Ask the security and compliance experts.
PCI Compliance Guide readers regularly ask us questions and we are happy to answer as many as we can. That’s because this site’s (and ControlScan’s) goal is to help make the process simpler and clear up any misinformation by providing actionable, expert advice.
The following question comes from a reader who has received little support in her efforts to comply with the PCI DSS and successfully validate that compliance. The question she asks is an important one, so I am sharing it as well as the answer I provided.
“I have a fairly new business. I just read your PCI Basics/Quick Guide and have some questions. I would be a B-IP type merchant. I have a sandwich shop and I use a card reader via internet. I work with [name of large financial institution] only. It’s a very simple operation and I do not have any computers at the shop.
I’m probably a “low level” merchant because my credit card sales for all 4 cards are only about $1000 per day on average – about 50 swipes/day. I’m trying to complete my PCI [compliance validation] and don’t know if I should purchase a hardware unit as a firewall. I asked [name of PCI compliance vendor], my internet provider, and the bank, and no one can give me an answer. What do you recommend? Please help!”
So, does her sandwich shop need a firewall?
I would absolutely, unequivocally recommend a firewall, and no one in the security business should hesitate for a second to give you that same answer. If you connect your payment terminal directly to the internet without protection, you dramatically increase your risk of being breached.
Your low volume does not lower your risk—it increases it. Bad guys don’t target you specifically, they release automated Bot armies that continuously scour the network looking for unprotected devices. Think of them as swarms of cockroaches. They then look for vulnerabilities in the way the device was configured—things like factory set passwords, weak encryption, non-updated firmware, etc. Once a weakness is found, then they exploit this by collecting credit card information and sending it back to the bad guys, who collect stolen card data for 6-9 months on average before then using those stolen card numbers. By the time the credit card companies spot the breach, you may have lost 10,000 credit card numbers. The average cost of a breach for a small business in the US is $36,000. Credit card data breaches continue to go up every year, and even though you hear about the big ones (Target, Home Depot, Michael’s, CVS/Walgreens, etc), the vast majority of breaches are small businesses like yours.
Additionally, SAQ B-IP requires that you have a firewall and that it is configured to limit traffic to just your credit card processor. If obtaining and configuring a firewall is beyond your means, then most payment terminals also have a dial up option, so you are using a phone line and not the internet. This is a little slower, but dramatically safer and reduces your PCI burden by allowing you to take an SAQ B, which does not require a firewall.
Think of accepting credit cards like your customer handing you the combination to their safe where they keep their money and asking you to just take what is needed for the transaction. When you let the bad guys see that combination, you open your customers up to a world of hurt, if their safe is broken into. Yes, the banks insure them, but the pain of trying to recover from that is large. Now multiply that by 10,000. Believe me, it is worth the trouble of obtaining and configuring a firewall, or going back to the much safer dial up.
Now, the company that sold you that payment terminal will likely tell you it is safe. And maybe it is today. But to use a different metaphor, when you live in Minnesota, you don’t put on just one layer before you go outside in the winter.
Check out our free white paper, “5 Critical IT Challenges You Can Solve Today”. ControlScan has firewall options that are both economical and easy to manage. Subscribe to this blog for additional tips and webinar announcements.