CHICAGO -- Keeping small merchants safe from data breaches doesn’t have to break the bank.

“It’s a misconception that it has to cost a lot of money,” ControlScan’s Chris Bucolo said here yesterday at the Midwest Acquirers Association’s 11th Annual Conference. “Most attacks are not that sophisticated, and so they’re not hard to block.”

Simply changing passwords can foil cyber thieves who cruise the internet trying to guess what words will give them access to sensitive data, Bucolo notes, adding that a regional retailer with 20 stores and a single password can provide a bonanza for thieves.

Instituting security measures in stages spreads the cost and eases the pain for merchants, he suggests.

“It has to be something that they can swallow economically,” Bucolo says. “You have to win their confidence first.”

Merchants can save money by dividing employees into categories based on how much they need to know about security and providing only as much training as necessary.

For $60 to $70 a month, merchants can have a managed network firewall that greatly reduces the chance of a breach, he says.

Besides firewalls on the main system, defenses should include firewalls on remote devices, Bucolo advises.

Avoid using point of sale systems to browse the internet, he warns retailers.

Ensure that all third-party service providers are observing best practices, he says.

And independent sales organizations and sales agents can help by making sure clients comply with Payment Card Industry data security standards, Bucolo maintains.

ISOs find that incentives can help persuade merchants to comply with PCI standards and that disincentives, such as fees, can discourage them from failing to comply, he says.

Types of merchants at high risk for breaches include hospitality, retail chains, pizza parlors, Mexican restaurants and universities, Bucolo notes.

Medical-services providers are emerging as a medium risk, he says.

Focusing first on high-risk merchants makes sense, Bucolo suggests. The most valuable merchants often have the most complexity, including multiple locations, e-commerce operations, web applications they’ve developed in-house and an inclination to do their own hosting, he continues.

Meanwhile, some security problems are becoming more severe. Some merchants, for example, are becoming less likely to use tokenization because they suspect EMV will rescue them from breaches, Bucolo says.
