards show up in the mail while others will notice bad transactions that are immediately reversed and new cards then are mailed. Your loyal customers won’t stop patronizing your business, and unless you are in the business of securing payment card data, you probably won’t see a major hit in your brand value. There are plenty of examples that prove this point freely available to you with some clever searching.

So why don’t more businesses outsource? Because the fees are higher! Think about it this way: if you are required to secure cardholder data, you can either spend the money to do it yourself by complying fully with PCI DSS, or you can incrementally pay an extra point on every transaction to someone else to handle it for you. Small business owners don’t want to mess with payment cards; they feel like they must do it for their customers. Imagine the burden you could remove for a measly 1–2 points per transaction! As a small business owner or operator, you must make security and compliance a core part of your competency if you choose to operate in a manner that puts you in the cross-hairs of regulation.

NOTE

Are you seeing a trend here? While you will never hear anyone from the PCI Council say this, there are absolutely alternatives to accepting payment cards, and if you are not investigating them, you are doing a disservice to yourself and your shareholders. You don’t have to know anything about PCI DSS, but if you actually read the contracts you signed when you got your merchant account, you would know that you have to comply with certain security standards. You obviously can choose to ignore these standards, but you look ridiculous when you point the finger at someone else after a breach. If you are breached, it’s easy to blame everyone but yourself, but it’s your responsibility to look after your business and your investment. Don’t end up on that road!

Small business owners need to know the level of risk they carry to understand how future actions alter that risk profile. For example, an over-leveraged company probably wouldn’t choose to take on more debt to expand (solvency risk), and a company relying on credit cards for customer revenue should know how security and compliance rules affect their business (compliance risk).

Of course, it’s getting harder for business owners to learn about their risks thanks to complex software packages being offered as a service. Business owners are attracted by the glitz and glamor of a fancy piece of software, yet they don’t really understand how to use it or understand the liabilities associated with the information stored—that is, until a breach happens.

New Business Considerations

Let’s say you picked up this book because you heard about PCI DSS from your previous life, and you are looking to start your own business in the next few months. You know that you will be accepting payment cards, but you are unsure how to deal with these regulations. Here’s a quick guide and some things you should consider when setting up your process for accepting payments.

Your first reaction will be to get out your calculator and play with the bottom line: how much does this cost me per transaction? Cost is a critical consideration for any small business owner, but you should understand what goes into that cost before you sign up for the service. The authors have helped companies set up their various payment schemes over the last 15 years, and while the offerings and technology have changed, we all still gravitate toward the cost of the solution. Not all solutions are alike, so don’t assume that you are making an apples-to-apples comparison when lining them all up in your spreadsheet. Here are five things you should consider while weighing your options:

1. Accepting credit cards costs money but provides convenience and physical security (less cash on hand). If you choose not to accept cards, you should understand the costs of dealing with cash, bad checks, and counterfeiting. You must also consider things like your average ticket size when making this decision. If you sell TVs, you can’t live on cash only for the most part. But if you are a restaurant, news stand, or any place where the average ticket size is under $50, you probably can.

2. Look closely at the plans and understand their differences beyond just the finances. The following six questions typically account for the majority of the cost you might see (the list is not exhaustive, but it covers a significant portion of what you would pay):

a. Will one ISO offer a complete outsourced solution, and take all the burden of PCI DSS compliance off your hands? (WIN!)

b. Will they handle chargebacks for you?

c. Will they cover fraud if someone uses a stolen card in your shop?

d. What cards are accepted?

e. How fast do you get your cash?

f. How and when do they take their fees?

3. Choose not to accept cards, but provide an on-site ATM or accept PIN-Debit with an outsourced provider (to push compliance back to them for member branded cards that can be used as PIN-Debit).

4. Go exclusive with one provider like Costco or Sam’s Club to potentially get a better deal, but ensure you have covered PCI somehow (either yourself or outsourced back to the provider). These are harder to come by nowadays.

5. Offset some of the costs of card processing by offering discounts to cash-paying customers. You cannot require people to pay for the privilege of using a credit card (for the most part), but you can reward customers for paying with cash. You don’t even have to give them discounts; it could be additional points in a loyalty program, a free gift with purchase, or some other way to encourage folks to part with paper bills instead of plastic 1s and 0s.

These are all business decisions that are based on the assumption that you have to deal with cardholder data at some point, and you are better served by making it someone else’s problem and treating it like a standard overhead cost. Focus on retailing, not processing payments, and you may just find yourself never having to deal with PCI DSS!

Your POS is Like My POS!

Point of Sale (POS) software tends to be the biggest focus on payments for small businesses. They understand that tracking the customer’s sale and the card swipe, plus all the magic that happens afterward, starts at the POS. When you first start looking around you may feel like there are too many choices available. The reality is there are not really that many options out there, and the market is largely dominated by a small number of major players. The online or e-Commerce world isn’t too dissimilar in some respects, but the main danger with this side is that there are many free software packages available to process cards. Free isn’t necessarily bad, but most small business owners need commercial support to get things running well. The chances are that if you choose one of the major commercial players, you aren’t the first to do so, and you can bet that there are other small businesses nearby that have the exact same system deployed in their stores.

You might be thinking, “Great! That means all the kinks are worked out and I will probably have a great experience with my software.” In many respects you are absolutely correct. But there is a hidden snake in the grass that many of us ignore. It’s the collateral damage of a POS system being compromised because there is a fundamental flaw in the system, not the way it is deployed.

Remember, criminals want to maximize their payoff while minimizing their effort and risk of being caught. A criminal is less likely to target a single store and more likely to target some kind of common infrastructure shared by hundreds or thousands of stores. If he can find a way to break a POS terminal and can scale that hack from one store to thousands, he’s absolutely going to do that. He might even be able to fly under the radar for a bit as the payment brands try to understand where the real issue is. It will start to look like a bunch of unrelated incidents until they see that they are all running the same software and then it becomes a major issue. We can also bet that those small merchants won’t be fully compliant with PCI DSS, so even though the breach itself may not have been mitigated by a compliant solution, the fact that they are operating in a non-compliant fashion opens them up for fines and fees. That small business just became collateral damage in a larger, organized attack.

Understand that this chapter is designed to scare you a bit, but with a good outcome. Payment card data left unsecured is a silent cancer waiting to go malignant. You don’t need to carry the risk of a breach on your shoulders; you need to make it someone else’s problem. There are plenty of companies out there to choose from, and outsourcing can even make your position stronger from a negotiation perspective if costs from your current provider start to get out of whack.

A Basic Scheme for SMB Hardening

So you have been sufficiently terrified of payment card processing and have already started looking to outsource. But since this isn’t something you can do overnight, what can you do now to help mitigate much of your risk of an electronic intrusion at your store? One element is effective firewall controls that are probably built into the router you have at your location. If you are doing your best to block inbound traffic, have you considered what you are allowing out? Can someone access their Gmail account from a POS terminal? What about a gambling website? What about doing FTP or SSH transfers?

The majority of the guidance you probably have run into on firewalls focuses on how to limit traffic from untrusted networks into trusted networks. Outbound traffic tends to be much trickier for several reasons:

• You have to do an analysis of your business critical applications and the traffic passed to the internet,

• You need to have policies in place governing access,

• You should probably have some controls to prevent employees from going around your policies and rules.

The first one is sometimes the hardest one to accomplish—even as a small business. Traffic analysis is easy if you have the right tools, but small businesses rarely do. You may need to resort to using your firewall to tell you exactly what is typical traffic for your business.

Also, for the record, you should not be allowing Gmail access from a POS terminal, or gambling websites, and definitely not SSH and FTP. We’re not saying there aren’t legitimate business reasons to do any of these things… well, wait. Yeah, we are. Don’t do these things from an in-scope PCI DSS device.
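One way to get the “what is typical traffic for my business” baseline from the firewall itself, as an added example that is not from the book or its authors: a short Python script that summarizes outbound connections from a POS segment and flags anything outside an egress allow list. The log line format, the processor gateway address (203.0.113.10), the local resolver (192.168.10.1), and the POS subnet are constructed assumptions; adapt the regex to your own router’s syslog output.

```python
"""Build an egress baseline from outbound firewall logs and flag policy violations.

Added example for this chapter, not the authors' tool. The log format below is a
constructed, simplified one (timestamp SRC DST PROTO DPT ACTION); real routers
differ, so the regex must be adapted to your firewall's actual output.
"""
import re
from collections import Counter

# Constructed sample of outbound ("egress") log lines from a POS VLAN.
SAMPLE_LOG = """\
2011-10-03T09:01:12 SRC=192.168.10.21 DST=203.0.113.10 PROTO=TCP DPT=443 ACTION=ALLOW
2011-10-03T09:01:40 SRC=192.168.10.21 DST=203.0.113.10 PROTO=TCP DPT=443 ACTION=ALLOW
2011-10-03T09:02:05 SRC=192.168.10.22 DST=198.51.100.7 PROTO=TCP DPT=22 ACTION=ALLOW
2011-10-03T09:03:18 SRC=192.168.10.22 DST=198.51.100.9 PROTO=TCP DPT=21 ACTION=ALLOW
2011-10-03T09:04:00 SRC=192.168.10.23 DST=192.0.2.55 PROTO=TCP DPT=443 ACTION=ALLOW
2011-10-03T09:04:30 SRC=192.168.10.21 DST=203.0.113.10 PROTO=TCP DPT=443 ACTION=ALLOW
2011-10-03T09:05:11 SRC=192.168.10.23 DST=192.168.10.1 PROTO=UDP DPT=53 ACTION=ALLOW
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)"
)

# Hypothetical egress policy for the POS segment: the payment processor over
# HTTPS and the local DNS resolver only. Everything else needs a business case.
ALLOWED_EGRESS = {
    ("203.0.113.10", "TCP", 443),  # assumed payment processor gateway
    ("192.168.10.1", "UDP", 53),   # assumed local resolver on the router
}

# Services the chapter says never belong on an in-scope POS device.
FORBIDDEN_PORTS = {21: "FTP", 22: "SSH"}


def parse_log(text):
    """Yield (src, dst, proto, dport) tuples, skipping lines that don't match."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dport"])


def egress_profile(text):
    """Count connections per (dst, proto, dport): the 'typical traffic' baseline."""
    return Counter((dst, proto, dport) for _, dst, proto, dport in parse_log(text))


def policy_violations(text):
    """Return flows outside the allow list, each tagged with the reason."""
    findings = []
    for src, dst, proto, dport in parse_log(text):
        if (dst, proto, dport) in ALLOWED_EGRESS:
            continue
        reason = FORBIDDEN_PORTS.get(dport, "not in egress allow list")
        findings.append((src, dst, proto, dport, reason))
    return findings


if __name__ == "__main__":
    for flow, count in egress_profile(SAMPLE_LOG).most_common():
        print(count, flow)
    for finding in policy_violations(SAMPLE_LOG):
        print("VIOLATION", finding)
```

Run against a few days of real logs, the profile is the list of destinations to turn into explicit allow rules; the violations are the conversations to have with staff before the default-deny outbound rule goes in.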

TIP

For a detailed post on how to do this for your business, visit this blog post by Branden (http://j.mp/dAku0U), in which you will learn how to handle firewalls in your small to medium sized business.

You will also probably want to start limiting traffic to certain websites. One easy (and cheap) way to do this is to set up a DNS blackhole for certain websites. There are plenty of resources available online to show you how to do this, but suffice it to say, you can black out massive portions of the internet by resolving lookups for those domains to the loopback address of 127.0.0.1. Imagine blocking Facebook with one entry in your server! It’s possible, and it will force your employees to use their personal devices to access non-business related sites.
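As an added example (not from the book), a small Python script shows the difference between the two common ways of sinkholing a domain to 127.0.0.1: a hosts-file line, which only answers the exact name, and a resolver-level entry (rendered here in dnsmasq’s address= syntax), which covers the domain and every subdomain and is what makes “one entry” for Facebook work. The blocklist contents are constructed placeholders.

```python
"""DNS blackhole helpers: which lookups does a sinkhole list actually catch?

Added example, not from the book. A hosts-file entry blocks one exact name; a
resolver zone-style entry blocks a domain and all of its subdomains without
catching look-alike names such as 'notfacebook.com'.
"""

SINKHOLE = "127.0.0.1"

# Constructed blocklist: names the shop owner does not want reachable from the
# POS segment. Your own list comes from your policy, not from this snippet.
BLOCKED_DOMAINS = ["facebook.com", "example-casino.test", "webmail.example.net"]


def normalize(name):
    """Lower-case and strip the trailing dot so 'WWW.Facebook.com.' compares sanely."""
    return name.strip().lower().rstrip(".")


def hosts_entry_matches(blocked, queried):
    """An /etc/hosts line '127.0.0.1 facebook.com' answers only that exact name."""
    return normalize(blocked) == normalize(queried)


def zone_entry_matches(blocked, queried):
    """A resolver-level blackhole covers the domain and every label beneath it."""
    b, q = normalize(blocked), normalize(queried)
    return q == b or q.endswith("." + b)


def is_sinkholed(queried, blocklist=BLOCKED_DOMAINS, zone_style=True):
    """Return True if a lookup for `queried` would be answered with 127.0.0.1."""
    match = zone_entry_matches if zone_style else hosts_entry_matches
    return any(match(b, queried) for b in blocklist)


def dnsmasq_config(blocklist=BLOCKED_DOMAINS):
    """Render the blocklist as dnsmasq address= lines (one line per whole domain)."""
    return "\n".join(f"address=/{normalize(d)}/{SINKHOLE}" for d in blocklist)


def hosts_file(blocklist=BLOCKED_DOMAINS):
    """Render as /etc/hosts lines; these catch the bare domain name only."""
    return "\n".join(f"{SINKHOLE} {normalize(d)}" for d in blocklist)


if __name__ == "__main__":
    for q in ["facebook.com", "www.facebook.com", "notfacebook.com", "shop.example.com"]:
        hosts_hit = is_sinkholed(q, zone_style=False)
        zone_hit = is_sinkholed(q)
        print(f"{q:20} hosts-file: {hosts_hit!s:5} resolver zone: {zone_hit}")
    print(dnsmasq_config())
```

Whichever form you deploy, verify it from a POS terminal with a lookup of both the bare domain and a www. name: if the second one still resolves normally, you have a hosts-file style block, not a zone-style one.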

Case Study

Your business may not fully enable you to convert to a cash business, but there are always strategies for reducing your risks. As a small business owner, you have much more to lose than an employee of a big business, so be sure you get good advice, read your contracts, and understand your risks fully before playing in the payment card space.

The Case of the Cashless Cover Charge

Schafer’s Sommelier Sanctuary is a new upscale wine shop that caters to choosy wine consumers and wine stewards. Michelle has been a connoisseur of fine wines for many years, and started a small wine club to meet and taste fine wines from all over the globe. After much urging from her growing membership, she finally decided to open an official business location. She found a great location that requires minimal finishing costs for her store and is studying how to handle payment acceptance. She knows that cash only is not an option as her average ticket size will be well over $50, and she wants to provide a concierge level of service to her frequent customers to ensure they are served with minimal barriers.

She receives bids from several Independent Sales Organizations (ISOs) but is having a hard time choosing as all of their features are vastly different. She makes a table with her top two options to compare the merits of insourcing or outsourcing. She is computer savvy, but does not wish to spend a bunch of time messing with her POS system if she doesn’t have to. She ends up with something that looks like Table 11.1.

Table 11.1 Basic Outsourcing Cost Analysis (the table was reproduced as an image in the original and is not available in this text)

In order for her to choose to outsource her transactions, she must be willing to pay an extra $20,000 to completely remove the risk of a PCI Breach from having a major effect on her new business. That’s a pretty steep charge, but works out to be around $1650/month, well under the salary she would need to pay to hire someone to deal with all of her IT and security concerns, and less (marginally depending on the quality) than what it would cost to hire a contractor to maintain the systems. In addition, the outsourced provider will allow her to make profiles for her top customers and include the payment card information there so she can charge her regulars without even asking for their payment cards. She also has the ability to set up a monthly wine club that automatically bills her customers for the wine they will receive as a part of their membership. Because she chooses to outsource, she is now able to do this without the fear of a PCI breach ending her business.

Summary

Small businesses learning to deal with PCI DSS feel like they have a near insurmountable hill to climb—so much so that many of them choose to ignore the problem and just pray that they will not be the target of a criminal attack. Companies have options when it comes to accepting customer payments, and they may opt to alter their business to accommodate these lower risk changes. For the most part, they absolutely cost more, but there are some interesting advantages that open up when you consider outsourcing this headache to a provider who bases their business around the flow and security of payment cards.

If you find yourself in this situation—be it a new company accepting payment cards or an existing company learning about PCI DSS—consider your options carefully. You have seen an outsourcing theme repeated heavily in this chapter and throughout this book. You should build some financial models to understand the impact of your decisions and be sure you fully understand your current risk and liability if you continue to operate your business as-is.

If you take anything away from this chapter, small businesses should remember the three Ds of Safe Payment Processing:

• Delegate (Outsource, you may pay an extra point, but you don’t have to worry about PCI DSS if you do it right)

• Destroy (After use)

• Don’t Store (Period)
