1. It’s there for a reason. As the Target and many other data breaches have shown, there’s a huge underground market for stolen credit and debit card numbers. Crooks will go to great lengths to get these numbers, and the resulting breaches can be very costly. Even more important, credit card processors worry that more security and data breaches will hurt consumer confidence in using their credit and debit cards, and that’s bad for everyone.
2. It’s got teeth and it’s not afraid to bite. PCI is like a guard dog that’s not afraid to turn on its master. It’s ultimately designed to protect you, and in the case of smaller firms, without much effort. But if you ignore PCI, it’s not afraid to bite. Failure to comply can mean penalties, fines, and even the inability to accept credit and debit cards.
3. If you accept credit or debit cards, you can’t avoid it. One of the most common misconceptions is that PCI is only for bigger firms, only applies to businesses that process a minimum number of credit card transactions monthly, or that smaller firms are exempt. None of the above are true. If you accept credit cards, even one transaction, then you have to be PCI compliant.
4. It’s like a free security plan. While any kind of regulation can seem like an unnecessary burden, PCI should be looked at more as free security. The world’s top credit card processors, who between them process the majority of credit card transactions in the world each day, created a free roadmap to help you protect against card breaches. And PCI is not just about protecting credit cards. It’s ultimately about protecting your business, your reputation, customer trust, and your future. Not a bad freebie when you think about it.
5. It’s not a security guarantee. The more credit card transactions you process each year, the more complicated PCI can get. The higher the number of transactions, the more rules you have to follow and the more it will cost you. Yet in spite of all the rules, being PCI compliant is no guarantee that you’ll be secure. PCI should be seen as a baseline and a minimum standard, meant to be combined with other layers of protection.
6. Expect it to get tougher. With so many breaches, and so much in-depth coverage of them, it’s become apparent that even major organizations with huge investments in security and compliance have still fallen victim to security breaches. That’s led to calls to make PCI even tougher. You can expect that to happen in the next few years.
7. Despite #6, it doesn’t have to be hard. For smaller firms, PCI is remarkably easy. Compliance is based around a self-assessment questionnaire. That’s right – you answer some questions and you conduct the assessment yourself. A major focus of compliance is making sure that if you accept payments through your website, your website is secure. Luckily that’s also easy. Firms like SiteLock can manage that process seamlessly and affordably.
Oh what a year it was for insecurity, and especially for the small business. It wasn’t as though we didn’t already know that small businesses were firmly in the crosshairs of hackers of all shades. But early in the year Verizon put the final stamp on it. In its annual Data Breach Investigations Report, published at the beginning of 2013, Verizon revealed that businesses with fewer than 100 employees made up the single largest group of victims of data breaches. That conclusion was supported by other security studies around the same time that found small businesses suffered the most cyber attacks.
Perhaps the single biggest and most dangerous change in threats came in the world of malware delivery. For years, hackers and malware authors had used the same ways to deliver and spread their malware. Email and spam were by far the most popular. It was easy to buy hundreds of millions of email addresses, pack them with phishing messages, and attach a nasty malware payload.
And even if most users didn’t fall for the scam, even a small percentage of hundreds of millions was enough to make the attacks very lucrative for criminals. But as more users got the message, and began to grow more reluctant to open email attachments they weren’t expecting, many thought the malware industry was on its last legs. After all, how else could you get the goods to market?
So hackers had to choose a new way to deliver and spread malware. And they found it in small business websites. Every month, thousands of poorly protected websites are hijacked by hackers who use vulnerabilities in these sites to install malware. That malware is then spread to visitors of those websites and used to attack other websites, and so the spread of malware continues.
And if you think that simply relying on antivirus software will get you through safely, there’s some more bad news. Some reports have suggested that today’s antivirus software can detect very few of the most dangerous types of malware – the stuff you really want to avoid. And the New York Times can testify to that. Early in 2013, Chinese hackers were easily able to breach the extensive defenses the Times had in place. Out of 45 different types of malware the Chinese used to attack the newspaper, the Times’ own security and virus protection detected only one.
But Chinese hackers weren’t just targeting big businesses like the New York Times. In September, the Huffington Post reported that Chinese hackers were actively targeting small businesses in the U.S., from pizza restaurants to medical clinics.
According to the Huffington Post, “The hackers find computer systems to take over by using tools that scan the web for Internet-connected PCs with software vulnerabilities they can exploit. Small businesses are popular targets because they often have lax security.”
And the year didn’t end too well either. When security researchers discovered more than 2 million stolen passwords on a hacker server in December, a piece of malware called a keylogger was suspected. That very same week, other security researchers found that out of 44 popular antivirus products tested, only one was able to detect a keylogger.
Which probably explains why an estimated $5 billion was siphoned from U.S. bank accounts in 2012 by cybercrooks using malware like keyloggers. And if any of those were business accounts, the business owners were probably on the hook for all the losses.
So safe to say (no pun intended) that 2013 was not a good year for business security, and especially for small business security. And we don’t predict much improvement over the next twelve months. It’s now clear that small businesses are the favorite target for the worst kinds of hackers. Whether it’s to steal your personal and customer information, break into your bank account, or use your website to host a variety of very dangerous malware, your small business may be getting all the wrong attention from all the wrong visitors.
So let’s make 2014 the year you take back your security and peace of mind. Security isn’t hard, no matter how sophisticated hackers and their tools have become. There are plenty of ways you can protect your business and your website, and make it just hard enough for hackers to decide that you’re just not worth the effort and that they should move on to small businesses that are doing little about security. It’s like locking your car and closing the windows while parked next to a convertible with the top down. The easy target gets attacked first, and you’re at least lower on the radar by showing your security awareness.
If you make just one security choice this year, make it your website. Securing your website is simple and affordable, and yet it’s the single best way to protect your business, your customers, and any visitors to your site. And you’ll also help slow the spread of malware to other users and sites, which is one in the eye for the bad guys.
And remember that as a SiteLock customer you get more than prevention. SiteLock will work with you to address any website security issues that crop up, including malware removal, if any is detected on your site. And as always, our security advice – the best in the business – is always free, and we are here around the clock whenever you need support.
If you’re a frequent reader of this blog, then you’ll know that our expertise and advice goes far beyond just protecting your website. All good security has to be holistic, which is why we offer no-nonsense advice on a variety of security topics that can impact your business, from security policies and planning, to employee education, malware prevention, data privacy and security, and much more.
Our goal for 2014 is to be the best security partner for online businesses. We hope that, even if SiteLock is not your chosen security provider, website security is on your list of goals for 2014 as well.
There is a copious amount of evidence to support the notion that concerns over security, privacy, and trust stifle ecommerce, and continue to keep large numbers of consumers from shopping online as much as they’d like to.
The impact is felt even more by small businesses who constantly struggle to persuade consumers that their websites are a safe place to shop and surf. The customer might not always be right, but at least on this call, they are. Most small business websites, just like most small businesses, are inherently insecure. Consumers sense this, and it has become a barrier to trust.
Website security seals are ultimately about improving two things – trust and sales. And without the first, the second won’t follow. Small businesses with little-known brands always have a tough time persuading new customers that they’re a safe place to do business: not only that orders will be honored and delivered as promised, but that the site itself is safe. That’s because unsafe sites can be a death-knell for customer trust and confidence, and perhaps even for the business.
Who is visiting my website: Good bots, bad bots, and humans (oh my!)
There are two basic categories of traffic that visit your website – humans and (ro)bots. An invaluable benefit of the TrueShield web application firewall is being able to differentiate, not only between these two basic groups, but also to separate the good bots from the bad. Bots get a bad rap, since most people associate them with cyber attacks. But if it weren’t for the search engines using bots to index your website, your site would never appear in a search and all your SEO efforts would be wasted. These are the good bots, and if your website application firewall is blocking them you could be hurting your online business instead of protecting it. SiteLock ensures that these bots are able to access your site and do their job for you. Knowing more about your visitors also enables you to spend smarter when it comes to marketing dollars, and to provide your advertisers with the most accurate numbers. When it comes to your website traffic (and, well, pretty much everything else in life), knowledge is power.
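One way to apply the three categories above to your own traffic, as an added example that is not SiteLock’s or TrueShield’s code: the script below parses constructed access-log lines, treats a visitor that claims to be a search-engine crawler as a good bot only when forward-confirmed reverse DNS agrees, flags a spoofed crawler as a bad bot, and leaves everything else as human or other automation. The log format, the DNS tables and all IP addresses are constructed placeholders, not real records.

```python
import re
from collections import Counter

# Constructed sample log lines in a simplified combined format (not real traffic):
# ip - - [timestamp] "request" status bytes "user-agent"
SAMPLE_LOG = """\
66.249.66.1 - - [10/Jan/2014:10:00:01 +0000] "GET /products HTTP/1.1" 200 5120 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [10/Jan/2014:10:00:02 +0000] "GET /products HTTP/1.1" 200 5120 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.5 - - [10/Jan/2014:10:00:03 +0000] "GET /contact HTTP/1.1" 200 1200 "python-requests/2.2.1"
192.0.2.10 - - [10/Jan/2014:10:00:04 +0000] "GET /about HTTP/1.1" 200 3400 "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0 Safari/537.36"
"""
# Constructed PTR/A records standing in for live DNS (assumption); a real
# deployment would use socket.gethostbyaddr and socket.gethostbyname instead.
PTR_RECORDS = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com"}
A_RECORDS = {"crawl-66-249-66-1.googlebot.com": "66.249.66.1"}

# Search-engine crawlers to let through: User-Agent token -> DNS suffixes
# that their crawler hostnames end in.
KNOWN_GOOD_BOTS = {"Googlebot": ("googlebot.com", "google.com"),
                   "bingbot": ("search.msn.com",)}
GENERIC_BOT_RE = re.compile(r"bot|crawl|spider|python-requests|curl|wget", re.I)
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<ua>[^"]*)"$')

def is_verified_bot(ip, suffixes):
    """Forward-confirmed reverse DNS: the PTR name must end in an allowed
    suffix AND resolve back to the same IP, so a copied User-Agent alone fails."""
    host = PTR_RECORDS.get(ip)
    if not host or not host.endswith(tuple("." + s for s in suffixes)):
        return False
    return A_RECORDS.get(host) == ip

def classify_line(line):
    """Return {ip, ua, category} for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ua = m.group("ip"), m.group("ua")
    category = "human"
    for token, suffixes in KNOWN_GOOD_BOTS.items():
        if token.lower() in ua.lower():  # claims a search-engine identity
            category = "good bot" if is_verified_bot(ip, suffixes) else "bad bot"
            break
    else:  # no search-engine claim: any other automation signature is a bot too
        if GENERIC_BOT_RE.search(ua):
            category = "other bot"
    return {"ip": ip, "ua": ua, "category": category}

def summarize(log):
    """Visitor counts per category; the basis for a WAF allow/deny decision."""
    return Counter(r["category"] for r in map(classify_line, log.splitlines()) if r)
```

Blocking on the User-Agent string alone would either let the spoofed second line through or, with a blanket "bot" rule, shut out the genuine crawler on the first line; the DNS confirmation is what separates the two.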
Ever heard the saying “if you fail to plan then you plan to fail”? This is just as true in security as it is in business, and the lack of a clear plan to protect your business from cyber risks usually results in no real protection at all.
An information or cyber security plan is a very simple and free tool that can have a profound impact on how well your business is protected from cyber threats. A security plan is a short document, often no longer than a few pages, that outlines:
This upcoming Saturday, November 24, 2012, is the second annual Small Business Saturday – a day created to celebrate the success of entrepreneurs across the nation and all that they do for the community. Originally conceived by American Express, the shopping holiday is sandwiched between Black Friday and Cyber Monday and encourages consumers to buy from small, local brick and mortar businesses.
Here at SiteLock, we aid small businesses each day by protecting their online presence and customers’ data. We encourage you to shop at the small businesses in your area this Saturday and support this nationwide effort. Here are some ways that you can participate: