PCI council gives up, dumbs down PCI DSS for small business

The Payment Card Industry Security Standards Council has created a taskforce charged with improving security among small businesses.

The prodigious task will be tackled by encouraging small businesses to adopt security best practice and simplified Payment Card Industry Data Security Standards (PCI DSS).

Barclaycard payment security manager and taskforce chair Phil Jones says the Small Merchant Taskforce will focus on the most vulnerable business vertical.

"Though incidents of fraud are low, it's small merchants that are particularly vulnerable to attack from hackers," Jones says.

"They usually have very limited resources and technical expertise at their disposal, and often lack the necessary tools, information and education to recover and prevent them.

"Helping these businesses will be a key focus of the taskforce’s efforts."

The taskforce will simplify the PCI DSS process which requires businesses that accept credit card payments protect customer records.

Those requirements increase with the number of credit cards processed. The top end requires encryption, regular independent audits, and isolated networks.

Non-compliant businesses run the risk of having their ability to process credit cards revoked should a breach occur. This is not generally thought to be enforced due to widespread non-compliance.

Small businesses are ripe targets for carders because such organisations often lack the security chops to protect their networks. Remote desktop protocol services the businesses use to log in from home are often protected by lousy passwords that attackers can brute force to gain access.

Popping a large number of small businesses results in significant profits and does not require the highly skilled complexity needed to hack more secure large organisations. ®