1. PCI Payment Protection
Resources for Small Merchants
Carlos Caetano
Associate Regional Director – Brazil at
PCI Security Standards Council

2. Agenda
Background
Resources
Call to Action
What’s Next
Intro

3. Intro

4. What is the PCI Security Standards Council?
Collaboration
Education
Simplified solutions for merchants

5. What does PCI Council Produce?
Standards, Best Practices & Services
Training – Assessors, Acquirers, Integrators
Validation & Qualification – Equipment, Service Providers, Assessors, Investigators
Payment Equipment Payment Software Merchant & Payment Service
Provider Environments

6. What’s this all about?

7. Why?
Small businesses around the world are increasing targets for payment data theft
77% believe that their company is safe from cyber attacks
80% of websites attacked everyday belong to small merchants
Nearly half of global cyberattacks in 2015 were against small businesses
48% of small businesses have been hit by at least one cyber-attack in the
past 12 months
20% see cyber security as a top business priority
10% have never invested in improving the security of their website
54% of SMEs who say they’re concerned their business could be at risk
from an attack

8. Current Threats
SQL Injection
Weak Passwords
Spear Phishing
Malware / Ransomware
Remote Attack Vector
Poor Patching
“No locale, industry or
organization is bulletproof
when it comes to the
compromise of data”
Verizon 2016 DBIR

9. Birth and Rebirth of a Data Breach
Target phishing
campaign against
vendor
Person clicks on email and
malware installation occurs
Keylogger deployed and
client’s environment static
auth credentials stolen
for final target access
Malware installed
directly in final
victm’s POS system
Malware functionalities of scraping
RAM and exporting data, establishment
of control and persistence
Source: Verizon 2016 Data Breach Investigations Report

10. Small Merchant
Task Force

11. PCI Small Merchant Task Force
Objective
Collaborate with the PCI community to address the needs of the small
merchant market segment by providing guidance that:
• Is simple, easy to understand and relevant to the unique needs of small
merchants
• Helps small merchants understand their responsibility for protecting payment
card data and to identify and mitigate areas of risk in their environment
• Provides small merchants with the information needed when assessing their own
environment, working with a QSA, and/or considering a new payment channel,
vendor or service provider

12. Global Participation: Merchants & Merchant Partners
“If the larger merchants
and financial institutions
themselves cannot be
protected from data
breaches, you can imagine
how difficult protection is
for independent small
business owners.”
“An issue that many small
businesses have is that they
do not have the in-house
resources to be experts in
all aspects of running a
business. Small businesses
rely on external expertise to
simplify the complicated.”

13. Meet Mary, Ms. Small Business
• “How do I sell
more wine?”
• “How do I
differentiate
my customers’
experience in
a saturated
market?”
• “How do I find
and keep good
employees?”
• Her bank.
• The 1-800
number on
the sticker
that’s on her
payment
system.
• To understand
why/how she’s
at risk.
• The right
questions to
ask her bank
and her
payment
system vendor
for help.
• Simple steps
she can take.
On her mind Her needsHer dilemma Who she calls
Mary, wine bar owner
• She wants to
do the right
thing for her
customers
and her
business
• BUT, she
doesn’t have
time to
understand
“SSL Rootkits”

14. Content Development Approach
Audience
Simple, not exhaustive
Accessible
Measurable

15. Simplifying Security

16. Simplifying Security
Payment Protection Resources for Small Merchants

17. Simplifying Security
Guide to Safe Payments

18. Simplifying Security
Guide to Safe Payments – Understanding Your Risk

19. Simplifying Security
Guide to Safe Payments – Understanding Your Risk

20. Simplifying Security
Guide to Safe Payments – Protecting Your Business with Security Basics
Cost
Ease
Risk Mitigation

21. Simplifying Security
Guide to Safe Payments – Protecting Your Business with Security Basics

22. Simplifying Security
Guide to Safe Payments – Where to Get Help
Payment Brand List
• List of Compliant Service Providers
PCI DSS and Related Guidance
• More about PCI DSS
• PCI DSS Self-Assessment
Questionnaires
• Guide: Skimming Prevention: Overview
of Best Practices for Merchants
• List of Validated Payment Applications
• List of Approved PTS Devices
• List of Approved Scanning Vendors
• List of Qualified Integrators/Resellers
• List of P2PE Validated Solutions
PCI Council Listings

23. Simplifying Security
Common Payment Systems

24. Simplifying Security
Common Payment Systems

25. Simplifying Security
Common Payment Systems - Example
YES
This IS my setup.
Show me the details.
NO
This IS NOT my setup.
Show me the next step.
BACK
to previous diagram.
Mag Stripe
RISK PROFILE
Chip
TYPE 2 PROTECTIONS
LOWER LOWER

26. Simplifying Security
Common Payment Systems - Example

27. Simplifying Security
E-commerce example
YES
This IS my setup.
Show me the details.
NO
This IS NOT my setup.
Show me the next step.
BACK
to previous diagram.
RISK PROFILE
TYPE 10 PROTECTIONS
LOWER

28. Simplifying Security
E-commerce example

29. Simplifying Security
Questions to Ask Your Vendors

30. Simplifying Security
Glossary of Payment Information Security Terms

31. How Can You Help?

32. Restaurateurs are not technology experts. They are
skilled in culinary arts, general business management
and hospitality. Like many small businesses, they are
reliant on the expertise of others in the cybersecurity
space. In order for small restaurants to thrive in the
digital age, they will need significant help from the
broader technology and security community.
David Matthews, National Restaurant Association,
PCI Small Merchant Taskforce Co-Chair
“ “

33. Call to Action
Visit PCI SSC website
Download
Share
Co-brand
https://www.pcisecuritystandards.org/pci_security/small_merchant
How You Can Help

34. Regional Participant Organizations

35. Participating Organization Benefits
• Advance review of standards and supporting
materials before release, with the opportunity to
provide feedback
• Complimentary attendance at
annual Community Meetings hosted by the
Council
• Substantial training discounts; courses are
offered in instructor-led and eLearning formats
• Nominate and vote for representatives to stand
for election to the Council’s Board of Advisors
• Drive the Special Interest Groups (SIGs) that
provide the Council with understanding and
guidance on particular topics or technologies
769
PCI Council
Participating
Organizations
Join us: www.pcisecuritystandards.org/get_involved/participating_organizations

36. Attend South America Forum and Save
We Need
You!
All attendees of the South
America Forum will receive a
$1,500 savings on a PCI
Participation Organization
membership.
Discount Code will be
provided at event.
Check PCI website for more info on the August 2017 event

37. Get Trained and Ready to Support the Industry
Become a PCI Professional – you’ll be in good company
• Over 2,500 of your colleagues have become
PCIPs - why not join them and show off your PCI
knowledge?
• Get the three-year credential that’s not tied to
your employer.
• When you do, you can show off your professional
status since you’ll be listed on the PCI
website!
https://www.pcisecuritystandards.org/program_training_and_qualification/pci_professional_qualification

38. What’s Next?

39. Based on
feedback,
enhance current
small merchant
materials as
needed
Evaluate and
propose simple-
to-use alternate
validation tools
and/or SAQs
Formalize
communications
strategy and
determine
effectiveness of
dissemination
methods
2016 / 2017 Focus

40. Resources
Check Our
Document Library
for New Resources
www.pcisecuritystandards.org

41. Thank You