Online transactions are faster and more convenient than ever — and also more vulnerable. According to the FBI's Internet Crime Report cited by the SBA, cybercrimes cost small businesses $2.9 billion in 2023 alone. For businesses across the Palouse — from the retail shops downtown to the law firms and financial planners serving the WSU community — that number is a call to action, not background noise.

Who's Actually Targeting Small Businesses?

The "we're too small to be a target" instinct trips up more business owners than you'd expect. In reality, small businesses are attractive precisely because they often lack the security infrastructure of larger companies. Hackers aren't exclusively chasing Fortune 500 databases.

The threat isn't just external, either. According to the U.S. Small Business Administration, employees and internal communications are the leading cause of small business data breaches because they are direct pathways into business systems. A single phishing email that fools one staff member can compromise an entire customer database.

PCI Compliance: Not Just for Big Retailers

If your business accepts credit or debit cards — in person, online, or by phone — you're subject to PCI DSS (Payment Card Industry Data Security Standard). According to the PCI Security Standards Council, PCI DSS covers every payment merchant, including small businesses, regardless of size or transaction volume. Encrypting cardholder data with strong cryptography satisfies PCI DSS Requirement 3.5.1.

The standard isn't reserved for large retailers. A boutique on Grand Avenue or a therapist accepting card payments through a website portal carries the same baseline obligations as any enterprise.

New Password Rules That Took Effect This Year

PCI DSS received a significant update in 2025. As of March 31, 2025, the PCI DSS 4.0 password requirements raised the minimum business password length to 12 alphanumeric characters — nearly double the previous 7-character minimum — and banned hard-coded passwords in scripts or custom code.

That's a gap easy to close, but only if you know it exists. Now is a good time to audit your systems and update any credentials that fall short of the new standard.

Third-Party Processors Don't Cover Your Security

This surprises a lot of small business owners. Using Stripe, PayPal, or Square does not make your business automatically PCI compliant — you remain responsible for securing your own systems and processes. The FTC's Start with Security guide warns that payment device skimming attacks are now common, and businesses must protect payment-collection hardware itself, not just back-end servers.

What that means in practice:

• Your internal network and device security still matter, regardless of which processor you use

• A compromised point-of-sale device at your front counter is your liability, not your processor's

• Employees who interact with payment systems need ongoing security training, not just a one-time orientation

Document Security: Beyond the Payment Page

Secure transactions aren't limited to payment data. Contracts, agreements, and authorizations are equally vulnerable when they move through unprotected channels. E-signature authentication is the practice of verifying signer identity and maintaining a tamper-evident record of who signed what, and when.

When you request an online signature through a dedicated platform, documents travel through encrypted channels, signers are tracked through a full audit trail, and the integrity of the final document is protected from tampering. For a Pullman law firm or financial planner handling sensitive client agreements, that audit trail isn't just convenient — it may be legally essential.

A Framework That Ties It All Together

Good cybersecurity isn't a single setting you flip on. It's a set of ongoing behaviors built around knowing your vulnerabilities and having a plan before something goes wrong. The Federal Trade Commission recommends that small businesses adopt the free NIST Cybersecurity Framework, which covers six key areas: Govern, Identify, Protect, Detect, Respond, and Recover.

The framework scales to any business size and is updated to reflect current threats. Think of it as a structured starting point — not a compliance checkbox, but a way to identify the gaps you don't yet know you have.

Quick Security Checklist for Pullman Businesses

Before your next online transaction, run through these fundamentals:

• [ ] Passwords are at least 12 alphanumeric characters (PCI DSS 4.0 minimum, effective March 2025)

• [ ] No hard-coded credentials in scripts, integrations, or checkout code

• [ ] Payment devices are physically secured and inspected regularly for tampering

• [ ] Staff have received phishing awareness training in the past 12 months

• [ ] Contracts and agreements flow through an authenticated e-signature workflow

• [ ] A written incident response plan exists — even a one-page version counts

Protecting the Palouse Economy, One Business at a Time

The Pullman Chamber of Commerce connects local businesses with resources, events, and expertise — including monthly Good Morning Pullman breakfasts and recent programming on emerging technology. Cybersecurity is the less glamorous side of that same conversation. It doesn't generate the excitement of an AI presentation, but it's what keeps a business standing after a bad day.

The FTC and SBA resources linked above are free, written specifically for small businesses, and regularly updated. Starting with one — whether it's the NIST framework or the PCI DSS checklist — is a better first move than waiting until a problem forces the issue.

Bottom line: Secure online transactions require layering protections across payments, documents, devices, and people. No single tool or third-party service handles all of it for you.