I was concerned to read a recent report of a study by SecurityMetrics, a vendor of merchant data security solutions, which claims that 71% of the merchants who took part were found to store unencrypted payment card data. This is a direct violation of the mandatory Payment Card Industry Data Security Standard (PCI DSS). And it apparently reflects an increase of 8% on last year.
Who is at fault? That’s not difficult to pinpoint, given that Visa estimates that its smallest business customers account for 95% of its breaches. Why are small businesses to blame? The answer is that no one has bothered to educate them. Who should have done this? Industry and government are both at fault.
It is well over a year since the Information Commissioner’s Office published my research into the availability of advice on security for small and medium-sized organisations. It was pretty damning, pointing out that most advice was unsuitable, incomplete or in the wrong place. Amongst other things, it pointed to the absence of any advice on PCI DSS on the major educational sites.
The report was widely discussed and presented. Yet little seems to have been done. Where does one look? A quick glance at Get Safe Online turns up a blank on PCI DSS. A pointer from Get Safe Online to a Business Link site results in a server error on the first question. A pointer from Get Safe Online to Microsoft’s Small Business Centre contains no mention of PCI DSS. A click to a Symantec guide results in an “access forbidden” message.
So who should take the lead on advice to small companies? Given that the UK Government has such a high-profile investment in cyber security, I think they should start to roll up their sleeves.