
By Tony Anscombe, Chief Security Evangelist at ESET
In today’s threat-heavy climate, Australian small and medium-sized businesses are sitting in the crosshairs of cybercriminals, especially when it comes to payment systems. These platforms aren’t just business-critical; they’re a digital magnet for attackers, offering a gateway to sensitive financial data, customer trust, and regulatory landmines.
And it’s important to note that most cyberattacks hitting Aussie businesses aren’t blockbuster-level breaches. They’re quiet, quick, and often devastating, particularly when prevention hasn’t been prioritised.
Why SMEs Can’t Afford to Stay Reactive
In the 2023–24 financial year, the Australian Signals Directorate (ASD) received over 87,400 cybercrime reports—averaging one every six minutes. While this represents a 7% decrease from the previous year, the threat remains significant. Small businesses reported an average loss of $49,600 per incident, up 8% from the previous year, while medium businesses reported an average loss of $62,800, a decrease of 35%.
Most of these attacks aren’t sophisticated either. Many exploit basic gaps such as default passwords, outdated software, and lax access controls. That’s why the shift to a prevention-first mindset is long overdue.
What Does ‘Prevention First’ Actually Look Like?
It’s not about buying the fanciest tools or outsourcing everything to a managed service provider. It’s about taking smart, deliberate steps to protect what matters most: customer payment data. That starts with understanding and implementing the Payment Card Industry Data Security Standard (PCI DSS), the global set of rules that provides practical steps for securing payment systems.
Many SMEs might assume that using a third-party payment gateway—like Worldpay or Stripe—means PCI DSS no longer applies to them. That’s a dangerous misconception. While outsourcing reduces the technical burden, it doesn’t eliminate responsibility. In fact, PCI DSS applies to both the gateway provider and the merchant, especially when sensitive payment data is processed or transmitted by both parties. SMEs need to understand this shared responsibility and ensure their chosen provider is PCI compliant.
Even though PCI DSS isn’t legally enforced in Australia, non-compliance can still lead to serious financial and reputational fallout. It’s considered best practice for any business handling card payments. So if you’re an SME storing, processing or transmitting cardholder data, it’s time to get familiar.
Key Moves to Secure Your Payment Systems
1. Lock Down Your Network
Before anyone gets to your payment data, they go through your network. That means your first job is making sure it’s not swinging wide open. Strong perimeter firewalls are a must, as is disabling any unnecessary ports or services. Default system settings and passwords should be changed the minute a product is installed, no exceptions.
Modern threats don’t just come in through the front door, either. They often slip in through side doors via old printers, forgotten IoT devices, and other poorly configured tech. Routine network scans help find these blind spots before an attacker does.
2. Encrypt Cardholder Data at Every Step
If your business handles credit or debit card data, encryption needs to be second nature. AES-256 remains the industry standard for strong encryption. Don’t stop there, though: make sure the data is encrypted not just while it’s moving (in transit), but also when it’s stored (at rest), if it has to be stored at all.
Better still, limit what you keep. Don’t hold on to full card numbers, CVVs, or expiry dates unless you absolutely have to. The less you store, the less you’re liable for.
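The data-minimisation point above is easy to state and easy to get wrong in code. The following is an added illustration, not ESET’s code or anything from the PCI standard itself: it validates card details, then returns a record type that can only hold a truncated PAN, a keyed reference and the expiry, so the full card number and CVV are dropped before anything reaches storage. A small guard for log lines and exports is included, since card numbers often leak into places nobody meant to store them. Assumptions: PANs are 13–19 digits, the truncation format is “first six, last four”, and an HMAC-SHA256 reference stands in for a proper tokenisation service; the key and the test card number are constructed values.

```python
"""Cardholder data minimisation: keep only what can be retained after authorisation.

Added illustration, not ESET's or PCI SSC's code. Assumptions: PANs are 13-19 digits,
the truncation format is "first six, last four", and a keyed HMAC-SHA256 reference
stands in for a proper tokenisation service. DEMO_HMAC_KEY is a constructed value.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed demo key. A real deployment would pull this from a key-management
# system or HSM; it is in source here only so the example runs offline.
DEMO_HMAC_KEY = b"demo-only-key-not-for-production"


@dataclass(frozen=True)
class StoredCardRecord:
    """The only card fields this record type can hold after authorisation.

    There is deliberately no CVV/CVC field: sensitive authentication data is
    used for the authorisation call and then dropped, never persisted.
    """
    truncated_pan: str   # e.g. "411111******1111"
    pan_reference: str   # keyed hash; lets you spot repeat cards without storing the PAN
    expiry: str          # "MM/YY"; may be retained but is still worth encrypting at rest


def normalise_pan(raw: str) -> str:
    """Strip spaces and hyphens so "4111 1111 1111 1111" and "4111-1111-..." compare equal."""
    return re.sub(r"[\s-]", "", raw)


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: catches typos and obvious junk, says nothing about fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes = DEMO_HMAC_KEY) -> str:
    """Keyed reference for lookups; an unkeyed hash of a 16-digit number is brute-forceable."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(raw_pan: str, expiry: str, cvv: str) -> StoredCardRecord:
    """Validate the card details, then return a record with the full PAN and CVV stripped out."""
    pan = normalise_pan(raw_pan)
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("PAN must be 13-19 digits")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    if not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", expiry):
        raise ValueError("expiry must be MM/YY")
    if not re.fullmatch(r"\d{3,4}", cvv):
        raise ValueError("CVV must be 3 or 4 digits")
    # The CVV would be handed to the payment gateway here; it goes no further.
    return StoredCardRecord(
        truncated_pan=truncate_pan(pan),
        pan_reference=pan_reference(pan),
        expiry=expiry,
    )


def contains_full_pan(text: str) -> bool:
    """Guard for log lines and exports: True if a Luhn-valid 13-19 digit run is present."""
    for m in re.finditer(r"\d[\d -]{11,21}\d", text):
        candidate = normalise_pan(m.group())
        if 13 <= len(candidate) <= 19 and candidate.isdigit() and luhn_valid(candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed test card number, not a real account.
    rec = prepare_for_storage("4111 1111 1111 1111", "12/27", "123")
    print(rec)
    print(contains_full_pan("order 88 paid with 4111 1111 1111 1111"))  # True: must not be logged
```

The design choice worth noting is that the record type itself has no place to put a CVV or a full PAN, so a later developer cannot “just add it for debugging” without changing the type; the `contains_full_pan` guard is the cheap check to run over anything headed for a log file or a spreadsheet export.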
3. Control Who Gets Access
Only give access to people who genuinely need it, and even then, make them prove who they are. Role-based access controls and multi-factor authentication (MFA) are essential here.
Physical security matters too. If your payment systems sit on an on-premises server, that server needs to be locked down. Literally. Whether it’s a data cabinet or a server room, keep physical access tight.
4. Monitor Everything, Test Often
If you’re not watching your systems, you’re flying blind. Set up real-time monitoring tools and review access logs frequently. This can catch suspicious behaviour early—before it turns into full-blown theft or disruption.
Penetration testing (pen testing) and vulnerability scans should be regular events, not once-a-year checkbox items. Attackers are persistent, so your testing schedule should be too.
Don’t wait for a breach to figure out your game plan. Every SME should have an incident response plan that’s written down, rehearsed, and ready to deploy.
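“Review access logs frequently” is only useful if you know what you are looking for. As an added example (not ESET’s code, and not a feature of any product the article mentions), the script below runs two simple checks over access-log lines for a payment admin console: a burst of failed logins from one source inside a short window, a success from that source right after the burst, and successful logins outside business hours. The log format is assumed and the sample lines are constructed, not captured from a real system.

```python
"""Access-log review for a payment admin console: brute-force bursts and off-hours logins.

Added illustration, not ESET's code. The log format (ISO timestamp, source IP,
username, OK/FAIL) is assumed, and SAMPLE_LOG is constructed rather than captured.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, written to show both alert types firing.
SAMPLE_LOG = """\
2025-03-03T09:02:11 src=198.51.100.4 user=jane result=OK
2025-03-03T09:05:40 src=198.51.100.4 user=jane result=OK
2025-03-03T02:14:05 src=203.0.113.7 user=admin result=FAIL
2025-03-03T02:14:09 src=203.0.113.7 user=admin result=FAIL
2025-03-03T02:14:12 src=203.0.113.7 user=admin result=FAIL
2025-03-03T02:14:15 src=203.0.113.7 user=admin result=FAIL
2025-03-03T02:14:19 src=203.0.113.7 user=admin result=FAIL
2025-03-03T02:14:30 src=203.0.113.7 user=admin result=OK
2025-03-03T23:40:02 src=198.51.100.9 user=bob result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text: str) -> list:
    """Turn raw lines into event dicts, sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a source with >= threshold failures inside `window`, and any success that follows."""
    alerts = []
    recent_fails = defaultdict(deque)   # src -> timestamps of recent FAILs
    burst_sources = set()
    for ev in events:
        q = recent_fails[ev["src"]]
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ev["src"] not in burst_sources:
                burst_sources.add(ev["src"])
                alerts.append(("BRUTE_FORCE", ev["src"], ev["user"], ev["ts"]))
        elif ev["src"] in burst_sources:
            # A success right after a burst is the line worth a phone call, not just a ticket.
            burst_sources.discard(ev["src"])
            alerts.append(("SUCCESS_AFTER_BURST", ev["src"], ev["user"], ev["ts"]))
    return alerts


def find_off_hours(events, open_hour=7, close_hour=19):
    """Successful logins outside the hours the business actually operates."""
    return [
        ev for ev in events
        if ev["result"] == "OK" and not (open_hour <= ev["ts"].hour < close_hour)
    ]


def review(text: str) -> dict:
    """Run both checks over a log and return the findings."""
    events = parse_log(text)
    return {"brute_force": find_bruteforce(events), "off_hours": find_off_hours(events)}


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
```

The thresholds and business hours are deliberately plain parameters: the point of the exercise is that an SME decides what “normal” looks like for its own payment systems and checks the logs against that, rather than waiting for a vendor alert to arrive.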
5. Make Cybersecurity Everyone’s Job
People remain the weakest link in most breaches. [1]
In November 2024, The Information and Privacy Commission released the first NSW Mandatory Notification of Data Breach Scheme Trends Report. It revealed that 79% of all reported breaches were caused by human error in NSW Government Agencies. [2]
Teach your staff to spot phishing emails, social engineering tactics, and dodgy links. But don’t just hand them a training video once a year; you need to build cyber awareness into your company culture.
Everyone (from the intern to the finance director) should know what to do if something looks off.
6. Update and Patch Everything
It sounds basic, but outdated software is still one of the top ways attackers get in. Whether it’s your point-of-sale (POS) system, your e-commerce plugin, or the router in your back office, if it’s out of date, it’s a risk.
Use automated patch management tools where possible and track all updates. And don’t forget third-party providers; if you use an outsourced payment gateway or cloud service, make sure they meet PCI DSS too.
What Does PCI DSS v4.0 Add to the Mix?
The latest version of PCI DSS (v4.0) rolled out in 2022, and full compliance was required by March 2025. It includes some key updates:
- Stronger authentication requirements, especially for remote access
- Increased flexibility for different types of organisations, including SMEs
- Expanded logging and monitoring expectations
- Customised approach pathways, allowing businesses to show compliance in ways tailored to their environment
It’s more adaptable than previous versions but also more demanding. The focus is squarely on ongoing security, not just ticking boxes.
A Smarter Approach to Risk
Cybersecurity isn’t just an IT problem anymore. It’s a business and operational priority. And while it’s true that SMEs often lack the resources of big corporations, they also tend to move faster and implement changes more nimbly.
Here’s what secure Australian SMEs are doing right:
- They’re using layered security tools like ESET Protect to monitor, detect, and respond to threats in real time.
- They’ve automated patching to avoid gaps.
- They’ve built a culture where staff know they’re part of the frontline.
- And they’re treating PCI DSS not as a chore, but as a roadmap.
These steps don’t require big budgets, just clear priorities.
Final Thought: Your Reputation Is Part of Your Defence
For many small businesses, the worst part of a data breach isn’t the fine, it’s the fallout. Customers are increasingly savvy about privacy and payment security. If you lose their trust, it’s a long road back.
Preventative security might not be glamorous, but it’s what keeps the lights on and the payments flowing. Get the basics right, embed best practices across your team, and make payment protection part of the way you do business.
The bottom line is, if cybercriminals are evolving their attacks, Australian SMEs need to evolve their defences too. And fast.