Why Small Merchants Rely on Payment Providers for Cybersecurity

Part two of our Cybersecurity Month 2023 series examines an increasingly concerning trend in cybercrime – targeting small businesses. 

60% of small businesses that suffer a cyberattack go out of business within six months – a terrifying statistic. Yet, despite being at the highest risk, research shows that small business owners are generally the least concerned with the threat of a cyberattack. One reason for this is a lack of education. Smaller merchants may not understand the risks they face, especially in the ecommerce world. The ones that do take cybercrime seriously need help to protect themselves. 

Small businesses often lack the resources to invest in expensive endpoint detection and response (EDR) systems or fraud-prevention tools. However, it’s important to remember that a successful cyberattack doesn’t just hurt the merchant. It also puts payment providers like ISOs (independent sales organizations), PayFacs (payment facilitators) and ISVs (independent software vendors) at risk. 

To protect small businesses from fraud and cyberattacks, payment providers must:

• Educate merchants on the risks of cybercrime
• Offer the low-effort, low-friction tools required to survive 

Cybercriminals Are Looking for Smaller and More Downstream Targets

When people think of cyberattacks and data breaches, they generally think of the ones that make the news. In reality, the most significant cyber threats aren’t headline-making strikes against huge targets like Yahoo and Microsoft – they’re attacks against small businesses. 

While it's difficult to pinpoint an accurate number of cyberattacks (primarily due to under-reporting), most cybercrime reports sent to the FBI’s Internet Crime Complaint Center originate from small businesses. 

Small Businesses Are Easy Targets

Cyberattackers go after small merchants for obvious reasons – they’re easy targets. While the average large business spends over $700,000 on cybersecurity, the average small business spends under $20,000. Unfortunately, even those with additional funds may not take the threat of cybercrime seriously. Only 37% of small merchants think they’re at risk of a cyberattack in the next 12 months, and 64% believe they could quickly resolve an attack if one occurred. 

Cyberattackers are more than happy to take advantage of that apathy and overconfidence. Compared to big businesses that deploy significant capital and resources towards cybersecurity, small businesses are low-hanging fruit ripe for the picking. 

Downstream “Third-Party” Attacks are Accelerating

Another reason smaller businesses are experiencing more cybercrime is the increasing prevalence of third-party attacks. Third-party attacks use connections between various IT systems to target weak links, gaining access to victims through their partners. 

54% of organizations say they were the victim of a breach in the past 12 months caused by one of their third-party partners. 

With limited resources to build in-house solutions, small businesses must work with third-party partners to fill gaps in their tech stacks and services. Unfortunately, connecting with multiple third-party providers means small businesses are:

• At risk of being targeted through their partners
• At a higher risk of becoming the entry point for a third-party attack 

Security as a Differentiator: How Payment Providers Can Stand Out (and Earn More)

The biggest cybersecurity problems small businesses face are cost and complexity. The average merchant doesn’t have the resources to pay for extensive security systems. Even fewer have the ability or time to build or manage these systems in-house. As a result, merchants who take steps to protect themselves against cyber threats must depend on accessible third-party tools.

When it comes to payments (one of the most critical aspects of cybersecurity), merchants must rely on their providers for protection. Certain aspects of payment security – such as baseline encryption and fraud detection – are built in. Unfortunately, they’re typically not enough. 

That means payment providers have an opportunity to help their merchants bolster their security (and generate extra fees while doing it). Value-added services like PCI-DSS assistance, data tokenization, off-site data storage and AI-powered fraud prevention can make cybersecurity a quick and inexpensive solution for merchants.

PCI-DSS Assistance

For merchants, the first line of defense against cyberattacks and data breaches is ensuring they’re fully compliant with PCI-DSS (payment card industry data security standard). This is the set of security standards major card networks put in place to ensure consumer payment data is safe. 

Unfortunately, most merchants don’t understand PCI requirements. Helping them navigate compliance is a great way to provide value, either as part of a standard support offering or a paid service. 

Data Tokenization

One of the most powerful ways payment providers can help merchants safeguard themselves is by offering payment data tokenization. Tokenization goes above and beyond traditional encryption methods by replacing encrypted data with a separate token. Tokens are unique because they don’t store original data, making them nearly impossible to crack. 

As a result, merchants handling tokens instead of traditionally encrypted data are at a lower risk of a data breach. Tokenization also reduces the scope of PCI requirements, accomplishing two tasks at once. Offering tokenization as a value-added service is an easy way to supercharge a merchant’s cybersecurity with little-to-no friction involved. 

Off-Site Data Storage

Merchants rely on card data storage to offer a streamlined ecommerce experience. For subscription merchants, payment storage is the only way to keep recurring payments running without interruption. For others, stored payment data enables them to offer faster checkout experiences and one-click buying (without customers entering their payment information for every purchase). 

Off-site data storage services allow providers, rather than merchants, to store saved payment data. Instead of housing customer information, merchants can use tokenized data to authorize transactions. This gives merchants all the upside with none of the risks. This makes off-site storage a valuable service, especially for subscription sellers. 

AI-Powered Fraud Protection Tools

Fraud and cybercrime are highly intertwined. According to research from Verizon, the use of stolen cards is the second most common attack on small businesses with 10 employees or less. It is second only to ransomware. 

As part of a complete defense against online criminals, merchants need robust anti-fraud tools beyond basic checks. AI-powered tools, like Kount, are an ideal way to tighten a merchant’s security. These solutions use machine learning and a massive database generated by billions of transactions to analyze each card transaction and quarantine (or reject) payments that trigger red flags. 

Fraud prevention tools are an ideal value-added service because merchants can put them to work effortlessly. They also offer enormous value at minimal cost. 

Next Up: PCI Compliance Doesn’t Have to Be Hard

In next week’s installment of our Cybersecurity Month series, we’ll look at one of the most misunderstood payment topics – PCI compliance. PCI-DSS is your merchants' first line of defense against cyber threats – but only if they comply with the rules. We’ll look at why PCI compliance is so important and why getting there is a much simpler process than it seems. 

Until then, reach out to a member of our team to learn how NMI’s modular payment system and value-added security services can help your merchants fight off cyber threats.