To complete this assignment, you will need the attached files and the Small Merchant Guide to Safe Payments documentation (click the link to download) from the PCI Security Standards Council, the organization that maintains the Payment Card Industry Data Security Standard (PCI DSS).
Please read the instructions carefully and ask questions if anything is unclear. You must use the attached template to complete this assignment. The PowerPoint presentation (PDF) Effective Professional Memo Writing provides other essential information to help guide your work on this assignment.
MEMORANDUM
To: | Chief Executive, Anne Arundel County |
From: | Your Name |
Re: | Enter Subject |
Date: | Enter Date |
Risk Assessment Summary
This is only placeholder text; be sure to read the Assignment Instructions for specific details about what should be included in this section and the sections that follow.
To get started right away, just select any placeholder text (such as this) and start typing to replace it with your own.
Be sure to remove any placeholder text before submitting your assignment. Do not change the font size, font type or page margins. Text should be single spaced, with one ‘hard return’ at the end of each paragraph, which adds a blank line between paragraphs. There should also be one hard return after each subtitle.
Background
To get started right away, just select any placeholder text (such as this) and start typing to replace it with your own. Text should be single spaced, with one ‘hard return’ at the end of each paragraph which will add a blank line between paragraphs. There should also be one hard return after the subtitles.
Concerns, Standards, Best Practices
To get started right away, just select any placeholder text (such as this) and start typing to replace it with your own.
Example of a second paragraph: Text should be single spaced, with one ‘hard return’ at the end of each paragraph which will add a blank line between paragraphs. There should also be one hard return after the subtitles.
Action Steps
To get started right away, just select any placeholder text (such as this) and start typing to replace it with your own. Text should be single spaced, with one ‘hard return’ at the end of each paragraph which will add a blank line between paragraphs. There should also be one hard return after the subtitles.
Effective Professional Writing: The Memo
Adapted from a presentation by Xavier de Souza Briggs, Department of Urban Studies and Planning, MIT
IFSM 201
Licensing Information
This work, “Effective Professional Writing: The Memo”, a derivative of Effective Professional Writing: The Memo by the Massachusetts Institute of Technology (https://ocw.mit.edu/courses/urban-studies-and-planning/11-201-gateway-planning-action-fall-2007/communication/memo), is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (https://creativecommons.org/licenses/by-nc-sa/4.0/).
“Effective Professional Writing: The Memo” by UMGC is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
“To do our work, we all have to read a mass of papers. Nearly all of them are far too long. This wastes time, while energy has to be spent in looking for the essential points. I ask my colleagues and their staffs to see to it that their Reports are shorter.”
– Winston Churchill, August 9, 1940
– Source (a one page read): Churchill’s “Brevity” memo, https://i.insider.com/592828b05a1d1b02b94fb302?width=700&format=jpeg&auto=webp
Writing Memos
The context of professional writing
Why write memos?
How to write them?
How to make them better?
The Context
The workplace or field:
◦ Time is precious.
◦ Information has substantive as well as political implications.
The decision-maker as reader:
◦ Busy and distracted (attention “spread thin”), not necessarily patient while you get to the point.
◦ Info needs are varied, unpredictable, fluid.
◦ Decision-maker sometimes offers vague instructions.
Academic vs. professional writing
Differences (when writing concisely)
◦ The academic reader often demands nuance and relevance to established lines of thinking, while the professional reader wants the “so what’s” for their decision making emphasized (relevance to their actions).
◦ An academic assignment assumes a small and benevolent audience, but professional documents can be “leaked” and end up in the hands of unintended readers.
Similarities
◦ Strong essays and strong memos both start with your main ideas, but essays usually build toward conclusion and synthesis. The memo’s conclusions are usually right up top.
◦ In both, persuasive argument = clear viewpoint + evidence
◦ In both, addressing counter-arguments tends to strengthen your case.
Top mistakes in memos
Content:
◦ off point or off task (major substantive omissions, given the request);
◦ impolitic (risks political costs if leaked);
◦ inappropriate assumptions as to background knowledge;
◦ no evidence.
Organization:
◦ important info “buried”;
◦ no summary up top, format confusing, not “skim-able”;
◦ sentences long and dense;
◦ headings an after-thought.
Style:
◦ language too academic, too “preachy,” or too casual;
◦ sentences long and/or dense.
Why write memos?
Professional communication
◦ Efficient
◦ Persuasive
◦ Focused
Two types of memos:
◦ Informational (provide analytic background)
◦ Decision or “action” (analyze issues and also recommend actions)
Consider Your Message in Context
(Diagram: Purpose, Audience, Message)
Use a Clear Structure
Summary:
◦ Summarize the entire memo
◦ Highlight major points to consider
Background:
◦ State the context
Body:
◦ Prove it, analyze it, address counter arguments (if any)
Conclusion:
◦ Outline Next Steps or Next Questions
Action Memos: Recommend Decisions
Summary:
◦ Summarize the entire memo, clearly, but more importantly, concisely
◦ State the broad recommendation(s)
◦ If the decision-maker reads only this section or paragraph, will they know what the situation is and what the recommendation(s) are (without necessarily knowing the specific action steps)?
Background:
◦ Provide the context
Body:
◦ Prove it/Analyze it, perhaps with pros/cons by option (if there are multiple options)
Conclusion:
◦ Outline next steps, don’t merely restate recommendation(s)
Tip: Construct a Clear, Concise, Coherent Argument
In your opening summary you may use more than one sentence to describe overall goals or recommendations; however, as an exercise it typically helps to try to state your argument in one sentence. Expand on that sentence as needed as you construct your opening summary.
Examples:
◦ In order to recreate the organization’s image and reorganize our internal structure in the next 6 months, we should focus on X, Y and Z.
◦ While the company is in compliance with State of California privacy laws with respect to X, Y and Z, there are two areas that still need to be addressed to reach our goal of 100% compliance: A and B.
Professional Memo 1
IFSM 201 Professional Memo
Before you begin this assignment, be sure you have read the Small Merchant Guide to Safe Payments documentation from the Payment Card Industry Data Security Standards (PCI DSS) organization. PCI Data Security Standards are established to protect payment account data throughout the payment lifecycle, and to protect individuals and entities from the criminals who attempt to steal sensitive data. The PCI Data Security Standard (PCI DSS) applies to all entities that store, process, and/or transmit cardholder data, including merchants, service providers, and financial institutions.
Purpose of this Assignment
You work as an Information Technology Consultant for the Greater Washington Risk Associates
(GWRA) and have been asked to write a professional memo to one of your clients as a follow-up
to their recent risk assessment (RA). GWRA specializes in enterprise risk management for state
agencies and municipalities. The county of Anne Arundel, Maryland (the client) hired GWRA to
conduct a risk assessment of Odenton, Maryland (a community within the Anne Arundel
County), with a focus on business operations within the municipality.
This assignment specifically addresses the following course outcome to enable you to:
• Identify ethical, security, and privacy considerations in conducting data and information
analysis and selecting and using information technology.
Assignment
Your supervisor has asked that the memo focus on Odenton’s information systems, and specifically on securing the processes for payments of services. Currently, the Odenton Township offices accept cash or credit card payment for the services of sanitation (sewer and refuse), water, and property taxes. Residents can pay either in person at township offices or over the phone with a major credit card (American Express, Discover, MasterCard and Visa). Over-the-phone payment involves speaking to an employee and reading out the credit card information. Once payment is received, the Accounting Department is responsible for manually entering it into the township database system and making daily deposits to the bank.
The purpose of the professional memo is to identify a minimum of three current controls (e.g., tools, practices, policies) in Odenton Township (either a control specific to Odenton Township or a control provided by Anne Arundel County) that can be considered best practices in safe payment/data protection. Furthermore, beyond what measures are currently in place, you should highlight the need to focus on insider threats and provide a minimum of three additional recommendations. Below are the findings from the Risk Assessment:
• The IT department for Anne Arundel County requires strong passwords for users to
access and use information systems.
https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Guide_to_Safe_Payments
• The IT department for Anne Arundel County is meticulous about keeping payment terminal software, operating systems and other software (including anti-virus software) updated.
• Assessment of protection from remote access and breaches to the Anne Arundel network: Odenton Township accesses the database system for the County when updating residents’ accounts for services. It is not clear whether a secure remote connection (VPN) is standard policy.
• Assessment of physical security at the Odenton Township hall: the only current form of physical security is locks on the two outer doors; however, the facility is unlocked Monday-Friday, 8am-5pm (EST), excluding federal holidays.
• Employee awareness training on data security and secure practices for handling sensitive data (e.g., credit card information) is not in place.
• The overarching conclusion of the risk assessment was that Odenton Township is not fully compliant with the PCI Data Security Standards (v3.2).
Note: The Chief Executive for Anne Arundel County has asked that specific attention be paid to insider threats, citing a recent article about an administrator from San Francisco (see Resources). Anne Arundel County wants to understand insider threats and ways to mitigate them so that it protects its residents’ personal data as well as the County’s sensitive information. These are threats to information systems, including malware and insider threats (negligent or inadvertent users, criminal or malicious insiders, and user credential theft).
Expectations and Format
Using the resources listed below, you are to write a 2-page Professional Informational Memo to the Chief Executive for Anne Arundel County that addresses the following:
• Risk Assessment Summary: Provide an overview of your concerns from the risk assessment report. Include the broad ‘goal’ of the memo and, as a result of the risk assessment, the broad recommendations. Specific Action Steps will come later. The summary should be no more than one paragraph.
• Background: Provide a background for your concerns. Briefly highlight why the concerns are critical to the County of Anne Arundel and Odenton Township. Clearly state the importance of data security and insider threats when dealing with personal credit cards. Be sure to establish the magnitude of the problem of insider threats.
• Concerns, Standards, Best Practices: The body of the memo needs to justify your concerns and clarify standards, based on the resources listed below, at minimum. The PCI DSS standards are well respected and used globally to protect entities’ and individuals’ sensitive data. The body of the memo should also highlight three current controls that are considered best practice; that is, you should highlight the positive, what is currently in place, based on the risk assessment.
• Action Steps: Provide a conclusion establishing why it is important for Anne Arundel County to take steps to protect residents and county infrastructure from insider threats based on your concerns. Recommend a minimum of three (3) practical action steps, including new security controls, best practices and/or user policies that will mitigate the concerns in this memo. Be sure to include cost considerations so that the County is getting the biggest bang for the buck. The expectations are not for you to research and quote actual costs, but to generalize potential costs. For instance, under the category of physical security, door locks are typically less expensive than CCTV cameras.
• Be sure to review the PowerPoint presentation (in PDF format) Effective Professional Memo Writing that accompanies these instructions.
• Use the Professional Memo template that accompanies these instructions.
• Use the Professional Memo template that accompanies these instructions.
o Use four section subtitles, in bold:
▪ Risk Assessment Summary
▪ Background
▪ Concerns, Standards, Best Practices
▪ Action Steps
o Do not change the font size or type or page margins.
o Do not include any graphics, images or ‘snips’ of any content from copyrighted sources. The PCI Standards (PCI DSS) document is copyrighted material.
o Paragraph text should be single spaced with ONE ‘hard return’ (Enter) after each paragraph and after each section subtitle. Note: Do not create a new ‘paragraph’ after each sentence. A single sentence is not a paragraph.
o ‘Subject’ is the subject of your memo, not the course name or number.
o Be sure to remove any remaining ‘placeholder’ text in the template file before submitting.
o The length of the template when you download it is NOT the intended length of the entire memo. Your completed memo should be between 1.5 pages and 2 pages (total document, including the To:/From:/Re:/Subject header).
*Note: the Professional Memo is to be in an MS Word file and all work is to be in the student’s own words (no direct quotes from external sources or the instructions).*
APA documentation requirements:
• As this is a professional memo, as long as you use resources provided with or linked from these instructions, APA documentation is NOT required.
• Citing material or resources beyond what is provided here is NOT required.
• However, you should use basic attribution and mention the source of any data, ideas or policies that you mention, which will help establish the credibility and authority of the memo.
o For example, mentioning that the Payment Card Industry Data Security Standards (PCI DSS) identify a certain control as best practice holds more weight than simply stating the control is a best practice without basic attribution.
o Mentioning that Wired Magazine reported that a City of San Francisco IT technician effectively hijacked and locked 60% of the city’s network capacity is more effective than saying “I read somewhere that…”
Resources
1. Examples of Security Breaches Due to Insider Threats
San Francisco Admin Charged With Hijacking City’s Network: https://www.wired.com/2008/07/sf-city-charged/
Microsoft database leaked because of employee negligence: https://www.forbes.com/sites/daveywinder/2020/01/22/microsoft-security-shocker-as-250-million-customer-records-exposed-online/?sh=2465e60e4d1b
General Electric employees stole trade secrets to gain a business advantage: https://www.fbi.gov/news/stories/two-guilty-in-theft-of-trade-secrets-from-ge-072920
Former Cisco employee purposely damaged cloud infrastructure: https://www.bankinfosecurity.com/ex-cisco-engineer-pleads-guilty-in-insider-threat-case-a-14917
Twitter users scammed because of phished employees: https://en.wikipedia.org/wiki/2020_Twitter_bitcoin_scam
2. PCI DSS Goals:
(source: https://www.pcisecuritystandards.org/merchants/process)
3. References
FBI. (2021). The Insider Threat: An Introduction to Detecting and Deterring an Insider Spy. https://www.fbi.gov/file-repository/insider_threat_brochure/view
PCI DSS. (2021, Feb. 12). Payment Card Industry Security Standards.
Wang, J., Gupta, M., & Rao, H. R. (2015). Insider threats in a financial institution: Analysis of attack-proneness of information systems applications. MIS Quarterly, 39(1), 91-A7. https://search-ebscohost-com.ezproxy.umgc.edu/login.aspx?direct=true&db=bth&AN=100717560&site=ehost-live&scope=site
Professor Messer. (2014). Authorization and access control [Video file]. YouTube.
U.S. DHS. (2021). Insider Threat. https://www.dhs.gov/science-and-technology/cybersecurity-insider-threat
Wizuda. (2017). Data anonymisation simplified [Video file]. YouTube.
Yuan, S., & Wu, X. (2021). Deep learning for insider threat detection: Review, challenges and opportunities. Computers & Security. https://doi-org.ezproxy.umgc.edu/10.1016/j.cose.2021.102221
Keywords: risk assessment, insider threats, data security
Submitting Your Assignment
Submit your document via your Assignment Folder as a Microsoft Word document, or a document that can be read using MS Word, with your last name included in the filename. Use the Grading Rubric below to be sure you have covered all aspects of the assignment.
GRADING RUBRIC:
Criteria | Far Above Standards | Above Standards | Meets Standards | Below Standards | Well Below Standards | Possible Points
Summary of Risk Assessment | 15 Points: Summary is highly effective, thorough and professional. | 12.75 Points: Summary is effective, thorough and professional. | 10.5 Points: Summary is somewhat effective, thorough and professional. | 9 Points: Summary is lacking. | 0-8 Points: Stated requirements for this section are severely lacking or absent. | 15
Background and Importance (to the Client) of Data Security and Insider Threats | 10 Points: Discussion of background, data security and insider threats is highly effective, thorough, and professional. | 8.5 Points: Discussion of background, data security and insider threats is effective, thorough, and professional. | 7 Points: Discussion of background, data security and insider threats is somewhat effective, thorough, and professional. | 6 Points: Discussion of background, data security and insider threats is lacking. | 0-5 Points: Stated requirements for this section are severely lacking or absent. | 10
Concerns, Standards, Best Practices: Justify Concerns and Clarify Standards | 15 Points: Discussion of concerns and standards is highly effective, thorough, and professional. | 12.75 Points: Discussion of concerns and standards is effective, thorough, and professional. | 10.5 Points: Discussion of concerns and standards is somewhat effective, thorough, and professional. | 9 Points: Discussion of concerns or standards is lacking. | 0-8 Points: Stated requirements for this section are severely lacking or absent. | 15
Concerns, Standards, Best Practices: Three current practices identified and justified as best practice | 15 Points: Three highly relevant current practices are offered and justified as best practices. Overall presentation is clear, concise, and professional. | 12.75 Points: Section may be lacking in number of recommendations or relevancy or justification or overall presentation. | 10.5 Points: Section is lacking in number of recommendations or relevancy or justification or overall presentation. | 9 Points: Section is lacking in two or more of the following: number of recommendations or relevancy or justification or overall presentation. | 0-8 Points: Stated requirements for this section are severely lacking or absent. | 15
Action Steps: Three recommendations minimum identified and justified, including some discussion of cost considerations | 20 Points: Three highly relevant recommendations are offered and justified, with effective discussion of cost considerations. Overall presentation is clear, concise, and professional. | 17 Points: Section may be lacking in number of recommendations or relevancy or justification or a discussion of cost considerations or overall presentation. | 14 Points: Section is lacking in number of recommendations or relevancy or justification or a discussion of cost considerations or overall presentation. | 12 Points: Section is lacking in two or more of the following: number of recommendations or relevancy or justification or a discussion of cost considerations or overall presentation. | 0-11 Points: Stated requirements for this section are severely lacking or absent. | 20
Basic Attribution (overall) | 10 Points: Overall use of basic attribution is highly effective in establishing credibility and authority. | 8.5 Points: Overall use of basic attribution is effective in establishing credibility and authority. | 7 Points: Overall use of basic attribution is partially effective in establishing credibility and authority. | 6 Points: Overall use of basic attribution is partially effective in establishing credibility and authority. Additional basic attribution may have been needed. | 0-5 Points: Overall use of basic attribution was minimally effective or not used. | 10
Overall Format: APA documentation needed only if sources external to the assignment are introduced | 15 Points: Submission reflects effective organization and sophisticated writing; follows instructions provided; uses correct structure, grammar, and spelling; presented in a professional format; any references used are appropriately incorporated and cited using APA style. | 12.75 Points: Submission reflects effective organization and clear writing; follows instructions provided; uses correct structure, grammar, and spelling; presented in a professional format; any references used are appropriately incorporated and cited using APA style. | 10.5 Points: Submission is adequate, is somewhat organized, follows instructions provided; contains minimal grammar and/or spelling errors; and follows APA style for any references and citations. | 9 Points: Submission is not well organized, and/or does not follow instructions provided; and/or contains grammar and/or spelling errors; and/or does not follow APA style for any references and citations. May demonstrate an inadequate level of writing. | 0-8 Points: Document is poorly written and does not convey the necessary information. | 15
TOTAL Points Possible | 100
Payment Card Industry Security Standards Council
DATA SECURITY ESSENTIALS FOR SMALL MERCHANTS
A PRODUCT OF THE PAYMENT CARD INDUSTRY SMALL MERCHANT TASK FORCE
Guide to Safe Payments
Version 3.0 • April 2024
Data Security Essentials for Small Merchants: Guide to Safe Payments
Copyright 2024 PCI Security Standards Council, LLC. All Rights Reserved.
This Guide to Safe Payments is provided by the PCI Security Standards Council (PCI SSC) to inform and educate
merchants and other entities involved in payment card processing. For more information about the PCI SSC and
the standards we manage, please visit www.pcisecuritystandards.org.
The intent of this document is to provide supplemental information, which does not replace or supersede PCI
Standards or their supporting documents.
Understanding your risk
As a small business, you are a prime target for data thieves. When your payment card data is breached, the fallout can strike quickly. Your customers lose trust in your ability to protect their personal information. They take their business elsewhere. There are potential financial penalties and damages from lawsuits, and your business may lose the ability to accept payment cards. A survey of 1,015 small and medium businesses found 60% of those breached close in six months. (NCSA)
(Infographic: 61% of breaches hit smaller businesses last year, up from the previous year’s 53% (Verizon 2017). £30 billion cost to UK business due to cyber security breaches in 2016 (Beaming UK). 50% of small businesses have been breached in the past 12 months (Ponemon Institute). Only 39% of small firms have formal policies covering cyber security risks in 2017 (Dept for Culture Media and Sport).)
What’s at risk?
YOUR CUSTOMERS’ CARD DATA IS A GOLD MINE FOR CRIMINALS. DON’T LET THIS HAPPEN TO YOU! Follow the actions in this guide to protect against data theft.
Examples of payment card data are the primary account number (PAN) and the three- or four-digit card security code. The red arrows below point to types of data that require protection.
(Figure: Types of data on a payment card: chip, PAN, cardholder name, expiration date, magnetic stripe (data on tracks 1 and 2), card security code (American Express), card security code (all other payment brands).)
WHAT IS PCI DSS? The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that can help small merchants to protect customer card data located on payment cards. Small merchants may be familiar with validating their PCI DSS compliance via a Self-Assessment Questionnaire (SAQ). For more information on PCI DSS, see the Resources at the end of this guide.
Understanding your payment system: Common payment terms
Accepting face-to-face card payments from your customers requires special equipment. Depending on where in the world you are located, equipment used to take payments is called by different names. Here are the types we reference in this document and what they are commonly called.
A PAYMENT SYSTEM includes the entire process for accepting card payments. Also called the cardholder data environment (CDE), your payment system may include a payment terminal, an electronic cash register, other devices or systems connected to a payment terminal (for example, Wi-Fi for connectivity or a PC used for inventory), and the connections out to a merchant bank. It is important to use only secure payment terminals and solutions to support your payment system. See page 22 for more information.
A PAYMENT TERMINAL is the device used to take customer card payments via swipe, dip, insert, tap, or manual entry of the card number. Point-of-sale (or POS) terminal, credit card machine, PDQ terminal, or EMV/chip-enabled terminal are also names used to describe these devices.
ENCRYPTION (or cryptography) makes card data unreadable to anyone without special information (called a key). Cryptography can be used on stored data and on data transmitted over a network. Payment terminals that are part of a PCI-listed P2PE solution give merchants the best assurance about the quality of the encryption. With a PCI-listed P2PE solution, card data is always entered directly into a PCI-approved payment terminal with “secure reading and exchange of data (SRED)” enabled, so the data is encrypted inside the terminal before it reaches any other system. This approach minimizes risk to clear-text card data and protects merchants against payment-terminal exploits such as “memory scraping” malware. Any encryption that is not done within a PCI-listed P2PE solution should be discussed with your vendor.
A MERCHANT BANK is a bank or financial institution that processes credit and/or debit card payments on behalf of merchants. Acquirer, acquiring bank, and card or payment processor are also terms for this entity.
An INTEGRATED PAYMENT TERMINAL is a payment terminal and electronic cash register in one, meaning it takes payments, registers and calculates transactions, and prints receipts.
An ELECTRONIC CASH REGISTER (or till) registers and calculates transactions, and may print out receipts, but it does not accept customer card payments.
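The ENCRYPTION entry above says card data should be unreadable to anyone without the key, whether it is stored or sent over a network. The following is an added example, written for this page and not code from the PCI SSC or the guide, showing what that means for card data at rest, such as a PAN that township accounting staff would otherwise key into a database in the clear. It assumes AES-256-GCM (an authenticated cipher, so a wrong key or a modified record fails outright instead of yielding garbage), a key generated locally for the demonstration rather than from a key-management system, a constructed test PAN, and hypothetical helper names (EncryptPAN, DecryptPAN, MaskPAN, ExposesPAN).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// NewKey returns a fresh 256-bit AES key. In a real deployment the key would
// come from an HSM or key-management service; generating it here is an
// assumption that keeps the example self-contained.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptPAN renders a PAN unreadable with AES-256-GCM. The returned blob is
// nonce || ciphertext || authentication tag, which is what would be written to
// the database column instead of the clear-text PAN.
func EncryptPAN(key []byte, pan string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // GCM needs a unique nonce per encryption under a key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// DecryptPAN recovers the PAN. It fails, rather than returning garbage, when
// the key is wrong or the stored blob was altered, because GCM checks the
// authentication tag before releasing any plaintext.
func DecryptPAN(key, blob []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return "", errors.New("stored value too short to contain a nonce")
	}
	pt, err := gcm.Open(nil, blob[:n], blob[n:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// MaskPAN keeps only the last four digits, the usual form for receipts and
// screens where staff do not need the full number.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// ExposesPAN reports whether a stored value still contains the PAN in clear
// text, the check you would run over a database export to find unprotected columns.
func ExposesPAN(stored []byte, pan string) bool {
	return bytes.Contains(stored, []byte(pan))
}

func main() {
	const pan = "4111111111111111" // constructed test number, not a real account
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptPAN(key, pan)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored value:      %x\n", blob)
	fmt.Println("exposes clear PAN:", ExposesPAN(blob, pan))
	fmt.Println("display form:     ", MaskPAN(pan))
	wrongKey, _ := NewKey()
	if _, err := DecryptPAN(wrongKey, blob); err != nil {
		fmt.Println("wrong key:        ", err)
	}
	recovered, err := DecryptPAN(key, blob)
	fmt.Println("right key ok:     ", err == nil && recovered == pan)
}
```

The point the guide makes about P2PE and SRED is that this encryption happens inside the terminal, so the merchant's own PCs never see the clear PAN; the example shows the same property one layer down, with the clear value existing only between EncryptPAN and DecryptPAN. Where the key lives is the whole question in practice: a key stored next to the ciphertext protects nothing.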
Understanding your E-commerce Payment System
When you sell products or services online, you are classified as an e-commerce merchant. Here are some common terms you may see or hear and what they mean.
An E-COMMERCE WEBSITE houses and presents your business website and shopping pages to your customers. The website may be hosted and managed by you or by a third-party hosting provider.
An E-COMMERCE PAYMENT SYSTEM encompasses the entire process for a customer to select products or services and for the e-commerce merchant to accept card payments, including a website with shopping pages and a payment page or form, other connected devices or systems (for example, Wi-Fi or a PC used for inventory), and connections to the merchant bank (also called a payment service provider or payment gateway). Depending on the merchant’s e-commerce payment scenario, an e-commerce payment system is either wholly outsourced to a third party, partially managed by the merchant with support from a third party, or managed exclusively by the merchant.
Your PAYMENT PAGE is the web page or form used to collect your customer’s payment card data after they have decided to purchase your product or services. Handling of card data may be 1) managed exclusively by the merchant using a shopping cart or payment application, 2) partially managed by the merchant with the support of a third party using a variety of methods, or 3) wholly outsourced to a third party. Most times, using a wholly outsourced third party is your safest option, and it is important to make sure they are a PCI DSS validated third party.
Your SHOPPING PAGES are the web pages that show your products or services to your customers, allowing them to browse and select their purchase, and provide you with their personal and delivery details. No payment card data is requested or captured on these pages.
(Figure: checkout flow. Labels: Checkout, Pay Now, Merchant e-commerce website, Merchant shopping pages, Internet, Merchant payment page, PCI DSS compliant third-party service provider.)
Understanding your Petroleum & Fuel System
An ELECTRONIC PAYMENT SERVER (EPS) (may also be part
of the Site Controller) is a software payment application, usually
present in a semi-integrated system, that gives point-of-sale (POS)
systems a way to perform payment transactions in a standard way,
independent of the payment networks providing authorization.
The EPS separates payment from the POS system or outdoor sales
processor (OSP). The EPS manages payment requests from the POS
systems and OSP, card data acquisition from the EMV terminals, and payment
authorizations for all POS systems and the OSP. Generally, all payment
business logic is implemented within the EPS. The POS, OSP, and EMV
terminals are considered “dumb” devices programmed to implement only the
interface to/from the EPS.
A FUEL SITE CONTROLLER is a software application designed
to interface with the various forecourt devices of a fuel station, but
primarily the fuel dispensers. The fuel site controller handles both
physical and logical device control. Typically, it controls the device
states, makes sure unauthorized state changes are prevented, and
ensures processes follow regulations and specifications.
A FUEL ISLAND is the area of a convenience and retail fuel site
where fuel dispensers are physically located. Generally, the fuel
island is part of the site’s forecourt. The fuel island can be either
manned or unmanned. Unmanned fuel islands are often described
as self-service.
A MANAGED NETWORK SERVICE PROVIDER (MNSP) is a service
provider who administers site level network connectivity, failover, on
premise network device configurations, remote connectivity such as
VPN, and/or network security features. The MNSP may be responsible
for maintaining the controls that protect network devices from
misconfiguration, including insecure configuration. These providers
generally have remote access to a site’s network, and thus a compromise of a
MNSP system could lead to a compromise of the cardholder data environment.
A BACK OFFICE PC is a dedicated personal computer used to manage
nonconsumer business operations for a convenience and retail fuel
site. The back office system supports daily operational activities such as
inventory management, price book, product supply, fuel management,
site-level accounting, and daily reporting and journaling.
The FORECOURT is the area where fuel dispensers are present and
accessible to consumers wishing to refuel their vehicle. It is the area
outside the salesroom or the convenience store of a fuel station where
consumers park their vehicles while dispensing fuel.
When you sell petroleum & fuel, you are classified as a petroleum merchant. Here are some common terms you may see or hear and what they mean.
A PETROLEUM SYSTEM encompasses the entire process for a consumer to purchase petroleum either outside at an unattended Fuel Island or inside at a POS Terminal.
[Figure: a petroleum system. Inside the convenience store: POS system / electronic cash register, back office PC, PIN pad, network switch, electronic payment server (EPS), and a firewall / MNSP that connects over the Internet to the MNSP and to the processor / acquirer. On the forecourt: the fuel site controller and the fuel island.]
How is your business at risk?
How do you sell your goods or services? There are three main ways:
1. A person walks into your shop and makes a purchase with their card.
2. A person visits your website and pays online.
3. A person calls your shop and provides card details over the phone, or sends the details in the mail or via fax.
The more features your payment system has, the more complex it is to secure. Think carefully about whether you really need extra features such as Wi-Fi, remote access software, Internet-connected cameras, or call recording systems for your business. If not properly configured and managed, each of these features can provide criminals with easy access to your customers’ payment card data.
If you are an e-commerce merchant, it is very important to understand how or if payment data is captured on your website. In most cases, using a wholly outsourced third party to capture and process payments is the safest option.
[Figure: a risk scale running from a simple environment (easier to reduce risk) to a complex environment (harder to reduce risk).]
Understanding your risk: Payment system types
Use the Common Payment Systems to help you identify
what type of payment system you use, your risk, and the
recommended security tips as a starting point for conversations
with your merchant bank and vendor partners.
Your security risks vary greatly depending on the complexity of your payment system, whether face-to-face or online.
TYPE 1 (from the Common Payment Systems): Dial-up payment terminal. Payments sent via phone line. RISK PROFILE: LOWER.
[Figure: a dial-up payment terminal, which shows it is dialing for each transaction, connected to the bank by a dial-up telephone line; paper documents with card data are also present. For this scenario, risks to card data are present at the points marked in the figure. Risks explained on next page.]
TYPE 9 (from the Common Payment Systems): Payment terminal connects to electronic cash register, with additional connected equipment. Payments sent via Internet. RISK PROFILE: HIGHER.
[Figure: an electronic cash register and a payment terminal (card data can be entered on either), together with cameras, IP phones, and general use computers, all connected through a router/firewall to the Internet. The merchant might also use Wi-Fi capability in addition to wired networking, and/or may offer Wi-Fi for customer use. For this scenario, risks to card data are present at the points marked in the figure. Risks explained on next page.]
There are many risk points here due to numerous systems connected to the Internet and to payment terminals. Each system has to be configured and managed properly to minimize risk.
Other payment system types illustrated in the Common Payment Systems include a simple payment system for in-shop purchases; a complex payment system for in-shop purchases, with Wi-Fi, cameras, Internet phones, and other attached systems; and a complex e-commerce payment system for online shop purchases, with the merchant managing their own website and payment page.
https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Common_Payment_Systems
PROTECT YOUR BUSINESS WITH THESE SECURITY BASICS
How do you protect your business?
These security basics are organized from easiest and least costly to implement to those that are more complex and costly to implement. The amount of risk reduction that each provides to small merchants is also indicated in the “Risk Mitigation” column.
The good news is, you can start protecting your business today with these security basics:
• Use strong passwords and change default ones
• Don’t give hackers easy access to your systems
• Use anti-virus software
• Scan for vulnerabilities and fix issues
• Use secure payment terminals and solutions
• Protect your business from the Internet
• For the best protection, make your data useless to criminals
• Protect your card data and only store what you need
• Inspect payment terminals for tampering
• Install patches from your vendors
• Use trusted business partners and know how to contact them
• Protect in-house access to your card data
[In the guide, each basic is rated with graphics for Cost, Ease, and Risk Mitigation.]
Use strong passwords and change default ones
CHANGE YOUR PASSWORDS REGULARLY. Treat your passwords
like a toothbrush. Don’t let anyone else use them and get new ones
every three months.
TALK TO YOUR SERVICE PROVIDERS. Ask your vendors or service
providers about default passwords and how to change them.
Then do it! Also, if your service provider manages passwords for
your systems, ask them if they’ve changed those vendor default
passwords.
MAKE THEM HARD TO GUESS. The most common passwords are “password” and “123456.” Hackers try easily-guessed passwords because they’re used by half of all people. A strong password has seven or more characters and a combination of upper and lower case letters, numbers, and symbols (like !@#$&*). A phrase can also be a strong password (and may be easier to remember), like “B1gMac&frieS.”
DON’T SHARE. Insist on each employee having their own login IDs
and passwords – never share!
65% of SMBs that have a password policy do not strictly enforce it (Ponemon Institute).
TYPICAL DEFAULT PASSWORDS THAT MUST BE CHANGED: [none], [name of product/vendor], 1234 or 4321, access, admin, anonymous, company name, database, guest, manager, pass, password, root, sa, secret, sysadmin, user.
Your passwords are vital for
computer and card data security.
Just like a lock on your door
protects physical property, a
password helps protect your
business data. Also be aware that
computer equipment and software
out of the box (including your
payment terminal) often come with
default (preset) passwords such
as “password” or “admin,” which
are commonly known by hackers
and are a frequent source of small
merchant breaches.
For more about password security, see these resources on the PCI Council website:
INFOGRAPHIC: It’s Time to Change Your Password
VIDEO: Learn Password Security in 2 Minutes
https://www.pcisecuritystandards.org/pdfs/its_time_to_change_your_password_infographic
https://www.youtube.com/watch?v=FsrOXgZKa7U
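The password rules in this section (not a default, seven or more characters, mixed character classes, changed every three months, never shared) can be turned into a simple audit a merchant or their IT provider runs over the accounts on a payment system. The following is an added example and is not code from the PCI Council or the guide; the account list, user names, and dates in it are constructed for illustration.

```python
import re
from datetime import date, timedelta

# Vendor default passwords listed in the guide, plus the two most common
# passwords it names. Compared case-insensitively. "" stands for "[none]";
# the bracketed product/vendor and company names are passed in by the caller.
DEFAULT_PASSWORDS = {
    "", "1234", "4321", "access", "admin", "anonymous", "database", "guest",
    "manager", "pass", "password", "root", "sa", "secret", "sysadmin", "user",
    "123456",
}

# The guide's rotation interval: get new passwords every three months.
MAX_AGE = timedelta(days=90)


def check_password(password, vendor_name="", company_name=""):
    """Return the problems with a password; an empty list means it meets the
    guide's rules (not a default, 7+ characters, upper and lower case letters,
    numbers and symbols all present)."""
    problems = []
    lowered = password.lower()
    context_defaults = {n.lower() for n in (vendor_name, company_name) if n}
    if lowered in DEFAULT_PASSWORDS or lowered in context_defaults:
        problems.append("matches a typical default password")
    if len(password) < 7:
        problems.append("shorter than seven characters")
    classes = [re.search(r"[a-z]", password), re.search(r"[A-Z]", password),
               re.search(r"\d", password), re.search(r"[^A-Za-z0-9]", password)]
    if not all(classes):
        problems.append("needs upper and lower case letters, numbers, and symbols")
    return problems


def needs_rotation(last_changed, today):
    """True when the password is older than the three-month interval."""
    return today - last_changed > MAX_AGE


# Constructed account list for a small shop's payment system. It contains the
# three failures the guide warns about: a vendor default left in place, a
# login shared between two employees, and a password overdue for a change.
SAMPLE_ACCOUNTS = [
    {"user": "admin", "password": "admin",
     "last_changed": date(2023, 1, 10), "used_by": ["owner"]},
    {"user": "till", "password": "Sh0p!Till",
     "last_changed": date(2024, 4, 1), "used_by": ["ana", "ben"]},
    {"user": "ana", "password": "C0ffee&cake!",
     "last_changed": date(2024, 4, 1), "used_by": ["ana"]},
]


def audit_accounts(accounts, today, vendor_name="", company_name=""):
    """Map each account with a problem to the list of problems found."""
    report = {}
    for acct in accounts:
        problems = check_password(acct["password"], vendor_name, company_name)
        if needs_rotation(acct["last_changed"], today):
            problems.append("older than three months")
        if len(acct["used_by"]) > 1:
            problems.append("shared by " + ", ".join(acct["used_by"]))
        if problems:
            report[acct["user"]] = problems
    return report


if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS, date(2024, 5, 1)).items():
        print(user, "->", "; ".join(problems))
```

Run against the constructed list on 1 May 2024, the audit reports the "admin" account (default password, too short, missing character classes, and older than three months) and the shared "till" login, while "ana" passes every check.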
Protect card data and only store what you need
ASK AN EXPERT. Ask your payment terminal vendor, service provider, or merchant bank where (or if) your systems store data and if you can simplify how you process payments. Also ask how to conduct specific transactions (for example, for recurring payments) without storing the card’s security code.
OUTSOURCE. The best way to protect against data breaches
is not to store card data at all. Consider outsourcing your
card processing to a PCI DSS compliant service provider. See
Resources on page 26 for lists of compliant service providers.
IF YOU DON’T NEED CARD DATA, DON’T STORE IT.
Securely destroy/shred card data you don’t need. If you need to
keep paper with sensitive card data, mark through the data with
a thick, black marker until it is unreadable and secure the paper
in a locked drawer or safe that only a few people have access to.
LIMIT RISK. Rather than accepting payment details via email, ask
customers to provide it via phone, fax, or regular mail.
TOKENIZE OR ENCRYPT. Ask your merchant bank
if you REALLY need to store that card data. If you do,
ask your merchant bank or service provider about
encryption or tokenization technologies that make
card data useless even if stolen.
See page 24.
ENCRYPTION PRIMER
Cryptography uses a mathematical formula to render plaintext unreadable to people without special knowledge (called a key). Cryptography is applied to stored data as well as data transmitted over a network.
ENCRYPTION changes plaintext into ciphertext. DECRYPTION changes ciphertext back into plaintext.
For example:
[Figure: plaintext is turned into ciphertext with an encryption key, and ciphertext is turned back into plaintext with a decryption key.]
It’s impossible to protect card data
if you don’t know where it is.
What can you do?
Another place to consider whether you are storing payment
data is in emails. If you receive card details via email, you
can still process the transaction, but delete the email
immediately and then let the sender know how you prefer
to receive cardholder data (and that email is not the best
way to send it). Do not simply reply using the original email
from your customer. Instead delete the card details from
the reply email, otherwise you are further exposing the card
data via storing the original email, the sent email, etc.
Tokenization has a similar goal to encryption but works
differently. It substitutes card data with meaningless data
(a “token”) that has no value to a hacker. Merchants can
use tokens to submit subsequent transactions, process a
refund, etc. without needing to store the actual payment
card details. The token is used by your payment processor
to look up the card details, which they store instead of you.
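Two of the points above (you cannot protect card data you do not know you hold, and a token is worthless to a thief because only the processor can map it back to the card) are easier to see in code. The following is an added example, not code from the guide or from any processor: it finds card numbers in free text such as a customer e-mail using the Luhn check that every card number passes, masks them the way a merchant may keep them (first six and last four digits), and models the processor's token vault as a plain dictionary. The e-mail text and the 4111 1111 1111 1111 test number are constructed; `TokenVault` is a hypothetical stand-in for a real processor's service.

```python
import re
import secrets

# Candidate card number: 13 to 19 digits, optionally separated by spaces or
# dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn check digit test; order and phone numbers almost always fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _as_pan(match_text):
    digits = re.sub(r"[ -]", "", match_text)
    return digits if 13 <= len(digits) <= 19 and luhn_valid(digits) else None


def find_pans(text):
    """Card numbers (digits only) found in free text, e.g. an e-mail body."""
    return [p for p in (_as_pan(m.group()) for m in PAN_CANDIDATE.finditer(text)) if p]


def mask_pan(digits):
    """Truncated form a merchant may keep or display: first six, last four."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text):
    """Replace each card number with its masked form, for example before
    replying to a customer e-mail that contained card details."""
    def repl(m):
        pan = _as_pan(m.group())
        return mask_pan(pan) if pan else m.group()
    return PAN_CANDIDATE.sub(repl, text)


class TokenVault:
    """Hypothetical processor-side vault: it keeps the real card numbers and
    hands the merchant random tokens that have no value on their own."""

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan):
        if pan in self._by_pan:          # same card, same token, so the
            return self._by_pan[pan]     # merchant can reuse it for refunds
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token):
        return self._by_token[token]


# Constructed sample e-mail: one test card number, plus an order number and a
# phone number that must not be mistaken for card numbers.
SAMPLE_EMAIL = (
    "Hi, please charge my card 4111 1111 1111 1111 for order 1234567890123456. "
    "Call me on 410-555-0100 if there is a problem."
)


def merchant_record_for(email_text, vault):
    """What the merchant keeps after processing: a token and the masked
    number, never the card number itself."""
    return [{"token": vault.tokenize(p), "masked": mask_pan(p)}
            for p in find_pans(email_text)]


if __name__ == "__main__":
    vault = TokenVault()
    print(find_pans(SAMPLE_EMAIL))
    print(redact_pans(SAMPLE_EMAIL))
    print(merchant_record_for(SAMPLE_EMAIL, vault))
```

On the constructed e-mail, `find_pans` reports only the card number (the 16-digit order number fails the Luhn check), `redact_pans` returns the text with it replaced by `411111******1111`, and the merchant record holds a token and the masked number only. The same scanner can be pointed at mailbox exports, spreadsheets, and log files to answer the "where is it?" question before deciding what to delete.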
Inspect payment terminals for tampering
Be vigilant and follow these steps:
KEEP A LIST of all payment terminals and take pictures (front, back,
cords, and connections) so you know what they are supposed to
look like.
LOOK FOR OBVIOUS SIGNS of tampering, such as broken seals
over access cover plates or screws, odd/different cabling, or new
devices or features you don’t recognize. The Council’s guide
(referenced below) can help.
PROTECT TERMINALS. Keep them out of customers’ reach when not in use and restrict public viewing of the screens. Make sure your payment terminals are secure before you close your shop for the day, including any devices that read your customers’ payment cards or accept their personal identification numbers (PINs).
CONTROL REPAIRS. Only allow payment terminal repairs from
authorized repair personnel, and only if you are expecting them.
Tell your staff too. Monitor any third-parties with physical access to
your payment terminals, even if they are there for another reason,
to make sure they don’t modify your payment terminals.
CALL your payment terminal vendor or merchant bank
immediately if you suspect anything!
“Skimming devices” sweep up your
customers’ card data as it enters a
payment terminal. It’s vital that you and
your staff know how to spot a skimming
device, what your payment terminals
should look like, and how many you
have. You need to regularly check your
payment terminals to make sure they
have not been tampered with. If there
is any suspicion that a terminal has been
tampered with, DO NOT USE it, and
report this immediately to your merchant
bank and/or terminal vendor.
See the PCI Council’s guide: Skimming
Prevention – Overview of Best Practices for
Merchants
https://www.pcisecuritystandards.org/documents/Skimming_Prevention_At-a-Glance_Sept2014
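The "keep a list" and "look for obvious signs" steps above work best when the daily walk-round is compared against the list mechanically, so that a missing terminal, a broken seal, or a device nobody recorded is raised rather than overlooked. The following is an added example, not code from the guide or the Skimming Prevention document: the baseline (serial numbers, locations, model name, seal count, and reference photo paths) and the walk-round results are constructed for illustration.

```python
# Constructed baseline: the guide's "list of all payment terminals", recorded
# when each terminal was installed and photographed (front, back, cords and
# connections). Serial numbers, model, and photo paths are made up.
BASELINE = {
    "SN-0001": {"location": "Till 1", "model": "ExampleTerm 100", "seals": 2,
                "photo": "photos/SN-0001-front-back-cords.jpg"},
    "SN-0002": {"location": "Till 2", "model": "ExampleTerm 100", "seals": 2,
                "photo": "photos/SN-0002-front-back-cords.jpg"},
}

# What staff record during a walk-round while comparing each device with its
# reference photo. Constructed sample: one terminal has a broken seal, one is
# missing, and a device that is not on the list has appeared at Till 2.
TODAYS_WALKROUND = {
    "SN-0001": {"location": "Till 1", "seals": 1,
                "matches_photo": True, "extra_attachment": False},
    "SN-9999": {"location": "Till 2", "seals": 0,
                "matches_photo": False, "extra_attachment": False},
}


def inspect_terminals(baseline, observed):
    """Compare a walk-round with the baseline list. Returns the findings to
    raise with the terminal vendor or merchant bank; an empty list means every
    terminal was where it should be and looked as photographed."""
    findings = []
    for sn, ref in baseline.items():
        seen = observed.get(sn)
        if seen is None:
            findings.append(f"{sn}: not found at {ref['location']}")
            continue
        if seen["location"] != ref["location"]:
            findings.append(f"{sn}: moved from {ref['location']} to {seen['location']}")
        if seen["seals"] < ref["seals"]:
            findings.append(f"{sn}: {ref['seals'] - seen['seals']} seal(s) broken or missing")
        if not seen["matches_photo"]:
            findings.append(f"{sn}: does not match reference photo {ref['photo']}")
        if seen["extra_attachment"]:
            findings.append(f"{sn}: unrecognised device or cable attached")
    for sn, seen in observed.items():
        if sn not in baseline:
            findings.append(f"{sn}: device at {seen['location']} is not on the terminal list")
    return findings


def terminals_to_quarantine(findings):
    """Serial numbers that must not be used until the vendor has checked them."""
    return sorted({f.split(":")[0] for f in findings})


if __name__ == "__main__":
    for finding in inspect_terminals(BASELINE, TODAYS_WALKROUND):
        print(finding)
    print("do not use:", terminals_to_quarantine(inspect_terminals(BASELINE, TODAYS_WALKROUND)))
```

For the constructed walk-round the check reports the broken seal on SN-0001, the absence of SN-0002, and the unlisted SN-9999, and all three serial numbers go on the do-not-use list until the vendor or merchant bank has been called, which matches the guide's "DO NOT USE it, and report this immediately" instruction.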
Use trusted business partners and know how to contact them
COMMON VENDORS
Refer to the table
in the Questions to ask your
Vendors for more details
about these common
vendors:
• Payment terminal
vendors
• Payment application
vendors
• Payment system installers
(called Integrators/
Resellers)
• Service providers that
perform payment
processing, or
e-commerce hosting or
processing
• Service providers that help you meet PCI DSS requirement(s) (for example, providing firewall or antivirus services)
• Providers of Software as
a Service
KNOW WHO TO CALL. Who is your merchant bank? Who else
helps you process payments? Who did you buy your payment
device/software from and who installed it for you? Who are your
service providers?
KEEP A LIST. Now that you know who to call, keep company and contact names, phone numbers, website addresses, and other contact details where you can easily find them in an emergency.
CONFIRM THE SECURITY OF YOUR SERVICE PROVIDERS.
Is your service provider adhering to PCI DSS requirements? For
e-commerce merchants, it is important that your payment service
provider is PCI DSS compliant too! See Resources on page 26 for
lists of compliant service providers.
ASK QUESTIONS. Once you know who your outside providers
are and what they do for you, talk to them to understand how they
protect card data. Use Questions to ask your Vendors to help you
know what to ask.
UNDERSTAND COMMON VENDORS. Review the sidebar to the
right to understand common types of vendors or service providers
you may work with.
You use outside providers for
payment-related services, devices
and applications. You may also
have service providers that you
share card data with, that support
or manage your payment systems,
or that you give access to card data.
You may call them processors,
vendors, third parties, or service
providers. All of these impact your
ability to protect your card data, so
it’s critical you know who they are
and what security questions to ask
them.
https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Questions_To_Ask_Your_Vendors
Install patches from your vendors
ASK your vendor or service provider how it notifies you of new security patches, and make sure you receive and read these notices.
WHICH VENDORS SEND YOU PATCHES? You may get patches
from vendors of your payment terminal, payment applications,
other payment systems (tills, cash registers, PCs, etc.), operating
systems (Android, Windows, iOS, etc.), application software
(including your web browser), and business software.
MAKE SURE your vendors update your payment terminals,
operating systems, etc. so they can support the latest security
patches. Ask them.
E-COMMERCE MERCHANTS. Installing patches as soon as
possible is very important for you too. Also look out for patches
from your payment service provider. Ask your e-commerce hosting
provider whether they patch your system (and how often). Make
sure they update the operating system, e-commerce platform and/
or web application so it can support the latest patches.
FOLLOW your vendor’s/service provider’s instructions and install
those patches as soon as possible.
Software can have flaws that are
discovered after release, caused
by mistakes made by programmers
when they wrote the code. These
flaws are also called security holes,
bugs or vulnerabilities. Hackers
exploit these mistakes to break
into your computer and steal
account data. Protect your systems
by applying vendor-supplied
“patches” to fix coding errors. Timely
installation of security patches is
crucial!
It is important that you know how
your software is being regularly
updated with patches and who is
responsible (it could be you!). Also,
some patches install automatically
when they become available. If
you’re not sure how patches get
added or who is responsible, make it
a point to ask your vendor/ supplier.
Protect in-house access to your data
ACCESS CONTROL IS ALL IMPORTANT. Set up your system to
grant access only based on a “business need-to-know.” As the
owner, you have access to everything. But most employees can
do their job with access only to a subset of data, applications, and
functions.
LIMIT ACCESS to payment systems and unencrypted card data
to only those employees that need access, and only to the data,
applications and functions they need to do their jobs.
KEEP A LOG. Track all “behind the counter” visitors in your
establishment. Include name, reason for visit, and name of
employee that authorized visitor’s access. Keep the log for at least
a year.
SECURELY DISPOSE OF DEVICES. Ask your payment system
vendor or service provider how to securely remove card data
before selling or disposing of payment devices (so data cannot be
recovered).
SHARE THIS INFORMATION. Give this guide to your employees,
business partners, and third-party service providers (such as
e-commerce hosting providers) so they know what is expected.
MAKE USER IDS UNIQUE for each person with access to your
payment system whenever possible. This will help you keep track of
who logs in and when, and any changes they make.
Consider giving
employees access to
take payments but not
to process refunds, or
to take new bookings/
orders but not to
access payment card
data related to existing
booking/orders. Some
employees should
have no access at all.
25% OF BREACHES INVOLVE INTERNAL ACTORS (Verizon 2017).
Privilege abuse means a person using someone else’s information and details to gain access to systems or data that person is not authorized to have access to.
Don’t give hackers easy access to your systems
If your vendor supports
or troubleshoots your
payment system from
their office (and not
from your location)
they are using the
Internet and remote
access software to do
this.
Examples of products
your vendor may install
on your terminal and
use to support you
remotely include VNC
& LogMeIn.
FIND OUT. Ask your payment system vendor or service provider if
they use remote access to support or access your business systems.
ASK HOW TO LIMIT USE OF REMOTE ACCESS. Many remote
access programs are always on, or always available by default,
meaning the vendor can access your systems remotely all the time
(this also means that hackers can access your systems too since
many vendors use commonly-known passwords for remote access).
Reduce your risk – ask your vendor how to disable remote access when not needed, and how to enable it when your vendor or service provider specifically requests it.
DISABLE IT WHEN DONE. To protect your business, it’s important
that you take a part in managing how and when your vendors can
access your systems.
USE STRONG AUTHENTICATION. If you must allow remote
access, require multi-factor authentication and strong cryptography.
ENSURE SERVICE PROVIDERS USE UNIQUE CREDENTIALS. Each
one must use remote access credentials that are unique to your
business and that are not the same ones used for other customers.
ASK FOR HELP. Ask your vendor or service provider for
help disabling remote access, or (if your vendor or service
provider needs remote access) for help setting up multi-factor
authentication. See Questions to ask your Vendors to help you
know exactly what to ask them.
HACKERS = THREATS
One of the easiest ways for hackers to
get into your system is through people
you trust. You need to know how your
vendors are accessing your system to
make sure it’s not opening up any holes
for hackers.
Multi-factor authentication uses a username
and password plus at least one other factor (like
a smart card, dongle*, or one-time passcode).
*a handy device that connects to a computer to allow
access to wireless, software features, etc.
https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Questions_To_Ask_Your_Vendors
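Once remote access is only enabled when the vendor asks for it, the remote-access tool's own log shows whether that is actually what happens. The following is an added example, not code from the guide or from any remote-access product: it reads a constructed log in a simplified one-line-per-event format (timestamp, account, source address, event) and raises the conditions this section warns about, namely logins outside an approved maintenance window, logins from an address the vendor did not tell you about, use of a generic account name that a vendor might share across customers, and a burst of failed logins. The windows, addresses, and account names are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed remote-access log, one event per line:
# "<ISO timestamp> <account> <source address> <event>"
SAMPLE_LOG = """\
2024-05-06T09:12:03 vendor-acme 203.0.113.10 login_ok
2024-05-06T23:41:55 vendor-acme 198.51.100.7 login_ok
2024-05-07T02:15:20 support 203.0.113.10 login_ok
2024-05-07T02:15:41 support 203.0.113.10 login_ok
2024-05-07T10:05:00 vendor-acme 203.0.113.10 login_fail
2024-05-07T10:05:30 vendor-acme 203.0.113.10 login_fail
2024-05-07T10:06:00 vendor-acme 203.0.113.10 login_fail
"""

# Windows in which the vendor asked for access and you enabled it (constructed).
APPROVED_WINDOWS = [(datetime(2024, 5, 6, 9, 0), datetime(2024, 5, 6, 12, 0))]

# Addresses the vendor said its support staff connect from (constructed).
APPROVED_SOURCES = {"203.0.113.10"}

# Generic account names a vendor could be reusing across all of its customers;
# the guide requires remote-access credentials unique to your business.
GENERIC_ACCOUNTS = {"support", "admin", "vendor", "service", "tech", "remote"}


def parse_line(line):
    ts, account, source, event = line.split()
    return {"time": datetime.fromisoformat(ts), "account": account,
            "source": source, "event": event}


def in_window(t, windows):
    return any(start <= t <= end for start, end in windows)


def review_remote_access(log_text, windows, sources, fail_threshold=3,
                         fail_period=timedelta(minutes=5)):
    """Return the events worth raising with the vendor. Each alert is the
    parsed event plus a "kind" key naming the condition it tripped."""
    alerts = []
    recent_failures = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["event"] == "login_fail":
            fails = [t for t in recent_failures.get(e["account"], [])
                     if e["time"] - t <= fail_period]
            fails.append(e["time"])
            recent_failures[e["account"]] = fails
            if len(fails) == fail_threshold:     # alert once per burst
                alerts.append({"kind": "repeated_failures", **e})
            continue
        if e["event"] != "login_ok":
            continue
        if not in_window(e["time"], windows):
            alerts.append({"kind": "outside_window", **e})
        if e["source"] not in sources:
            alerts.append({"kind": "unexpected_source", **e})
        if e["account"] in GENERIC_ACCOUNTS:
            alerts.append({"kind": "shared_account", **e})
    return alerts


if __name__ == "__main__":
    for a in review_remote_access(SAMPLE_LOG, APPROVED_WINDOWS, APPROVED_SOURCES):
        print(a["time"].isoformat(), a["kind"], a["account"], a["source"])
```

On the constructed log the first login is inside the approved window and raises nothing; the late-night login from an unknown address, the two logins on the generic "support" account outside any window, and the three failed logins within one minute all produce alerts. The point of the exercise is that these are questions to put to the vendor ("who logged in at 23:41, and why does a generic support account exist on my terminal?"), which is what the "find out" and "ensure service providers use unique credentials" steps ask for.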
Use anti-virus software
INSTALL ANTI-VIRUS SOFTWARE TO PROTECT YOUR PAYMENT SYSTEM. It is easy to install and can be obtained from your local office supply shop or IT retailer.
SET THE SOFTWARE TO “AUTOMATIC UPDATE” so you always
get the most recent protection available.
GET ADVICE. Ask your IT retailer about products they recommend
for anti-virus/anti-malware protection.
RUN AUTOMATIC SCANS. Schedule regular full system scans,
since your systems may have been infected by new malware that
was released before your anti-virus software was able to detect it.
E-COMMERCE MERCHANTS. Installing anti-virus software is very
important for you too. Ask your service provider(s) whether they
have installed anti-virus software on your system (and how often it
is updated). Make sure they keep the anti-virus software up-to-date
and regularly scan your system for malware.
Hackers write viruses and other malicious
code to exploit software features and
coding mistakes, so they can break into
your systems and steal card data. Using
up-to-date anti-virus (also called anti-
malware) software helps to protect your
systems.
Scan for vulnerabilities and fix issues
GET ADVICE. Ask your merchant bank if they have partnerships
with any PCI Approved Scanning Vendors (ASVs). Ask your vendors
and service providers too.
TALK TO A PCI ASV. These vendors can help you with tools that automatically identify vulnerabilities and misconfigurations in your Internet-facing payment systems, e-commerce website, and/or networks and provide you with a report if, for example, you need to apply a patch. The PCI Council’s list (referenced to the left) can help you find a scanning vendor.
SELECT A SCANNER. Contact several PCI ASVs to find one with a
program suitable for your small business.
ADDRESS VULNERABILITIES. Ask your ASV, payment system
vendor or service provider, or merchant bank for help correcting
issues found by scanning.
The PCI Council’s Approved Scanning Vendors
(ASVs) perform external vulnerability scanning
and reporting. See PCI’s List of PCI-Approved
Scanning Vendors
New vulnerabilities, security holes,
and bugs are being discovered daily.
It’s vital to have your Internet-facing
systems tested regularly to identify these
new risks and address them as soon as
possible. Your Internet-facing systems
(like many payment systems) are the
most vulnerable because they can be
easily exploited by criminals, allowing
them to sneak into your systems.
https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors
Use secure payment terminals and solutions
USE SECURE PAYMENT TERMINALS AND PIN ENTRY DEVICES.
The PCI Council approves payment terminals that protect PIN
data. Make sure your payment terminal or device is on the List of
PCI Approved PTS Devices for equipment that provides the best
security, and supports “EMV chip.”
USE SECURE SOFTWARE. Make sure your payment software is on
the List of PCI Validated Payment Applications.
USE QUALIFIED PROFESSIONALS. Make sure the person
installing your payment system does it correctly and securely.
Choose from the List of PCI QIRs to help you. Ask your merchant
bank to help you make the selection.
USE SECURE E-COMMERCE PAYMENT SERVICE PROVIDERS. If you don’t already, consider using a PCI DSS compliant service provider to help you securely process your e-commerce payment transactions, and/or to manage your e-commerce website.
LOOK FOR PCI DSS COMPLIANT SERVICE PROVIDERS. Make sure your payment service provider is compliant with PCI DSS. Check Mastercard’s and Visa’s lists to confirm that they are listed:
MasterCard’s List of Compliant Service Providers
Visa’s Global Registry of Service Providers
Visa Europe’s Registered Agents
REFER TO THIS LIST OF VENDOR QUESTIONS. Use Questions to
ask your Vendors to help you know what to ask your vendors and
service providers.
Your customers enter their personal identification numbers (PINs) for their payment cards into your payment terminal or PIN entry device. It is important to use secure devices to protect your customers’ PIN data.
A sure way to better protect your
business is to use secure payment
solutions and trained professionals to
help you. Here’s how to choose safe
products and make sure they are set up
securely.
For PCI payment terminals and
secure card readers that encrypt
card data, see page 24.
https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices
https://www.pcisecuritystandards.org/assessors_and_solutions/vpa_agreement
https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/merchants-need-to-know.html
http://www.visa.com/splisting/
https://www.visaeurope.com/receiving-payments/security/downloads-and-resources
https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Questions_To_Ask_Your_Vendors
Protect your business from the Internet
ISOLATE USAGE. Don’t use the device or system you take
payments with for anything else. For example, don’t surf the web
or check emails or social media from the same device or computer
that you use for payment transactions. When necessary for business
(for example, updating your business’s social media page), use
another computer and not your payment device for these updates.
PROTECT YOUR “VIRTUAL TERMINAL.” If you enter customer
payments via a virtual terminal (a web page you access with a
computer or a tablet), minimize your risk – don’t attach an external
card reader to it.
PROTECT WI-FI. If your shop offers free Wi-Fi for your customers,
make sure you use another network for your payment system (this is
called “network segmentation”). Ask your network installer for help
with safely configuring Wi-Fi.
USE A FIREWALL. A properly configured firewall acts as a buffer to keep hackers and malicious software from getting access to your payment systems, your e-commerce website, and/or your card data. Check with your payment terminal vendor or service provider to make sure you have one and ask them for help configuring it correctly.
USE PERSONAL FIREWALL SOFTWARE OR EQUIVALENT when payment systems are not protected by your business firewall (for example, when connected to public Wi-Fi).
The Internet is the main highway
used by data thieves to attack and
steal your customers’ card data. For
this reason, if your business is on the
Internet, anything you use for card
payments needs extra protection.
A firewall is equipment or software
that sits between your payment
system and the Internet. It acts
as a barrier to keep traffic out of
your network and systems that you
don’t want and didn’t authorize.
Firewalls are configured (in
hardware, software, or both) with
specific criteria to block or prevent
unauthorized access to a network.
Firewalls are often included in the
router “box” provided by your
Internet provider.
For simple tips on configuring your firewall, see PCI Firewall Basics.
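"Network segmentation" and "specific criteria to block or prevent unauthorized access" become concrete when written as a default-deny rule set and tested against the traffic a shop actually generates. The following is an added example, not code from the guide or PCI Firewall Basics, and it is a simplified model of a firewall policy rather than a configuration for any product: the zones, address ranges (private and documentation ranges), and sample flows are constructed. It evaluates the same flows under a flat network with no firewall between devices and under a segmented policy that lets the payment terminal talk only to the processor.

```python
import ipaddress

# Constructed zones for a small shop. The POS network holds the payment
# terminal and electronic cash register; the office network holds the back
# office PC and cameras; guest Wi-Fi is the free customer network.
ZONES = {
    "pos":        ipaddress.ip_network("192.168.10.0/24"),
    "office":     ipaddress.ip_network("192.168.20.0/24"),
    "guest_wifi": ipaddress.ip_network("192.168.30.0/24"),
}
# The payment processor's address range (constructed, TEST-NET-3).
PROCESSOR = ipaddress.ip_network("203.0.113.0/24")


def zone_of(ip):
    """Name the zone an address belongs to; anything else is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "processor" if addr in PROCESSOR else "internet"


# Segmented, default-deny policy: (source zone, destination zone, dest port).
# Only the flows each zone needs are listed; everything else is dropped.
ALLOW_RULES = {
    ("pos", "processor", 443),       # card authorisations to the processor over TLS
    ("office", "internet", 443),     # back office browsing and vendor portals
    ("office", "internet", 80),
    ("guest_wifi", "internet", 443),  # customers get the Internet and nothing else
    ("guest_wifi", "internet", 80),
}


def segmented_policy(src_ip, dst_ip, dst_port):
    return (zone_of(src_ip), zone_of(dst_ip), dst_port) in ALLOW_RULES


def flat_policy(src_ip, dst_ip, dst_port):
    """The 'before' picture: one network, no firewall between devices."""
    return True


# Constructed sample traffic: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("192.168.10.5", "203.0.113.20", 443),    # POS -> processor (needed)
    ("192.168.10.5", "198.51.100.9", 80),     # POS browsing the web (isolate usage)
    ("192.168.30.77", "192.168.10.5", 5900),  # guest Wi-Fi -> POS remote control
    ("192.168.20.3", "192.168.10.5", 445),    # office PC -> POS file sharing
    ("198.51.100.9", "192.168.10.5", 5900),   # Internet -> POS inbound
    ("192.168.30.77", "198.51.100.9", 443),   # guest Wi-Fi -> Internet (fine)
]


def evaluate(policy, flows):
    """Tag each flow with the policy's decision."""
    return [(src, dst, port, policy(src, dst, port)) for src, dst, port in flows]


def blocked_by(policy, flows):
    return [f for f in flows if not policy(*f)]


if __name__ == "__main__":
    for src, dst, port, ok in evaluate(segmented_policy, SAMPLE_FLOWS):
        print(f"{zone_of(src):>10} -> {zone_of(dst):<9} port {port:<5} {'allow' if ok else 'DROP'}")
    print("flat network blocks:", len(blocked_by(flat_policy, SAMPLE_FLOWS)), "flows")
```

Under the flat policy every flow passes, including guest Wi-Fi and the Internet reaching the payment terminal; under the segmented policy only the authorisation to the processor and the customers' own browsing survive, which is the "use another network for your payment system" outcome the section describes.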
For the best protection, make your data useless to criminals
WORK WITH YOUR PAYMENT SYSTEMS VENDOR OR SERVICE
PROVIDER. You should encrypt all card data you store or send.
Make sure your payment system is using encryption and/or
tokenization technology. If you are not sure, ask them.
USE PCI DEVICES THAT ENCRYPT CARD DATA. The
PCI Council approves payment terminals that protect
PIN data and payment terminals and “secure card
readers” that additionally encrypt card data. See the List
of PCI Approved PTS Devices.
USE SECURE PCI ENCRYPTION SOLUTIONS. Ask whether your
payment terminal encryption is done via a Point-to-Point Encryption
solution and is on the PCI Council’s List of PCI P2PE Validated
Solutions.
ARE YOU A MERCHANT NOW MOVING TO EMV CHIP
TERMINALS? This is a great opportunity to make an investment in a
terminal that supports EMV and also provides the added security of
encryption and tokenization.
UPGRADE YOUR SOLUTION. Reduce your risk – consider getting
a new payment terminal that uses both encryption and tokenization
technology to remove the value of card data for hackers.
ASK. See Questions to ask your Vendors for help with questions to
ask your vendor or service provider.
See page 22.
PCI-approved secure card readers and payment terminals that encrypt card data do it using technology called “Secure Reading and Exchange of Data (SRED)”. Ask your vendor if your payment terminal encrypts card data with SRED.

E-commerce websites must encrypt card data that is sent over the Internet, for example, using something called transport-layer security (TLS). SSL and early versions of TLS are no longer considered strong cryptography by PCI DSS, so the website and the service provider must use a current TLS version. Ask your service provider how they encrypt your card data.
Your data is vulnerable when it travels to your merchant bank, and when it’s kept or stored on your computers and devices. The best way to keep it safe is to make it useless even if it’s stolen, by encrypting it whenever you store it or send it, and removing it altogether when it’s not needed. While this can be more complex to put in place, in the long run it can make security much easier to manage.
What is tokenization? See page 14 for an explanation.
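How tokenization and removing unneeded data make a merchant’s records worthless to a thief, as an added example that is not from the PCI guide or from any vendor’s product. A stand-in vault plays the service provider’s side (which the merchant never operates) and issues random tokens; the merchant keeps only the token and the last four digits and refunds by token; a PAN discovery scan of the kind a breach investigator runs then finds no card numbers in a dump of the merchant’s records, while it would in a dump of the vault. Class and function names are hypothetical, and the card numbers are the public test numbers 4111 1111 1111 1111 and 5555 5555 5555 4444, not real accounts.

```python
"""Tokenization and PAN discovery for a small merchant's records.

Added example, not from the PCI guide. ProviderVault stands in for the
service provider's system; the merchant never holds it. The card numbers are
the public test numbers 4111 1111 1111 1111 and 5555 5555 5555 4444.
"""
import json
import re
import secrets


def _digits(pan: str) -> str:
    return re.sub(r"[ -]", "", pan)


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test that every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits (PCI DSS masking)."""
    pan = _digits(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class ProviderVault:
    """Service-provider side: maps random tokens to PANs. Not merchant code."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = _digits(pan)
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:            # multi-use token for a repeat customer
            return self._token_by_pan[pan]
        # Random, not derived from the PAN. A hash is not a token: with the
        # BIN known and the Luhn digit fixed, a 16-digit PAN has only ~10^9
        # candidates, which is cheap to brute-force offline.
        token = "tok_" + secrets.token_urlsafe(24)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        """Stand-in for the processor authorising a sale or refund by token."""
        return token in self._pan_by_token and amount_cents > 0


class MerchantRecords:
    """What the merchant keeps: token and last four only, never the PAN."""

    def __init__(self, vault: ProviderVault):
        self.vault = vault
        self.orders = []

    def sale(self, pan: str, amount_cents: int) -> dict:
        token = self.vault.tokenize(pan)
        order = {"id": len(self.orders) + 1, "token": token,
                 "last4": _digits(pan)[-4:], "amount": amount_cents}
        if self.vault.charge(token, amount_cents):
            self.orders.append(order)
        return order

    def refund(self, order_id: int) -> bool:
        order = self.orders[order_id - 1]          # refund by token; no PAN needed
        return self.vault.charge(order["token"], order["amount"])


# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Scan a dump (logs, database export) for Luhn-valid 13-19 digit numbers."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = _digits(m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def demo() -> dict:
    """Constructed sales, then scan what the merchant holds versus the vault."""
    vault = ProviderVault()
    shop = MerchantRecords(vault)
    shop.sale("4111 1111 1111 1111", 1999)
    shop.sale("5555555555554444", 500)
    shop.sale("4111111111111111", 250)           # repeat customer, same token
    return {
        "pans_in_merchant_dump": find_pans(json.dumps(shop.orders)),
        "pans_in_vault_dump": sorted(find_pans(json.dumps(vault._pan_by_token))),
        "orders": len(shop.orders),
        "same_token": shop.orders[0]["token"] == shop.orders[2]["token"],
        "refund_ok": shop.refund(1),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points worth noticing. The token must be random, not a hash of the card number, because the card-number space behind a known BIN is small enough to brute-force a hash; and the merchant side never needs a detokenize call, since refunds and repeat charges go to the processor by token. The `find_pans` scan is also the quick check to run over your own logs, backups and spreadsheets: anything it finds is card data you are storing and should not be.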
WHERE TO GET HELP
Resources

PCI Council Listings
List of Validated Payment Applications: https://www.pcisecuritystandards.org/assessors_and_solutions/vpa_agreement
List of Approved PTS Devices: https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices
List of Approved Scanning Vendors: https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors
List of Qualified Integrators / Resellers: https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_integrators_and_resellers
List of P2PE Validated Solutions: https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_solutions

Payment Brand Lists (Lists of Compliant Service Providers)
MasterCard’s List of Compliant Service Providers: https://www.mastercard.us/en-us/merchants/safety-security/security-recommendations/merchants-need-to-know.html
Visa’s Global Registry of Service Providers: http://www.visa.com/splisting/
Visa Europe’s Registered Merchant Agents: https://www.visaeurope.com/receiving-payments/security/downloads-and-resources

PCI DSS and Related Guidance
More about PCI DSS: https://www.pcisecuritystandards.org/pci_security/how
PCI DSS Self-Assessment Questionnaires: https://www.pcisecuritystandards.org/pci_security/completing_self_assessment
Guide: Skimming Prevention: Overview of Best Practices for Merchants: https://www.pcisecuritystandards.org/documents/Skimming_Prevention_At-a-Glance_Sept2014
Infographics and Videos
Infographic: It’s Time to Change Your Password: https://www.pcisecuritystandards.org/pdfs/its_time_to_change_your_password_infographic
Infographic: Fight Cybercrime by Making Stolen Data Worthless to Thieves: https://www.pcisecuritystandards.org/documents/PCI-CyberCrime-FinalR
Video: Passwords: https://www.youtube.com/watch?v=dNVQk65KL8g
Infographic: Passwords: https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Strong-Passwords
Video: Patching: https://www.youtube.com/watch?v=0NGz1mGO3Jg
Infographic: Patching: https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Patching
Video: Remote Access: https://www.youtube.com/watch?v=MxgSNFgvAVc
Infographic: Remote Access: https://www.pcisecuritystandards.org/documents/Payment-Data-Security-Essential-Secure-Remote-Access

PCI Data Security Essentials for Small Merchants and Related Guidance
Common Payment Systems: https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Common_Payment_Systems
Small Merchant Questions for Vendors: https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Questions_To_Ask_Your_Vendors
Small Merchant Glossary: https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Glossary_of_Payment_and_Information_Security_Terms
Infographic: PCI Firewall Basics: https://www.pcisecuritystandards.org/pdfs/Small-Merchant-Firewall-Basics
Evaluation Tool: Acquirer Overview: https://www.pcisecuritystandards.org/pdfs/PCI-DSE-Overview-for-Acquirers
Evaluation Tool: Small Merchant Overview: https://www.pcisecuritystandards.org/pdfs/PCI-DSE-Overview-for-Small-Merchants
Sources and Helpful References
Dept for Culture Media and Sport – Cyber Security Breaches Survey 2023
Ponemon Institute – State of Cybersecurity in Small & Medium-Sized Businesses (SMB) (Sponsored by Keeper Security), March 2023
National Cyber Security Centre – Cyber Security Small Business Guide, 2020
Verizon Data Breach Investigations Report – 2023
About the PCI Security Standards Council

This Guide provides supplemental information that does not replace or supersede PCI SSC Security Standards or their supporting documents.

The PCI Security Standards Council is a global forum for the industry to come together to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. Read more about PCI SSC’s Global Payment Security Engagement Initiative at www.pcisecuritystandards.org/pdfs/PCI_SSC_Partnering_for_Global_Payment_Security

The Council maintains, evolves, and promotes the Payment Card Industry Security Standards. It also provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs.

The Council’s founding members, American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc., have agreed to incorporate the PCI Data Security Standard (PCI DSS) as part of the technical requirements for each of their data security compliance programs. Each founding member also recognizes the Qualified Security Assessors and Approved Scanning Vendors qualified by the PCI Security Standards Council.

All five payment brands, along with Strategic Members, share equally in the Council’s governance, have equal input into the PCI Security Standards Council and share responsibility for carrying out the work of the organization. Other industry stakeholders are encouraged to join the Council as Strategic or Affiliate members and Participating Organizations to review proposed additions or modifications to the standards. Participating Organizations may include merchants, banks, processors, hardware and software developers, and point-of-sale vendors.

[Diagram in the original: PCI SSC participating payment brands; Participating Organizations (merchants, banks, processors, hardware and software developers and point-of-sale vendors).]
Further reading: https://www.pcisecuritystandards.org/pdfs/PCI_Who_We_Are