Just as you rely on the retailers you shop with, your customers are depending upon you to protect their sensitive information. As a small business owner, it is your responsibility to take threats to your business systems seriously so that consumer information can be protected. Your customers won’t thank you, because they will never know how you’ve protected them behind the scenes. But the alternative (fines, penalties and lost business) is not worth the risk.
Owners of even the smallest businesses need to understand what happens to each customer’s sensitive data as soon as it leaves the customer’s hands and enters the business’s data processing, storage and transmission systems. As the customer’s information moves through your business processes, it is critical to maintain that data’s security and integrity.
Sensitive data can be financial information, such as credit card numbers, as well as any personally identifiable information (PII) that can be linked to an individual. Be sure to understand and identify all the places within your office environment, business processes and systems that sensitive data is captured, exchanged or stored.
A significant first step to putting security controls in place is assigning individual responsibility and accountability for monitoring and protecting the sensitive data your business handles. We suggest creating a simple spreadsheet that documents the various types of sensitive data your business is handling, its location, and who has responsibility for it. Be sure to review this spreadsheet on a quarterly basis at minimum, to ensure that the information it contains remains current.
One of the easiest steps toward lowering the security risk to your business is to not store sensitive data, period. Examine the spreadsheet you created as part of Best Practice #1 to evaluate where your sensitive data resides. Ask yourself with each line item: Does this information really need to be retained and stored?
The more items you can remove from your spreadsheet (because you aren’t storing the data), the better. If there is a significant business reason for you to store sensitive data, the following steps will help you secure it:
- Limit database access to only those who absolutely need it, giving those parties their own, unique credentials;
- Do not store authentication data for either your employees or your customers; and
- Implement a tokenization solution to enable repeat online customers to securely store and access their payment information.
Again, the best thing you can do for your business is not store cardholder data or PII at all.
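The tokenization approach in the third step, as an added example that is not from the white paper: a merchant's own records keep only a random token and the last four digits, while the full card number exists solely inside the vault. The `TokenVault` class here stands in for a tokenization provider, and the card number is a constructed test value.

```python
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that rejects mistyped card numbers before tokenization."""
    digits = [int(d) for d in pan if d.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the tokenization provider: the only place the PAN lives."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}   # token -> PAN (a real vault encrypts at rest)

    def tokenize(self, pan: str) -> str:
        clean = re.sub(r"\D", "", pan)
        if not luhn_ok(clean):
            raise ValueError("invalid card number")
        token = secrets.token_urlsafe(24)  # random, so it reveals nothing about the PAN
        self._store[token] = clean
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (provider) can turn a token back into a card number."""
        return self._store[token]


def merchant_record(vault: TokenVault, customer_id: str, pan: str) -> dict:
    """What the merchant's database keeps for a repeat customer: no PAN at all."""
    token = vault.tokenize(pan)
    last4 = re.sub(r"\D", "", pan)[-4:]
    return {"customer": customer_id, "token": token, "last4": last4}


def record_holds_pan(record: dict, pan: str) -> bool:
    """Audit helper: does any field in the stored record contain the card number?"""
    clean = re.sub(r"\D", "", pan)
    return any(clean in str(value) for value in record.values())
```

Because the token is random rather than derived from the card number, a stolen merchant database yields nothing a thief can charge without also compromising the vault.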
Good security incorporates “defense in depth,” or multiple layers of protection. For businesses with an Internet connection, firewalls are a first line of cyber-defense. It is imperative to properly configure your firewall according to the way your business handles data. The issue with “plugging in and forgetting” your business’s firewall is that a poorly configured firewall is only slightly better than no firewall at all.
According to the United States Computer Emergency Readiness Team (US-CERT), the most common configuration mistake is not providing outbound data rules, which can leave the business open to external attack. Protecting your perimeter also means checking for any unprotected holes that could allow attackers to gain entry. Another frequent finding is a remote access service that has been left up and running with a weak or, even worse, a default user ID and password in place.
If your business utilizes Internet-facing web applications—in particular, an e-commerce site that accepts card payments—you should also utilize a Web Application Firewall (WAF) or have your website reviewed annually (or after any changes). If you don’t have the resources to engage a technical expert to review your site after changes, a WAF is the optimal alternative.
One of the weakest links in the security chain is humans—your employees; therefore, security awareness training is a critical, ongoing requirement for all employees, no matter the size of the business. SMBs should conduct security awareness training on an annual basis and include specific instructions for how employees should handle sensitive information and credit card transactions.
In addition to segmenting the card data environment away from the rest of the network, it’s important to keep commercial-grade anti-virus protection resident and current on every machine. Follow your technology vendor’s recommendations for installing and using every patch and service pack released for your systems and applications.
Today, many businesses are outsourcing all or part of their IT infrastructure and credit card processing to service providers, such as shared hosting providers, payment gateways, managed IT services, etc. Unfortunately, few are requiring their third-party service providers to show proof of secure and compliant technologies and internal processes.
A service provider’s inability to properly protect your customer data could implicate your business should a breach occur. Protect yourself by asking for proof of compliance, as well as requesting any other audit reports such as the SAS 70, or its successor, the SSAE 16. These reports are often held by larger companies that store and/or process financial or other critical information on behalf of others.
Download the full white paper, "The 5 Data Security Best Practices for Small Merchants."