PCI - can cloud help SMBs' card security problems?

Advice Lesley Meall Dec 12, 2012

There's a lot of reluctance by SMBs to adopt PCI, can moving to cloud help? Not necessarily says Lesley Meall

Being able to sell goods and services and take payments online has been a boon to many small and medium-sized businesses and is at the core of the business model of many start-ups.

In the UK alone, 32 million people bought over the internet in 2011, according to the Office for National Statistics (a 4 percent increase on 2010) and the number of online purchases is not expected to fall any time soon. But this increase in ecommerce is not always matched by an appropriate increase in information security.

Tales of hacking, loss of personal information and myriad other data debacles are rarely out of the headlines, and when Barclaycard, Visa and VigiTrust recently got together to survey SMB merchants on their knowledge of the Payment Card Industry Data Security Standards (PCI DSS) the results did not give much cause for optimism.

Money-making scheme?
Matt Martin, senior payment security risk manager at Barclaycard says: “According to the survey, some people struggle to understand what is being asked of them, and some see PCI DSS as a money-making scheme.”

It’s a struggle for many of them. Merchants that do not comply with this data security standard can be held responsible for any losses incurred through fraud and face fines from the acquiring bank or financial institution that they use to processes the payments they take for goods or services.

According to the survey, cost is third on the list of reasons why small merchants struggle with PCI DSS compliance. ‘Time and lack of understanding of the PCI DSS standard came top of the list,’ says Mathieu Gorge, founder and CEO of the security awareness and assessment specialist VigiTrust.

Complexity is an issue. ‘Messages on security need to be conveyed in a way that small merchants can understand. The messages need to be in plain English,’ he suggests.

Chip-and-pin has reduced card fraud but not eliminated it, and criminals are increasingly focusing their efforts on smaller merchants

Small merchants are also increasingly likely to be targeted by criminals. ‘Chip-and-pin has reduced card fraud but not eliminated it, and criminals are increasingly focusing their efforts on smaller merchants,’ says King, with criminals taking a ‘trawl net approach’ across large numbers of smaller merchants because those at the top end have better security – and because cardholder data – the name and the big number – is transmitted in plain text from terminals. ‘It is not encrypted,’ says King. ‘That’s why card not present fraud remains stubbornly high.’

When PCI DSS is correctly implemented it can vastly reduce data security risks. ‘We know from our annual survey that 97 percent of the merchants whose security is breached are organisations that are not PCI compliant, and that these breaches could have been avoided by very simple means such as changing a default password or enabling a firewall,’ says King.

What does it mean, however, when a small business wishes to start using cloud services – who is then responsible for PCI DSS compliance?

The answer to this is not clear. When Ponemon Institute recently examined perceptions and practices surrounding threats and protection issues relating to sensitive or confidential data in the cloud, it found confusion about whether the responsibility for protecting this data rests with the cloud service provider (CSP) or the consumer. 

“Nearly two thirds of those that move sensitive data to the cloud regard their service providers as being primarily responsible for protecting that data, even though a similar number have little or no knowledge about what measures their providers have put in place to protect data,” says Larry Ponemon, chairman and founder.