
By Tony Anscombe, Chief Security Evangelist at ESET
In today’s threat-heavy climate, Australian small and medium-sized businesses are sitting in the crosshairs of cybercriminals, especially when it comes to payment systems. These platforms aren’t just business-critical; they’re a digital magnet for attackers, offering a gateway to sensitive financial data, customer trust, and regulatory landmines.
And it’s important to note that most cyberattacks hitting Aussie businesses aren’t blockbuster-level breaches. They’re quiet, quick, and often devastating, particularly when prevention hasn’t been prioritised.
Why SMEs Can’t Afford to Stay Reactive
In the 2023–24 financial year, the Australian Signals Directorate (ASD) received over 87,400 cybercrime reports, averaging one every six minutes. While this represents a 7% decrease from the previous year, the threat remains significant. Small businesses reported an average loss of $49,600 per incident, up 8% from the previous year, while medium businesses reported an average loss of $62,800, a decrease of 35%.
Most of these attacks aren’t sophisticated either. Many exploit basic gaps such as default passwords, outdated software, and lax access controls. That’s why the shift to a prevention-first mindset is long overdue.
What Does “Prevention First” Actually Look Like?
It’s not about buying the fanciest tools or outsourcing everything to a managed service provider. It’s about taking smart, deliberate steps to protect what matters most: customer payment data. That starts with understanding and implementing the Payment Card Industry Data Security Standard (PCI DSS), the global set of rules that provides practical steps for securing payment systems.
Many SMEs might assume that using a third-party payment gateway (like Worldpay or Stripe) means PCI DSS no longer applies to them. That’s a dangerous misconception. While outsourcing reduces the technical burden, it doesn’t eliminate responsibility. In fact, PCI DSS applies to both the gateway provider and the merchant, especially when sensitive payment data is processed or transmitted by both parties. SMEs need to understand this shared responsibility and ensure their chosen provider is PCI compliant.
Even though PCI DSS isn’t legally enforced in Australia, non-compliance can still lead to serious financial and reputational fallout. It’s considered best practice for any business handling card payments. So if you’re an SME storing, processing or transmitting cardholder data, it’s time to get familiar.
Key Moves to Secure Your Payment Systems
1. Lock Down Your Network
Before anyone gets to your payment data, they go through your network. That means your first job is making sure it’s not swinging wide open. Strong perimeter firewalls are a must, as is disabling any unnecessary ports or services. Default system settings and passwords should be changed the minute a product is installed, no exceptions.
Modern threats don’t just come in through the front door, either. They often slip in through side doors via old printers, forgotten IoT devices, and other poorly configured tech. Routine network scans help find these blind spots before an attacker does.
2. Encrypt Cardholder Data at Every Step
If your business handles credit or debit card data, encryption needs to be second nature. AES-256 remains the industry standard for strong encryption. Don’t stop there though; make sure the data is encrypted not just while it’s moving, but also when it’s stored (if it has to be stored at all).
Better still, limit what you keep. Don’t hold on to full card numbers, CVVs, or expiry dates unless you absolutely have to. The less you store, the less you’re liable for.
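As an added example (not code from the original article), here is how the “limit what you keep” advice above might be applied to an incoming order before anything is written to storage: the CVV and expiry are dropped, the PAN is masked to the first six and last four digits, and a keyed HMAC-SHA256 token stands in for the full number wherever a lookup is needed. The sample record, the key and the function names are constructed for illustration; AES-256 encryption of any PAN you genuinely must retain is a separate step not shown here.

```python
import hashlib
import hmac
import re

# Constructed sample order, as a POS or e-commerce handler might receive it.
# The PAN is a widely used test number, not a real card.
RAW_ORDER = {
    "order_id": "A-1001",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/27",
    "cvv": "123",
    "amount_aud": "49.95",
}

# Hypothetical tokenisation key. In a real deployment it lives in an HSM or
# secrets manager and is never committed to source code.
TOKEN_KEY = b"example-key-replace-with-managed-secret"


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: catches mistyped PANs before they are processed further."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS permits displaying at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenise_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed hash: usable as a lookup key, not reversible to the PAN without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def minimise(record: dict) -> dict:
    """Return only the fields that are safe to keep; CVV and expiry are dropped."""
    pan = re.sub(r"\D", "", record["pan"])
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("invalid PAN")
    return {
        "order_id": record["order_id"],
        "amount_aud": record["amount_aud"],
        "pan_masked": mask_pan(pan),
        "pan_token": tokenise_pan(pan),
    }
```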
3. Control Who Gets Access
Only give access to people who genuinely need it, and even then, make them prove who they are. Role-based access controls and multi-factor authentication (MFA) are essential here.
Physical security matters too. If your payment systems sit on an on-premises server, that server needs to be locked down. Literally. Whether it’s a data cabinet or a server room, keep physical access tight.
4. Monitor Everything, Test Often
If you’re not watching your systems, you’re flying blind. Set up real-time monitoring tools and review access logs frequently. This can catch suspicious behaviour early, before it turns into full-blown theft or disruption.
Penetration testing (pen testing) and vulnerability scans should be regular events, not once-a-year checkbox items. Attackers are persistent, so your testing schedule should be too.
Don’t wait for a breach to figure out your game plan. Every SME should have an incident response plan that’s written down, rehearsed, and ready to deploy.
5. Make Cybersecurity Everyone’s Job
People remain the weakest link in most breaches. [1]
In November 2024, The Information and Privacy Commission released the first NSW Mandatory Notification of Data Breach Scheme Trends Report. It revealed that 79% of all reported breaches were caused by human error in NSW Government Agencies. [2]
Teach your staff to spot phishing emails, social engineering tactics, and dodgy links. But don’t just hand them a training video once a year; you need to build cyber awareness into your company culture.
Everyone (from the intern to the finance director) should know what to do if something looks off.
6. Update and Patch Everything
It sounds basic, but outdated software is still one of the top ways attackers get in. Whether it’s your point-of-sale (POS) system, your e-commerce plugin, or the router in your back office, if it’s out of date, it’s a risk.
Use automated patch management tools where possible and track all updates. And don’t forget third-party providers; if you use an outsourced payment gateway or cloud service, make sure they meet PCI DSS too.
What Does PCI DSS v4.0 Add to the Mix?
The latest version of PCI DSS (v4.0) rolled out in 2022, and full compliance was required by March 2025. It includes some key updates:
- Stronger authentication requirements, especially for remote access
- Increased flexibility for different types of organisations, including SMEs
- Expanded logging and monitoring expectations
- Customised approach pathways, allowing businesses to show compliance in ways tailored to their environment
It’s more adaptable than previous versions but also more demanding. The focus is squarely on ongoing security, not just ticking boxes.
A Smarter Approach to Risk
Cybersecurity isn’t just an IT problem anymore. It’s a business and operational priority. And while it’s true that SMEs often lack the resources of big corporations, they also tend to move faster and implement changes more nimbly.
Here’s what secure Australian SMEs are doing right:
- They’re using layered security tools like ESET Protect to monitor, detect, and respond to threats in real time.
- They’ve automated patching to avoid gaps.
- They’ve built a culture where staff know they’re part of the frontline.
- And they’re treating PCI DSS not as a chore, but as a roadmap.
These steps don’t require big budgets, just clear priorities.
Final Thought: Your Reputation Is Part of Your Defence
For many small businesses, the worst part of a data breach isn’t the fine; it’s the fallout. Customers are increasingly savvy about privacy and payment security. If you lose their trust, it’s a long road back.
Preventative security might not be glamorous, but it’s what keeps the lights on and the payments flowing. Get the basics right, embed best practices across your team, and make payment protection part of the way you do business.
The bottom line is, if cybercriminals are evolving their attacks, Australian SMEs need to evolve their defences too. And fast.

