CERT NZ is encouraging local businesses to get a better understanding of their online transaction obligations after
research showed 61% of business owners responsible for their small and medium enterprise (SME) website had no real
knowledge of the necessary requirements to keep customer payment data safe.
A survey 1 conducted by CERT NZ revealed that approximately 39% of SMEs that already have an online store had never
heard of the Payment Card Industry Data Security Standard (PCI DSS), which is an international requirement for any
website that accepts, transfers or stores customer payment data.
Established in 2006 by an independent body of major credit card companies, PCI DSS requirements, when followed, will put
organisations in a strong position to defend themselves against attackers trying to steal customers’ credit card
details. For a business owner this means taking the guess work out of what they need to do, and having specific measures
in place and documented to share with service providers, detailing exactly what is needed for security.
While 16% of survey respondents with an e-commerce website were aware of PCI DSS, they did not fully understand what the
requirements entail. None of those with e-commerce stores had an extremely good understanding of PCI DSS and only 17%
felt they had a reasonably good understanding of the security standards.
“We believe it’s important to raise awareness about PCI DSS amongst SMEs, especially given the number of businesses that
were driven to move online swiftly during lockdown. In doing this, some vital security measures that protect e-commerce
websites may not have been front of mind,” says CERT NZ’s Director, Rob Pope.
“For those businesses it’s really important to go back and undertake an audit of all their security measures to ensure
they are as protected as they can be. Just as business owners lock up their physical shop to keep it safe, they need to
take similar precautions with their online store.”
Examples include regularly backing up the website and key databases, and conducting quarterly vulnerability scans on an
e-commerce website.
“Not only is it a requirement, it’s in a business owner’s best interest to adhere to PCI DSS. It will give them peace of
mind that their website is less likely to be compromised, and provide their customers with greater assurance that it’s
safe to buy from them online,” says Mr Pope.
“The current uncertain climate demonstrates just how important an online store is to a business, and how important it is
to safeguard it.
“Running a business can be hectic, but we’d recommend business owners take the time to have a chat with their bank to
get a better understanding of their PCI DSS obligations.”
More information about how businesses can trade safely online is available on CERT NZ’s website: https://www.cert.govt.nz/business/guides/secure-your-website/protect-it/