
Payment Card Industry Security Standards Council

DATA SECURITY ESSENTIALS FOR SMALL MERCHANTS


A PRODUCT OF THE PAYMENT CARD INDUSTRY SMALL MERCHANT TASK FORCE

Guide to Safe Payments


Version 2.0 • August 2018
Data Security Essentials for Small Merchants: Guide to Safe Payments
Copyright 2018 PCI Security Standards Council, LLC. All Rights Reserved.
This Guide to Safe Payments is provided by the PCI Security Standards Council (PCI SSC) to inform and educate
merchants and other entities involved in payment card processing. For more information about the PCI SSC and
the standards we manage, please visit www.pcisecuritystandards.org.
The intent of this document is to provide supplemental information, which does not replace or supersede PCI
Standards or their supporting documents.
UNDERSTANDING YOUR RISK

Understanding your risk

As a small business, you are a prime target for data thieves. When your payment card data is breached, the fallout can strike quickly. Your customers lose trust in your ability to protect their personal information. They take their business elsewhere. There are potential financial penalties and damages from lawsuits, and your business may lose the ability to accept payment cards. A survey of 1,015 small and medium businesses found 60% of those breached close in six months. (NCSA)

50% OF SMALL BUSINESSES HAVE BEEN BREACHED IN THE PAST 12 MONTHS. (Ponemon Institute)

£30 billion COST TO UK BUSINESS DUE TO CYBER SECURITY BREACHES IN 2016. (Beaming UK)

61% OF BREACHES HIT SMALLER BUSINESSES LAST YEAR, UP FROM THE PREVIOUS YEAR’S 53%. (Verizon 2017)

ONLY 39% OF SMALL FIRMS HAVE FORMAL POLICIES COVERING CYBER SECURITY RISKS IN 2017. (Dept for Culture Media and Sport)

What’s at risk?

YOUR CUSTOMERS’ CARD DATA IS A GOLD MINE FOR CRIMINALS. DON’T LET THIS HAPPEN TO YOU!
Follow the actions in this guide to protect against data theft.

Examples of payment card data are the primary account number (PAN) and three or four-digit card security code. The red arrows below point to types of data that require protection.

TYPES OF DATA ON A PAYMENT CARD
[Figure: front and back of a payment card, with arrows pointing to the following data]
• Card security code (American Express)
• Magnetic stripe (data on tracks 1 and 2)
• Chip
• PAN
• Cardholder name
• Expiration date
• Card security code (all other payment brands)

WHAT IS PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that can help small merchants to protect customer card data located on payment cards. Small merchants may be familiar with validating their PCI DSS compliance via a Self-Assessment Questionnaire (SAQ). For more information on PCI DSS, see the Resources at the end of this guide.

Understanding your payment system: Common payment terms

Accepting face-to-face card payments from your customers requires special equipment. Depending on where in the world you are located, equipment used to take payments is called by different names. Here are the types we reference in this document and what they are commonly called.

A PAYMENT TERMINAL is the device used to take customer card payments via swipe, dip, insert, tap, or manual entry of the card number. Point-of-sale (or POS) terminal, credit card machine, PDQ terminal, or EMV/chip-enabled terminal are also names used to describe these devices.

An ELECTRONIC CASH REGISTER (or till) registers and calculates transactions, and may print out receipts, but it does not accept customer card payments.

An INTEGRATED PAYMENT TERMINAL is a payment terminal and electronic cash register in one, meaning it takes payments, registers and calculates transactions, and prints receipts.

A MERCHANT BANK is a bank or financial institution that processes credit and/or debit card payments on behalf of merchants. Acquirer, acquiring bank, and card or payment processor are also terms for this entity.

ENCRYPTION (or cryptography) makes card data unreadable to people without special information (called a key). Cryptography can be used on stored data and data transmitted over a network. Payment terminals that are part of a PCI-listed P2PE solution provide merchants the best assurance about the quality of the encryption. With a PCI-listed P2PE solution, card data is always entered directly into a PCI-approved payment terminal with something called “secure reading and exchange of data (SRED)” enabled. This approach minimizes risk to clear-text card data and protects merchants against payment-terminal exploits such as “memory scraping” malware. Any encryption that is not done within a PCI-listed P2PE should be discussed with your vendor.

A PAYMENT SYSTEM includes the entire process for accepting card payments. Also called the cardholder data environment (CDE), your payment system may include a payment terminal, an electronic cash register, other devices or systems connected to a payment terminal (for example, Wi-Fi for connectivity or a PC used for inventory), and the connections out to a merchant bank. It is important to use only secure payment terminals and solutions to support your payment system. See page 21 for more information.

[Figure: a payment terminal or an electronic cash register connected out to the merchant bank]

Understanding your E-commerce Payment System

When you sell products or services online, you are classified as an e-commerce merchant. Here are some common terms you may see or hear and what they mean.

An E-COMMERCE WEBSITE houses and presents your business website and shopping pages to your customers. The website may be hosted and managed by you or by a third party hosting provider.

Your SHOPPING PAGES are the web pages that show your product or services to your customers, allowing them to browse and select their purchase, and provide you with their personal and delivery details. No payment card data is requested or captured on these pages.

Your PAYMENT PAGE is the web page or form used to collect your customer’s payment card data after they have decided to purchase your product or services. Handling of card data may be 1) managed exclusively by the merchant using a shopping cart or payment application, 2) partially managed by the merchant with the support of a third party using a variety of methods, or 3) wholly outsourced to a third party. Most times, using a wholly outsourced third party is your safest option, and it is important to make sure they are a PCI DSS validated third party.

An E-COMMERCE PAYMENT SYSTEM encompasses the entire process for a customer to select products or services and for the e-commerce merchant to accept card payments, including a website with shopping pages and a payment page or form, other connected devices or systems (for example Wi-Fi or a PC used for inventory), and connections to the merchant bank (also called a payment service provider or payment gateway). Depending on the merchant’s e-commerce payment scenario, an e-commerce payment system is either wholly outsourced to a third party, partially managed by the merchant with support from a third party, or managed exclusively by the merchant.

[Figure: merchant e-commerce website with merchant shopping pages, a merchant payment page (“Pay Now” / “Checkout”), and a PCI DSS compliant third-party service provider, connected via the Internet]

How is your business at risk?

The more features your payment system has, the more complex it is to secure.

Think carefully about whether you really need extra features such as Wi-Fi, remote access software, Internet-connected cameras, or call recording systems for your business. If not properly configured and managed, each of these features can provide criminals with easy access to your customers’ payment card data.

If you are an e-commerce merchant, it is very important to understand how or if payment data is captured on your website. In most cases, using a wholly outsourced third party to capture and process payments is the safest option.

[Figure: COMPLEX ENVIRONMENT (harder to reduce risk) compared with SIMPLE ENVIRONMENT (easier to reduce risk)]

How do you sell your goods or services? There are three main ways:
1. A person walks into your shop and makes a purchase with their card.
2. A person visits your website and pays online.
3. A person calls your shop and provides card details over the phone, or sends the details in the mail or via fax.

Understanding your risk: Payment system types

Your security risks vary greatly depending on the complexity of your payment system, whether face-to-face or online.

TYPE: Dial-up payment terminal. Payments sent via phone line. RISK PROFILE: LOWER
TYPE: Payment terminal connects to electronic cash register, with additional connected equipment. Payments sent via Internet. RISK PROFILE: HIGHER

DIAL-UP PAYMENT TERMINAL
[Figure: simple payment system for in-shop purchases. The payment terminal is connected to the bank by a dial-up telephone line; the dial-up payment terminal shows it is dialing for each transaction. Paper documents with card data are also present.]
For this scenario, risks to card data are present at the points marked above. Risks explained on next page.

COMPLEX PAYMENT SYSTEM FOR IN-SHOP PURCHASES, WITH WI-FI, CAMERAS, INTERNET PHONES, AND OTHER ATTACHED SYSTEMS
[Figure: general use computers, IP phones, cameras and an electronic cash register connected through a router/firewall to the Internet, with a payment terminal attached. Card data can be entered on the electronic cash register or the payment terminal. The merchant might also use Wi-Fi capability in addition to wired networking, and/or may offer Wi-Fi for customer use.]
For this scenario, risks to card data are present at the points marked above. Risks explained on next page. There are many risk points here due to numerous systems connected to the Internet and to payment terminals. Each system has to be configured and managed properly to minimize risk.

COMPLEX E-COMMERCE PAYMENT SYSTEM FOR ONLINE SHOP PURCHASES, WITH MERCHANT MANAGING THEIR OWN WEBSITE AND PAYMENT PAGE
[Figure: merchant website with a “Pay Now” / “Checkout” payment page]

Use the Common Payment Systems to help you identify what type of payment system you use, your risk, and the recommended security tips as a starting point for conversations with your merchant bank and vendor partners.

PROTECT YOUR BUSINESS WITH THESE SECURITY BASICS

How do you protect your business?

The good news is, you can start protecting your business today with these security basics:

• Use strong passwords and change default ones
• Protect your card data and only store what you need
• Inspect payment terminals for tampering
• Use trusted business partners and know how to contact them
• Install patches from your vendors
• Protect in-house access to your card data
• Don’t give hackers easy access to your systems
• Use anti-virus software
• Scan for vulnerabilities and fix issues
• Use secure payment terminals and solutions
• Protect your business from the Internet
• For the best protection, make your data useless to criminals

Each of these basics is rated for Cost, Ease, and Risk Mitigation. These security basics are organized from easiest and least costly to implement to those that are more complex and costly to implement. The amount of risk reduction that each provides to small merchants is also indicated in the “Risk Mitigation” column.

Use strong passwords and change default ones

Your passwords are vital for computer and card data security. Just like a lock on your door protects physical property, a password helps protect your business data. Also be aware that computer equipment and software out of the box (including your payment terminal) often come with default (preset) passwords such as “password” or “admin,” which are commonly known by hackers and are a frequent source of small merchant breaches.

CHANGE YOUR PASSWORDS REGULARLY. Treat your passwords like a toothbrush. Don’t let anyone else use them and get new ones every three months.

TALK TO YOUR SERVICE PROVIDERS. Ask your vendors or service providers about default passwords and how to change them. Then do it! Also, if your service provider manages passwords for your systems, ask them if they’ve changed those vendor default passwords.

MAKE THEM HARD TO GUESS. The most common passwords are “password” and “123456.” Hackers try easily-guessed passwords because they’re used by half of all people. A strong password has seven or more characters and a combination of upper and lower case letters, numbers, and symbols (like !@#$&*). A phrase can also be a strong password (and may be easier to remember), like “B1gMac&frieS.”

DON’T SHARE. Insist on each employee having their own login IDs and passwords – never share!

TYPICAL DEFAULT PASSWORDS THAT MUST BE CHANGED:
• [none]
• [name of product/vendor]
• 1234 or 4321
• access
• admin
• anonymous
• company name
• database
• guest
• manager
• pass
• password
• root
• sa
• secret
• sysadmin
• user

65% of SMBs that have a password policy do not strictly enforce it. (Ponemon Institute)

For more about password security, see these resources on the PCI Council website:
• Infographic: It’s Time to Change Your Password
• Video: Learn Password Security in 2 Minutes
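The rules on this page (seven or more characters, a mix of upper and lower case letters, numbers and symbols, nothing matching a typical vendor default, no shared logins) can be turned into a small audit a merchant or their IT helper can run over the accounts on a till or back-office PC. The following is an added example, not code from the PCI SSC guide; the default-password list is the guide’s own, while the product/vendor name and company name placeholders are supplied by the caller, and the interpretation of “symbol” as any ASCII punctuation character is an assumption.

```python
"""Password audit against the rules stated in the Guide to Safe Payments.

Added example, not part of the PCI SSC document. Encodes the guide's rules:
seven or more characters; upper and lower case letters, numbers and symbols;
and nothing matching a typical default password or a commonly used one.
"""
import string

# Typical default passwords listed in the guide (lower-cased for comparison).
# The empty string stands for the guide's "[none]" entry.
VENDOR_DEFAULTS = {
    "", "1234", "4321", "access", "admin", "anonymous", "database", "guest",
    "manager", "pass", "password", "root", "sa", "secret", "sysadmin", "user",
}
# The two most common passwords named in the guide's text.
COMMON_PASSWORDS = {"password", "123456"}

# Assumption: any ASCII punctuation counts as a "symbol (like !@#$&*)".
SYMBOLS = set(string.punctuation)


def check_password(candidate, product_name=None, company_name=None):
    """Return the list of reasons the candidate fails the guide's rules.

    An empty list means the password passes. product_name and company_name
    fill the guide's "[name of product/vendor]" and "company name" entries.
    """
    reasons = []
    lowered = candidate.lower()
    known = VENDOR_DEFAULTS | COMMON_PASSWORDS
    for extra in (product_name, company_name):
        if extra:
            known.add(extra.lower())
    if lowered in known:
        reasons.append("matches a default or commonly known password")
    if len(candidate) < 7:
        reasons.append("shorter than seven characters")
    if not any(c.islower() for c in candidate):
        reasons.append("no lower-case letter")
    if not any(c.isupper() for c in candidate):
        reasons.append("no upper-case letter")
    if not any(c.isdigit() for c in candidate):
        reasons.append("no number")
    if not any(c in SYMBOLS for c in candidate):
        reasons.append("no symbol (like !@#$&*)")
    return reasons


def audit_accounts(accounts, product_name=None, company_name=None):
    """Check a mapping of login ID -> password and report failing accounts.

    Also flags two logins using the same password, since the guide says each
    employee must have their own login ID and password.
    """
    findings = {}
    first_user_of = {}
    for login, pw in accounts.items():
        reasons = check_password(pw, product_name, company_name)
        if pw in first_user_of:
            reasons.append("same password as " + first_user_of[pw])
        else:
            first_user_of[pw] = login
        if reasons:
            findings[login] = reasons
    return findings


if __name__ == "__main__":
    # Constructed sample: a terminal still on its factory default, two staff
    # sharing one password, and the guide's own example of a strong phrase.
    sample = {
        "terminal": "admin",
        "alice": "Summer22",
        "bob": "Summer22",
        "owner": "B1gMac&frieS",
    }
    for login, reasons in audit_accounts(sample, product_name="AcmePOS").items():
        print(login + ": " + "; ".join(reasons))
```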

Protect card data and only store what you need

It’s impossible to protect card data if you don’t know where it is. What can you do?

ASK AN EXPERT. Ask your payment terminal vendor, service provider, or merchant bank where (or if) your systems store data and if you can simplify how you process payments. Also ask how to conduct specific transactions (for example, for recurring payments) without storing the card’s security code.

OUTSOURCE. The best way to protect against data breaches is not to store card data at all. Consider outsourcing your card processing to a PCI DSS compliant service provider. See Resources on page 25 for lists of compliant service providers.

IF YOU DON’T NEED CARD DATA, DON’T STORE IT. Securely destroy/shred card data you don’t need. If you need to keep paper with sensitive card data, mark through the data with a thick, black marker until it is unreadable and secure the paper in a locked drawer or safe that only a few people have access to. For example: [Figure: a receipt with the card data blacked out]

LIMIT RISK. Rather than accepting payment details via email, ask customers to provide it via phone, fax, or regular mail.

TOKENIZE OR ENCRYPT. Ask your merchant bank if you REALLY need to store that card data. If you do, ask your merchant bank or service provider about encryption or tokenization technologies that make card data useless even if stolen. SEE PAGE 23.

Another place to consider whether you are storing payment data is in emails. If you receive card details via email, you can still process the transaction, but delete the email immediately and then let the sender know how you prefer to receive cardholder data (and that email is not the best way to send it). Do not simply reply using the original email from your customer. Instead delete the card details from the reply email, otherwise you are further exposing the card data via storing the original email, the sent email, etc.

Tokenization has a similar goal to encryption but works differently. It substitutes card data with meaningless data (a “token”) that has no value to a hacker. Merchants can use tokens to submit subsequent transactions, process a refund, etc. without needing to store the actual payment card details. The token is used by your payment processor to look up the card details, which they store instead of you.

ENCRYPTION PRIMER
Cryptography uses a mathematical formula to render plaintext unreadable to people without special knowledge (called a key). Cryptography is applied to stored data as well as data transmitted over a network.
ENCRYPTION changes plaintext into ciphertext.
DECRYPTION changes ciphertext back into plaintext.
[Figure: plaintext is turned into ciphertext with an ENCRYPTION KEY and back into plaintext with a DECRYPTION KEY]

Inspect payment terminals for tampering

“Skimming devices” sweep up your customers’ card data as it enters a payment terminal. It’s vital that you and your staff know how to spot a skimming device, what your payment terminals should look like, and how many you have. You need to regularly check your payment terminals to make sure they have not been tampered with. If there is any suspicion that a terminal has been tampered with, DO NOT USE it, and report this immediately to your merchant bank and/or terminal vendor.

Be vigilant and follow these steps:

KEEP A LIST of all payment terminals and take pictures (front, back, cords, and connections) so you know what they are supposed to look like.

LOOK FOR OBVIOUS SIGNS of tampering, such as broken seals over access cover plates or screws, odd/different cabling, or new devices or features you don’t recognize. The Council’s guide (referenced below) can help.

PROTECT TERMINALS. Keep them out of customers’ reach when not in use and restrict public viewing of the screens. Make sure your payment terminals are secure before you close your shop for the day, including any devices that read your customers’ payment cards or accept their personal identification numbers (PINs).

CONTROL REPAIRS. Only allow payment terminal repairs from authorized repair personnel, and only if you are expecting them. Tell your staff too. Monitor any third-parties with physical access to your payment terminals, even if they are there for another reason, to make sure they don’t modify your payment terminals.

CALL your payment terminal vendor or merchant bank immediately if you suspect anything!

See the PCI Council’s guide: Skimming Prevention – Overview of Best Practices for Merchants

Use trusted business partners and know how to contact them

You use outside providers for payment-related services, devices and applications. You may also have service providers that you share card data with, that support or manage your payment systems, or that you give access to card data. You may call them processors, vendors, third parties, or service providers. All of these impact your ability to protect your card data, so it’s critical you know who they are and what security questions to ask them.

KNOW WHO TO CALL. Who is your merchant bank? Who else helps you process payments? Who did you buy your payment device/software from and who installed it for you? Who are your service providers?

KEEP A LIST. Now that you know who to call, keep company and contact names, phone numbers, website addresses, and other contact details where you can easily find them in an emergency.

CONFIRM THE SECURITY OF YOUR SERVICE PROVIDERS. Is your service provider adhering to PCI DSS requirements? For e-commerce merchants, it is important that your payment service provider is PCI DSS compliant too! See Resources on page 25 for lists of compliant service providers.

ASK QUESTIONS. Once you know who your outside providers are and what they do for you, talk to them to understand how they protect card data. Use Questions to ask your Vendors to help you know what to ask.

UNDERSTAND COMMON VENDORS. Review the list below to understand common types of vendors or service providers you may work with.

COMMON VENDORS
Refer to the table in the Questions to ask your Vendors for more details about these common vendors:
• Payment terminal vendors
• Payment application vendors
• Payment system installers (called Integrators/Resellers)
• Service providers that perform payment processing, or e-commerce hosting or processing
• Service providers that help you meet PCI DSS requirement(s) (for example, providing firewall or antivirus services)
• Providers of Software as a Service

Install patches from your vendors

Software can have flaws that are discovered after release, caused by mistakes made by programmers when they wrote the code. These flaws are also called security holes, bugs or vulnerabilities. Hackers exploit these mistakes to break into your computer and steal account data. Protect your systems by applying vendor-supplied “patches” to fix coding errors. Timely installation of security patches is crucial!

It is important that you know how your software is being regularly updated with patches and who is responsible (it could be you!). Also, some patches install automatically when they become available. If you’re not sure how patches get added or who is responsible, make it a point to ask your vendor/supplier.

ASK your vendor or service provider how it notifies you of new security patches, and make sure you receive and read these notices.

WHICH VENDORS SEND YOU PATCHES? You may get patches from vendors of your payment terminal, payment applications, other payment systems (tills, cash registers, PCs, etc.), operating systems (Android, Windows, iOS, etc.), application software (including your web browser), and business software.

MAKE SURE your vendors update your payment terminals, operating systems, etc. so they can support the latest security patches. Ask them.

E-COMMERCE MERCHANTS. Installing patches as soon as possible is very important for you too. Also look out for patches from your payment service provider. Ask your e-commerce hosting provider whether they patch your system (and how often). Make sure they update the operating system, e-commerce platform and/or web application so it can support the latest patches.

FOLLOW your vendor’s/service provider’s instructions and install those patches as soon as possible.

Protect in-house access to your data

Privilege abuse means a person using someone else’s information and details to gain access to systems or data that person is not authorized to have access to.

25% OF BREACHES INVOLVE INTERNAL ACTORS. (Verizon 2017)

ACCESS CONTROL IS ALL IMPORTANT. Set up your system to grant access only based on a “business need-to-know.” As the owner, you have access to everything. But most employees can do their job with access only to a subset of data, applications, and functions.

LIMIT ACCESS to payment systems and unencrypted card data to only those employees that need access, and only to the data, applications and functions they need to do their jobs.

KEEP A LOG. Track all “behind the counter” visitors in your establishment. Include name, reason for visit, and name of employee that authorized visitor’s access. Keep the log for at least a year.

SECURELY DISPOSE OF DEVICES. Ask your payment system vendor or service provider how to securely remove card data before selling or disposing of payment devices (so data cannot be recovered).

SHARE THIS INFORMATION. Give this guide to your employees, business partners, and third-party service providers (such as e-commerce hosting providers) so they know what is expected.

MAKE USER IDS UNIQUE for each person with access to your payment system whenever possible. This will help you keep track of who logs in and when, and any changes they make.

Consider giving employees access to take payments but not to process refunds, or to take new bookings/orders but not to access payment card data related to existing booking/orders. Some employees should have no access at all.

Don’t give hackers easy access to your systems

HACKERS = THREATS

One of the easiest ways for hackers to get into your system is through people you trust. You need to know how your vendors are accessing your system to make sure it’s not opening up any holes for hackers.

FIND OUT. Ask your payment system vendor or service provider if they use remote access to support or access your business systems.

ASK HOW TO LIMIT USE OF REMOTE ACCESS. Many remote access programs are always on, or always available by default, meaning the vendor can access your systems remotely all the time (this also means that hackers can access your systems too since many vendors use commonly-known passwords for remote access). Reduce your risk – ask your vendor how to disable remote access when not needed, and how to enable it when your vendor or service provider specifically requests it.

DISABLE IT WHEN DONE. To protect your business, it’s important that you take a part in managing how and when your vendors can access your systems.

USE STRONG AUTHENTICATION. If you must allow remote access, require multi-factor authentication and strong cryptography.

ENSURE SERVICE PROVIDERS USE UNIQUE CREDENTIALS. Each one must use remote access credentials that are unique to your business and that are not the same ones used for other customers.

ASK FOR HELP. Ask your vendor or service provider for help disabling remote access, or (if your vendor or service provider needs remote access) for help setting up multi-factor authentication. See Questions to ask your Vendors to help you know exactly what to ask them.

Multi-factor authentication uses a username and password plus at least one other factor (like a smart card, dongle*, or one-time passcode).
*a handy device that connects to a computer to allow access to wireless, software features, etc.

If your vendor supports or troubleshoots your payment system from their office (and not from your location) they are using the Internet and remote access software to do this. Examples of products your vendor may install on your terminal and use to support you remotely include VNC & LogMeIn.

Use anti-virus software

Hackers write viruses and other malicious code to exploit software features and coding mistakes, so they can break into your systems and steal card data. Using up-to-date anti-virus (also called anti-malware) software helps to protect your systems.

INSTALL ANTI-VIRUS SOFTWARE TO PROTECT YOUR PAYMENT SYSTEM. It is easy to install and can be obtained from your local office supply shop or IT retailer.

SET THE SOFTWARE TO “AUTOMATIC UPDATE” so you always get the most recent protection available.

GET ADVICE. Ask your IT retailer about products they recommend for anti-virus/anti-malware protection.

RUN AUTOMATIC SCANS. Schedule regular full system scans, since your systems may have been infected by new malware that was released before your anti-virus software was able to detect it.

E-COMMERCE MERCHANTS. Installing anti-virus software is very important for you too. Ask your service provider(s) whether they have installed anti-virus software on your system (and how often it is updated). Make sure they keep the anti-virus software up-to-date and regularly scan your system for malware.

Scan for vulnerabilities and fix issues

New vulnerabilities, security holes, and bugs are being discovered daily. It’s vital to have your Internet-facing systems tested regularly to identify these new risks and address them as soon as possible. Your Internet-facing systems (like many payment systems) are the most vulnerable because they can be easily exploited by criminals, allowing them to sneak into your systems.

GET ADVICE. Ask your merchant bank if they have partnerships with any PCI Approved Scanning Vendors (ASVs). Ask your vendors and service providers too.

TALK TO A PCI ASV. These vendors can help you with tools that automatically identify vulnerabilities and misconfigurations in your Internet-facing payment systems, e-commerce website, and/or networks and provide you with a report if, for example, you need to apply a patch. The PCI Council’s list (referenced below) can help you find a scanning vendor.

SELECT A SCANNER. Contact several PCI ASVs to find one with a program suitable for your small business.

ADDRESS VULNERABILITIES. Ask your ASV, payment system vendor or service provider, or merchant bank for help correcting issues found by scanning.

The PCI Council’s Approved Scanning Vendors (ASVs) perform external vulnerability scanning and reporting. See PCI’s List of PCI-Approved Scanning Vendors.

Use secure payment terminals and solutions

A sure way to better protect your business is to use secure payment solutions and trained professionals to help you. Here’s how to choose safe products and make sure they are set up securely.

USE SECURE PAYMENT TERMINALS AND PIN ENTRY DEVICES. The PCI Council approves payment terminals that protect PIN data. Make sure your payment terminal or device is on the List of PCI Approved PTS Devices for equipment that provides the best security, and supports “EMV chip.”

USE SECURE SOFTWARE. Make sure your payment software is on the List of PCI Validated Payment Applications.

USE QUALIFIED PROFESSIONALS. Make sure the person installing your payment system does it correctly and securely. Choose from the List of PCI QIRs to help you. Ask your merchant bank to help you make the selection.

USE SECURE E-COMMERCE PAYMENT SERVICE PROVIDERS. If you don’t already, consider using a PCI DSS compliant service provider to help you securely process your e-commerce payment transactions, and/or to manage your e-commerce website.

LOOK FOR PCI DSS COMPLIANT SERVICE PROVIDERS. Make sure your payment service provider is compliant with PCI DSS. Check Mastercard’s and Visa’s lists to confirm that they are listed:
• MasterCard’s List of Compliant Service Providers
• Visa’s Global Registry of Service Providers
• Visa Europe’s Registered Agents

REFER TO THIS LIST OF VENDOR QUESTIONS. Use Questions to ask your Vendors to help you know what to ask your vendors and service providers.

Your customers enter their personal identification numbers (PINs) for their payment cards into your payment terminal or PIN entry device. It is important to use secure devices to protect your customers’ PIN data.

For PCI payment terminals and secure card readers that encrypt card data, see page 23.

Protect your business from the Internet

The Internet is the main highway used by data thieves to attack and steal your customers' card data. For this reason, if your business is on the Internet, anything you use for card payments needs extra protection.

A firewall is equipment or software that sits between your payment system and the Internet. It acts as a barrier to keep traffic out of your network and systems that you don't want and didn't authorize. Firewalls are configured (in hardware, software, or both) with specific criteria to block or prevent unauthorized access to a network. Firewalls are often included in the router "box" provided by your Internet provider. For simple tips on configuring your firewall, see PCI Firewall Basics.

ISOLATE USAGE. Don't use the device or system you take payments with for anything else. For example, don't surf the web or check emails or social media from the same device or computer that you use for payment transactions. When necessary for business (for example, updating your business's social media page), use another computer and not your payment device for these updates.

PROTECT YOUR "VIRTUAL TERMINAL." If you enter customer payments via a virtual terminal (a web page you access with a computer or a tablet), minimize your risk: don't attach an external card reader to it.

PROTECT WI-FI. If your shop offers free Wi-Fi for your customers, make sure you use a separate network for your payment system (this is called "network segmentation"). Ask your network installer for help with safely configuring Wi-Fi.

USE A FIREWALL. A properly configured firewall acts as a buffer to keep hackers and malicious software from getting access to your payment systems, your e-commerce website, and/or your card data. Check with your payment terminal vendor or service provider to make sure you have one and ask them for help configuring it correctly.

USE PERSONAL FIREWALL SOFTWARE OR EQUIVALENT when payment systems are not protected by your business firewall (for example, when connected to public Wi-Fi).

For the best protection, make your data useless to criminals
Your data is vulnerable when it travels to your merchant bank, and when it's kept or stored on your computers and devices. The best way to keep it safe is to make it useless even if it's stolen: encrypt it whenever you store it or send it, and remove it altogether when it's not needed. While this can be more complex to put in place, in the long run it can make security much easier to manage.

PCI-approved secure card readers and payment terminals that encrypt card data do it using technology called "Secure Reading and Exchange of Data (SRED)". Ask your vendor if your payment terminal encrypts card data with SRED. For choosing terminals, see "Use secure payment terminals and solutions" above.

E-commerce websites must encrypt card data that is sent over the Internet, for example using transport-layer security (TLS). Ask your service provider how they encrypt your card data.

What is tokenization? See page 13 for an explanation.

WORK WITH YOUR PAYMENT SYSTEMS VENDOR OR SERVICE PROVIDER. You should encrypt all card data you store or send. Make sure your payment system is using encryption and/or tokenization technology. If you are not sure, ask them.

USE PCI DEVICES THAT ENCRYPT CARD DATA. The PCI Council approves payment terminals that protect PIN data, and payment terminals and "secure card readers" that additionally encrypt card data. See the List of PCI Approved PTS Devices.

USE SECURE PCI ENCRYPTION SOLUTIONS. Ask whether your payment terminal encryption is done via a Point-to-Point Encryption solution that is on the PCI Council's List of PCI P2PE Validated Solutions.

ARE YOU A MERCHANT NOW MOVING TO EMV CHIP TERMINALS? This is a great opportunity to invest in a terminal that supports EMV and also provides the added security of encryption and tokenization.

UPGRADE YOUR SOLUTION. Reduce your risk: consider getting a new payment terminal that uses both encryption and tokenization technology to remove the value of card data for hackers.

ASK. See Questions to ask your Vendors for help with questions to ask your vendor or service provider.
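The section above says that encryption and tokenization take the value out of card data. The Python below is an added illustration of the tokenization half of that idea; it is not code from the PCI SSC guide or from any vendor's product. It shows what a merchant system is left holding after tokenization (a random token plus the last four digits), why that is worthless to a thief, and why only the provider's "vault" can turn the token back into a card number. The TokenVault class, the keyed fingerprint, the leading-9 token format and the sample card number are all assumptions made for this example; in practice the vault is run by your service provider, not written by the merchant.

```python
"""Added example (not from the PCI SSC guide): how tokenization removes the
value of stored card data. The merchant keeps only a token and the last four
digits; the token-to-PAN "vault" lives with the service provider. All names
and the sample card number below are constructed for illustration."""
import hashlib
import hmac
import secrets

# Constructed sample PAN (a widely used test number, not a real account).
SAMPLE_PAN = "4111 1111 1111 1111"


def luhn_valid(pan: str) -> bool:
    """Luhn check: every real PAN passes it. Used to reject garbage input and
    to guarantee that a token can never be mistaken for a real card number."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """What the merchant may print or display: here only the last four digits."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Service-provider side (assumed design). Holds the key and the
    token->PAN map. A merchant never has this object; it is here only so
    the example runs end to end."""

    def __init__(self, key: bytes):
        self._key = key
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fingerprint: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        # Keyed HMAC rather than a bare hash: the PAN space is small enough
        # that an unkeyed SHA-256 table could be brute-forced if it leaked.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        digits = "".join(c for c in pan if c.isdigit())
        if not luhn_valid(digits):
            raise ValueError("input does not look like a card number")
        fp = self._fingerprint(digits)
        if fp in self._token_by_fingerprint:  # same card -> same token
            return self._token_by_fingerprint[fp]
        while True:
            # Random middle digits: the token has no mathematical relation to
            # the PAN, so nothing outside the vault can reverse it. The last
            # four digits are kept so receipts and refunds still work. A
            # leading 9 keeps the token out of the brands' number ranges
            # (assumption for this example), and any candidate that happens
            # to pass Luhn is rejected so it can never pass as a real PAN.
            middle = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - 5))
            token = "9" + middle + digits[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = digits
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (the service provider) can recover the PAN, e.g. to
        submit a refund. A stolen merchant database offers no such path."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """Everything the merchant stores about the card after tokenization."""
    token = vault.tokenize(pan)
    return {"token": token, "display": mask_pan(pan)}


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))  # key stays with the provider
    record = merchant_record(vault, SAMPLE_PAN)
    print(record)
    print("provider recovers:", vault.detokenize(record["token"]))
```

The point to notice is what is absent from `merchant_record`: no PAN, no key, no way back. That is the property the section is asking you to get from your vendor, and the List of PCI P2PE Validated Solutions is where validated implementations of it are listed.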

WHERE TO GET HELP

Resources

PCI Council Listings
- List of Validated Payment Applications: https://www.pcisecuritystandards.org/assessors_and_solutions/vpa_agreement
- List of Approved PTS Devices: https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices
- List of Approved Scanning Vendors: https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors
- List of Qualified Integrators / Resellers: https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_integrators_and_resellers
- List of P2PE Validated Solutions: https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_solutions

Payment Brand Lists (Lists of Compliant Service Providers)
- MasterCard's List of Compliant Service Providers: https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/merchants-need-to-know.html
- Visa's Global Registry of Service Providers: http://www.visa.com/splisting/
- Visa Europe's Registered Merchant Agents: https://www.visaeurope.com/receiving-payments/security/downloads-and-resources

PCI DSS and Related Guidance
- More about PCI DSS: https://www.pcisecuritystandards.org/pci_security/how
- PCI DSS Self-Assessment Questionnaires: https://www.pcisecuritystandards.org/pci_security/completing_self_assessment
- Guide: Skimming Prevention: Overview of Best Practices for Merchants: https://www.pcisecuritystandards.org/documents/Skimming_Prevention_At-a-Glance_Sept2014.pdf

Infographics and Videos
- Infographic: It's Time to Change Your Password: https://www.pcisecuritystandards.org/pdfs/its_time_to_change_your_password_infographic.pdf
- Infographic: Fight Cybercrime by Making Stolen Data Worthless to Thieves: https://www.pcisecuritystandards.org/documents/PCI-CyberCrime-FinalR.pdf
- Video: Learn Password Security in 2 Minutes: https://www.youtube.com/watch?v=FsrOXgZKa7U
- Video: Passwords: https://www.youtube.com/watch?v=dNVQk65KL8g
- Infographic: Passwords: https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Strong-Passwords.pdf
- Video: Patching: https://www.youtube.com/watch?v=0NGz1mGO3Jg
- Infographic: Patching: https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Patching.pdf
- Video: Remote Access: https://www.youtube.com/watch?v=MxgSNFgvAVc
- Infographic: Remote Access: https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Secure-Remote-Access.pdf

PCI Data Security Essentials for Small Merchants and Related Guidance
- Common Payment Systems: https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Common_Payment_Systems.pdf
- Small Merchant Questions for Vendors: https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Questions_To_Ask_Your_Vendors.pdf
- Small Merchant Glossary: https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Glossary_of_Payment_and_Information_Security_Terms.pdf
- Infographic: PCI Firewall Basics: https://www.pcisecuritystandards.org/pdfs/Small-Merchant-Firewall-Basics.pdf
- Evaluation Tool: Acquirer Overview: https://www.pcisecuritystandards.org/pdfs/PCI-DSE-Overview-for-Acquirers.pdf
- Evaluation Tool: Small Merchant Overview: https://www.pcisecuritystandards.org/pdfs/PCI-DSE-Overview-for-Small-Merchants.pdf


About the PCI Security Standards Council

The PCI Security Standards Council is a global forum for the industry to come together to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. Read more about PCI SSC's Global Payment Security Engagement Initiative at www.pcisecuritystandards.org/pdfs/PCI_SSC_Partnering_for_Global_Payment_Security.pdf

The Council maintains, evolves, and promotes the Payment Card Industry Security Standards. It also provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs.

The Council's founding members, American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc., have agreed to incorporate the PCI Data Security Standard (PCI DSS) as part of the technical requirements for each of their data security compliance programs. Each founding member also recognizes the Qualified Security Assessors and Approved Scanning Vendors qualified by the PCI Security Standards Council.

All five payment brands, along with Strategic Members, share equally in the Council's governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization. Other industry stakeholders are encouraged to join the Council as Strategic or Affiliate members and Participating Organizations to review proposed additions or modifications to the standards. Participating Organizations may include merchants, banks, processors, hardware and software developers, and point-of-sale vendors.

PCI SSC Founders: American Express, Discover Financial Services, JCB International, MasterCard, Visa Inc.
Participating Organizations: merchants, banks, processors, hardware and software developers and point-of-sale vendors.

This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.
