At the Ghost Town Art & Coffee Co. in Pioche, owner Kelly Garni takes payment for two burgers and a Coca-Cola by sliding a Visa card through a small dongle attached to his Samsung S6 mobile phone.
In short order, Garni and other businesses — big and small — will be able to carry out customer transactions without using cards.
The advancement in payment technology improves the experience for customers and business owners alike. Garni not only can use his phone to accept payment for food and beverage at his five-table cafe, but also for the artwork he sells in Las Vegas.
“The beauty of the whole thing is that it’s surprisingly easy to set up,” said Garni, who estimates about 80 percent of all his transactions are made by card. “It couldn’t be any easier and you can be very mobile.”
However, the improvement in payment technology still comes with data-safety risks that can cripple a small business. Protecting and educating small business owners like Garni was a key theme at the Payment Card Industry Security Standards Council’s annual North American conference held this week in Las Vegas.
The PCI Security Standards Council develops card payment industry standards to ensure that transactions made on Garni’s phone or at a McDonald’s kiosk are secure.
The three-day show attracts 1,400 professionals from various segments of the payment industry, including credit card companies and hardware and software vendors as well as individuals qualified by the PCI Security Standards Council to set up and assess payment systems.
Attendees come to learn about standard updates for existing payment solutions and progress on standards for emerging payment methods like contactless transactions.
Hackers frequently attack large companies because they are seeking financial gains, according to a presentation by Christopher Novak, director of investigative response for Verizon Enterprise Solutions. However, breaches are common at small merchants because they generally do not have the financial resources for an IT department.
Garni is typical of many small merchants, wearing the hat of owner, chief technology officer and janitor.
To assist such business owners in grasping the basics, the PCI Security Standards Council in August updated its Data Security Essential Resources for Small Merchants. The new guide includes a payment system evaluation tool that spells out how owners can protect their particular payment system from a breach.
The council has teamed up with the National Restaurant Association, Chambers of Commerce and other organizations to inform small businesses about Data Security Essential Resources and its evaluation tool.
PCI Security Standards Council Chief Technology Officer Troy Leach said small businesses often use third-party vendors, known as integrators and resellers, to install payment software.
The vendors sometimes create a weak password, disable security features like firewalls or don’t upgrade software patches, leaving the small business vulnerable to an attack, he said.
‘Very basic problems’
Las Vegas resident Tom Arnold, vice president of PSC, a firm specializing in payment security, agreed.
“A large number of the small mom and pop shops look first to the integrators to help them to do this because they are more interested in boiling the spaghetti and not what is going on in the payment terminal,” said Arnold, who attended the conference.
Arnold’s firm assesses the security of payment technology for companies ranging from a single restaurant up to large resorts and multinational companies. PSC also carries out forensic investigations for companies once their payment data system has been breached.
Arnold said his assessors still come across “very basic problems” when analyzing payment systems that are installed and serviced by third-party integrators.
Poor credit card encryption at the point of sale is “still a huge problem,” he said.
Some integrators are themselves vulnerable to breaches, opening the doors for hackers to attack the payment systems of the small businesses they support, he added.
Amid industry concern, the PCI Security Standards Council in 2012 created the qualified integrator and reseller designation to raise the quality of people installing and managing payment software. The designation also helps small businesses choose a specialist. There are 10 qualified integrators in Nevada, according to the PCI Security Standards Council.
Mark Weiner, founder and chief operating officer of Reliant, a data security solutions provider, said he has seen improvement in industry standards, including in credit card data encryption, since the PCI Security Standards Council began qualifying integrators.
New York-based Reliant was the first company to be qualified as an integrator in 2013.
“The council has done a good job of clearing up that problem,” said Weiner, who also attended the conference.
A previous version of this story incorrectly identified Mark Weiner.