You wouldn’t hand a new driver a car without making sure they’ve learned safe driving practices first, right?
As the one equipping your small business customers with their technology, providing them with the know-how to avoid becoming a victim of various cybercrimes is just as important as selling it to them in the first place.
This is especially true if your clients are going to use fintech that collects and processes sensitive data and financial information: they need to know how to keep it secure. Otherwise, they’re putting themselves, their customers, and their businesses in danger.
You can help your customers avoid risks and feel in control of their security. But if you aren’t sure where to start, don’t worry. Simply read on. We’ll cover the top three security topics you should talk to your customers about, including the specific threats they pose and solutions to stop them.
- PCI compliance
- Phishing
- EMV® chip card acceptance
Before we jump in, remember that security is an ongoing, ever-evolving conversation. Consider this your guide to getting that conversation started.
PCI compliance
When kicking off this compliance talk, start with the basics.
First, make sure your customers understand that if they accept credit or debit cards, they have entered into a merchant agreement with the major card brands: Visa, Mastercard, American Express, Discover, and JCB. In exchange for the ability to accept cards, they agree to comply with the PCI Data Security Standards (PCI DSS) to ensure the sensitive card data they’re processing, handling, transferring, and storing is protected.
Next, it’s a good idea to cover the many vulnerabilities businesses face due to the resourcefulness of today’s cybercriminals.
Start by explaining where the need for these global security standards arose from, or rather, what specific threats they were created to combat. Feel free to share the following definitions with your clients:
- Hacking: The systematic testing for, finding, and exploiting of weaknesses in a business’ data security defenses by people, bots, or automated tools. Once inside the system, hackers can deploy malware to gain control over sensitive data. We call this a data breach.
- Malware: This is phase two of hacking. Once they’ve breached a system, cybercriminals deploy software designed to invade and disrupt a computer network and gain unauthorized access to sensitive information. Malware captures information, spreads to other systems, and rewrites program code to leave an entire system vulnerable to further attacks. It can operate secretly for long stretches of time, leaking or transferring important data to hackers all the while.
- Ransomware: The name says it all: a ransomware attack is malware that holds a business’ data captive until the business pays a ransom to get it back. It does this by encrypting or disguising the data, then demanding the victim pay a ransom, often in cryptocurrency, to obtain the encryption key that will decode and restore their files.
Remind clients that PCI DSS is a set of benchmarks that were created to show businesses exactly how to safeguard cardholder data.
While it sounds simple enough to learn the rules and follow them, they shouldn’t make the mistake of thinking this is something they can check off their list once and forget about. Maintaining PCI compliance is a continuous process. If your customers don’t apply constant maintenance to their fintech security, they open their business up to vulnerabilities.
Try putting it to them this way: You wouldn’t skip locking your door when you leave the house tomorrow just because you locked it yesterday. Cybersecurity works the same way.
If your customers need a rundown of the complete list of PCI DSS requirements, you can give them this overview. Just note, it’s the newest version of PCI standards, PCI DSS v4.0, and addresses emerging cyber threats. Luckily, business owners have plenty of time to comply with this version.
The current version of security standards, PCI DSS v3.2.1, will remain active for two years after March 31, 2022, but you can provide extra value to your customers by not only helping them comply with the current standards, but also familiarizing them with the new standards ahead of time, so they can make a plan for implementing the necessary changes when the time comes.
PCI Data Security Standard - High Level Overview
If your customers have worry lines between their eyebrows at this point, this is the perfect time to reassure them about the technologies available to help achieve and maintain PCI compliance.
- Self Assessment Questionnaire (SAQ): SAQs can be lengthy and technically complex, so your guidance and expertise will be crucial in helping your clients complete them when their annual due date comes around. But navigating SAQs alone is a tall order for any ISV. For a more scalable approach, consider partnering with a trusted provider whose solution can help you and your customers easily select and complete SAQs with expert support.
- Antivirus software: While your customers are likely familiar with this tech that detects and eliminates viruses, it’s still a good idea to perform an analysis of what they currently have in place. Make sure the antivirus software they have installed is reputable, is updated regularly, and is scheduled for full system scans at least once a week to detect any malware that could be running in secret. Encourage them to scan for malware whenever they run into suspicious activity as well.
- Firewall: While antivirus software detects any viruses that slip through, a firewall blocks unauthorized traffic from entering in the first place. A firewall, which can be hardware, software, or both, acts as a barrier between your customers’ network and the internet to keep out unauthorized traffic. Experts recommend small businesses invest in a more robust hardware firewall to protect their network. Regardless of which kind your customers decide to go with, the important thing is that they add this critical layer of security and that their firewall is configured properly.
- Secure remote access: The number one point of entry for attacks against brick-and-mortar businesses is insecure remote access. So this is a good rule of thumb to give your customers: only allow remote access when absolutely necessary. Encourage them to establish security policies that limit use of remote access and to request that their vendors disable it when it’s not immediately needed. Another good practice is to require multi-factor authentication and unique credentials in order to gain remote access. And don’t forget to be mindful of your own use of remote access if you use it to troubleshoot and run updates on your clients’ systems.
Payments security products
As part of our EdgeShield® security services bundle, Global Payments Integrated offers a program designed to deliver your customers a simplified path to compliance called PCI ASSURE®.
Our service reduces the number of required SAQ questions significantly to just 24 and gives your clients 24/7 access to our web-based client portal to get a walkthrough of SAQ requirements.
PCI ASSURE also provides Network Vulnerability Scans to find any potential problems or threats in your clients’ environments before a compromise occurs. We run a comprehensive system scan, then generate an easy-to-understand report that details the results along with instructions to fix any issues. Our Security Policy Builder can even create a set of custom security policies for your clients.
If you or your clients need additional support, our in-house compliance team is always there to help with dedicated, live assistance every step of the way.
Phishing
Unlike PCI compliance, phishing is probably something small business owners have been exposed to in their personal lives, as it targets everyday people through communication channels. But protecting personal accounts against phishing attempts and protecting a whole business against them are two very different things.
Your goal is to help them understand this difference.
Let's dive in.
All phishing is a type of social engineering, or psychological manipulation through human interactions. Typically, a fraudster will investigate the intended victim, gather information on potential points of access or weaknesses, then move to gain the victim’s trust in order to get them to break security protocol. This is often a cybercriminal’s gateway to payment fraud, with roughly 90% of data breaches being caused by phishing.
What makes phishing so tricky is that it can be hard to spot.
For small businesses specifically, these are the main types of phishing you should warn your customers to look out for:
- Phishing: At its core, all phishing is the use of fraudulent messages designed to fool a victim into taking a harmful action, such as unknowingly handing over their data. Scammers extract sensitive information from cardholders and businesses alike in a number of ways, including vishing (voice phishing or phishing done by phone), smishing (SMS or text message phishing), and angler phishing (phishing done via social media direct messages).
- Whaling: With this type of phishing attack, the fraudster impersonates someone high up in the organization like the CEO, a senior colleague, or in your customers’ case, the business owner. The scammer will often target another high profile individual at the organization and include an urgent request to perform a specific action such as making a purchase on the sender’s behalf. Whaling attacks can also be aimed at stealing sensitive information or gaining access to computer systems.
- Spear phishing: Think of this as a focused approach to phishing. While some phishing attempts are sent out at random to a mass list, spear phishing is a highly specialized attack, targeting specific individuals or groups within a business. Spear phishing scammers often research the target prior to their attack and tailor their messages based on job positions, contacts of the victim, and more personal details to make them difficult to detect.
Once you’ve covered the many faces of phishing scams, let your customers know that their best defense against it is employee training.
Aside from the business owner, employees are often the primary target of phishing emails. So your best bet is to instruct your customers to build a company culture of cybersecurity by offering regular awareness training or workshops.
Be sure to emphasize that education starts at the top.
When helping your customers understand how to spot phishing attempts, call out these red flags:
- Threats of account closure or other serious consequences if the reader doesn’t take action
- Requests or demands to share sensitive data
- Sense of urgency
- Spelling errors and strange grammar
- Email addresses or links that don’t match the sender’s domain
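As an added illustration of how these red flags could be checked automatically (example code written for this article, not a Global Payments Integrated product; the sample message, its domains, and the phrase lists are all constructed):

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrase lists mirror the red flags listed above (constructed for this demo).
URGENCY = ("immediately", "within 24 hours", "urgent", "right away")
THREATS = ("account will be closed", "will be suspended", "legal action")
DATA_REQUESTS = ("password", "card number", "social security number", "pin code")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registered_domain(host: str) -> str:
    """Keep the last two DNS labels (demo simplification; production code would
    consult the public suffix list so names like example.co.uk are handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def address_domain(header_value: str) -> str:
    addr = parseaddr(header_value)[1]
    return registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""

def phishing_flags(raw_message: str) -> list:
    """Return the red flags found in one raw RFC 822 message with a plain-text body."""
    msg = message_from_string(raw_message)
    sender = address_domain(msg.get("From", ""))
    flags = []
    reply_to = address_domain(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        flags.append(f"reply-to domain {reply_to} differs from sender {sender}")
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    for url in URL_RE.findall(text):   # links whose domain is not the sender's
        link = registered_domain(urlparse(url).hostname or "")
        if link != sender:
            flags.append(f"link domain {link} does not match sender {sender}")
    if any(p in text for p in URGENCY):
        flags.append("sense of urgency")
    if any(p in text for p in THREATS):
        flags.append("threat of account closure or other consequences")
    if any(p in text for p in DATA_REQUESTS):
        flags.append("request for sensitive data")
    return flags

# Constructed sample message; every domain is a reserved .example name.
SAMPLE = """From: "Acme Bank Alerts" <alerts@acme-bank.example>
Reply-To: verify@mail-secure-login.example
Subject: Urgent: your account will be closed
Content-Type: text/plain

Confirm your password within 24 hours at http://acme-bank.verify-login.example/confirm or your account will be closed.
"""
```

Running `phishing_flags(SAMPLE)` reports all five red flags, while a routine statement notice linking back to the sender's own domain reports none.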
If your customers or their employees do receive a suspicious email, make sure they follow these steps:
- Don’t click on anything in the email
- Don’t open any attachments
- Search the sender’s company online
- Call the phone number listed on the company’s website and ask about the issue directly
- Report the email as a phishing attempt
The bottom line? Protecting a small business against phishing takes a village, but it’s possible with the right training.
Payments security products
Global Payments Integrated can help educate and train your customers’ staff on how to protect sensitive data with our Security Awareness Training when they sign up for our PCI ASSURE service.
If one of your customers or their employees does fall for a phishing attempt and a data breach occurs, Global Payments offers developers breach reimbursement as part of our security bundle. As an extra measure of security, this breach protection program covers up to $150,000 in legal costs associated with a developer’s defense against a customer in the unlikely case of a card data breach.
EMV chip card acceptance
Our final topic has to do with your customers’ POS systems. Over the past few years, chipped cards have grown to represent the majority of credit cards in use. Today, we’re living in a world where EMV is the norm.
And while you might know the ins and outs of EMV like the back of your hand, for many, the switch from swiping to dipping their credit cards was just that—a change. Surprisingly, the reason behind why the switch was made is not as commonly known as you might expect.
So consider taking a moment to talk through exactly what this technology was designed to prevent if you have customers who are:
- Holding out on integrating EMV card readers into their POS system
- Aware that EMV is important but could use a refresher on the significance as to why
Put it to your customer plainly: not processing chip cards with an EMV-enabled terminal makes them a perfect target for counterfeit card fraud.
What happens after fraud has taken place? When the cardholder whose card was counterfeited sees a fraudulent purchase on their billing statement, they will likely dispute it by filing a chargeback, or asking their bank to reverse the transaction. If the bank finds the cardholder’s claim to be valid after investigating, it will then issue a chargeback.
At this stage, the amount of the original sale will be deducted from your client’s account and refunded to the cardholder—essentially forcing your client to pay for their own inventory twice. And your client’s business will be hit with a chargeback fee.
On top of that, if your customer gets one too many high-dollar chargebacks, they could face even more serious consequences from the card brands. We’re talking devastating consequences like getting banned from accepting debit or credit cards at all.
This scenario is bad for your client, bad for the customer experience, and bad for business.
Okay, enough doom and gloom. Time to tell your clients something good: EMV chip card technology changed everything in making transactions more secure. All they have to do is have EMV-enabled card readers and encourage their customers and employees to dip or tap debit or credit cards at checkout instead of swiping them.
When explaining this, make sure they understand why a seemingly small change makes such a big difference: with EMV cards, the chip generates a unique, one-time transaction code (a cryptogram) every time the card is dipped or tapped—and it can’t be used again. So if a criminal tried to skim a chip card, they would be disappointed, since the specific code they captured would be invalid for future purchases. Any attempted transaction with that duplicate card would get denied.
That’s why it’s so important your customers are EMV compliant. In other words, they need to upgrade their POS equipment to securely accept and process EMV chip card technology.
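To show why a captured transaction code is useless to a fraudster, here is an added, deliberately simplified model of the per-transaction code check (illustrative code written for this article, not the EMV specification or any Global Payments Integrated product; real cards use issuer-defined keys and MAC algorithms, and the card key, PAN and amounts below are constructed):

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Simplified stand-in for EMV's per-transaction cryptogram (illustration only).
# Two properties carry the argument: each code is bound to a counter that only
# increases, and it is a keyed MAC that only the chip (and issuer) can compute.

@dataclass
class Card:
    pan: str
    key: bytes          # secret shared only with the issuer; never leaves the chip
    atc: int = 0        # Application Transaction Counter, incremented per use

    def cryptogram(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self.atc += 1
        data = self.atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + terminal_nonce
        mac = hmac.new(self.key, data, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "nonce": terminal_nonce, "mac": mac}

@dataclass
class Issuer:
    keys: dict                                   # pan -> card key
    last_atc: dict = field(default_factory=dict) # highest counter seen per card

    def authorize(self, tx: dict) -> bool:
        key = self.keys.get(tx["pan"])
        if key is None:
            return False
        data = tx["atc"].to_bytes(2, "big") + tx["amount"].to_bytes(6, "big") + tx["nonce"]
        expected = hmac.new(key, data, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, tx["mac"]):
            return False        # altered or forged: the MAC no longer verifies
        if tx["atc"] <= self.last_atc.get(tx["pan"], 0):
            return False        # replay: this counter value was already spent
        self.last_atc[tx["pan"]] = tx["atc"]
        return True

def demo() -> tuple:
    """Genuine purchase, then a replay of the captured code, then a tampered copy."""
    key = secrets.token_bytes(16)
    card = Card(pan="TEST-PAN-0001", key=key)    # constructed sample values
    issuer = Issuer(keys={card.pan: key})
    tx = card.cryptogram(1999, secrets.token_bytes(4))
    genuine = issuer.authorize(tx)                        # True
    replayed = issuer.authorize(tx)                       # False: same ATC again
    tampered = issuer.authorize(dict(tx, amount=50000))   # False: MAC mismatch
    return genuine, replayed, tampered
```

A copied magnetic stripe carries only static data, which is why a skimmed stripe can be replayed but a skimmed chip transaction cannot.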
Payments security products
So, what’s the safest route? Make sure you have EMV-enabled technology to offer your customers and that you continue to urge them to let you implement it.
Global Payments Integrated delivers one of the industry’s most secure payments platforms while enabling ISVs for EMV. With our EdgeShield® advanced security services bundle, you can integrate key security capabilities into your unique software offering that prevent counterfeit fraud and protect credit card data while at rest and in transit, including EMV technology, end-to-end encryption, and tokenization.
We also offer an EMV-ready Hosted Payment Form for your clients’ card-not-present transactions, with a secure and simple integration for installed or cloud-based software.
Explore secure solutions
If you’ve solved some problems for your customers and helped them create a solid cybersecurity strategy by the end of these conversations, great! If you’ve identified other areas where they might need help strengthening their security against cyberattacks, even better.
Remember, these three conversations about cybersecurity threats and how to protect against them are meant to help you open up a channel of communication with your customers to use throughout the duration of your working relationship.
And as with any good conversation, listening is paramount. As you work through the guide, your customers will likely tell you where they need help or feel less than confident through the complaints they bring up as you talk. If you listen carefully, by the time you finish discussing this set of topics—or even find yourself off script due to your customer’s specific concerns—you’ll have a roadmap for how to provide value going forward.
If you want to back up your cybersecurity conversations with tangible solutions to keep your customers safe, check out what Global Payments Integrated has to offer. Security is at the core of our services — our solutions empower you, as an ISV, to connect your customers to a payment platform they can trust.
Contact us today to learn more about how you can offer your clients an all-in-one software and security solution with a simple API integration.
EMV is a registered trademark or trademark of EMVCo LLC in the United States and other countries. www.emvco.com.