Friday, Sept. 28, 2018 | 2 a.m.
View more of the Sun's opinion section
This week in Las Vegas, the PCI Security Standards Council is again hosting a community meeting that will bring together some of the world’s foremost experts on payment card cybersecurity. This event will be a gathering place for top cybersecurity experts to share ideas and information, highlight best practices and discuss potential security challenges posed by cybercriminals.
This gathering is especially important for Las Vegas, which plays host to more than 21,000 conventions a year that attract over 6 million attendees. According to the National Restaurant Association, Nevada’s restaurant industry includes more than 5,860 establishments that employ over 209,900 people and generates over $7.2 billion in sales. The industry accounts for 15 percent of jobs statewide, and its projected growth is above the national average.
This robust economic growth attracts cybercriminals. While we have seen news stories about high-profile breaches, local restaurants are also under attack. According to the recent Verizon Data Breach Investigations Report, 61 percent of breached organizations surveyed were small businesses.
Two years ago, the PCI Security Standards Council and the National Restaurant Association worked together along with other stakeholders to create the Small Merchant Taskforce that raises payment card security awareness for smaller businesses.
A 2017 MetLife and U.S. Chamber of Commerce Small Business Index survey found that nearly 60 percent of all small business owners are concerned about cybersecurity threats. Despite those concerns, the same survey found that 59 percent of business owners do not have a contingency plan for how to deal with a data breach. This challenge inspired the PCI Security Standards Council to expand its efforts to help and create resources to educate and empower small merchants.
Small merchants can dramatically improve their security by focusing on priority areas that often leave them vulnerable to attack. We recommend:
Seek out resources
Small merchants need to understand the challenges they face as well as the threats to their payment systems. The Security Standards Council has worked closely with merchants and merchant partners to develop resources to help address the most common causes of data breaches. Those resources can be found at pcisecuritystandards.org/merchants .
Eliminate common threats
According to the Verizon report on data breaches, the overwhelming majority of breaches against businesses are the result of three primary failures: passwords, patching and remote access. The Security Standards Council has developed easy-to-understand resources that address these very vulnerabilities:
• Passwords: According to the Verizon report, 4 out of 5 hacking-related data breaches leveraged stolen and/or weak passwords. It is critical for merchants to change default passwords to strong passwords (difficult to guess) and update them regularly.
• Patching: Software vendors issue patches to fix known vulnerabilities. Merchants must install these patches to prevent criminals from hacking into their system. Identify which third-party vendors send patches and install them as soon as possible. Waiting dramatically increases your risk.
• Remote access: Point-of-sale vendors often use remote access to support merchant payment systems without visiting the business location. But remote access can allow anyone with the proper credential to access your system. Know who has access to your systems and limit the use of remote access. Be sure all third parties have strong, secure credentials.
Education and training
The Security Standards Council has heard the growing concerns from the cybersecurity marketplace about the shortage of cybersecurity professionals in payments. It trains people all over world. In the broader world of cybersecurity, the shortage numbers are even higher. In fact, according to the Desert Research Institute in Reno, there are an estimated 1,633 cybersecurity job openings in Nevada. Getting educated on cybersecurity and staying up to date on the latest threats and trends is the best way to reduce risk and better protect your data.
Cyber threats are not going away, but organizations can fight back by prioritizing data protection and establishing smart practices backed up by vigilance. That is what the community meeting in Las Vegas is all about.
Lance Johnson is executive director of PCI Security Standards Council, and Terry Erdle is chief operating officer for the National Restaurant Association.
