Protecting Customer Information
In our last blog post titled Data Breaches, Data Breaches Everywhere, we talked about the big data security and the largest data breaches of 2013. They affected multinational companies and some of the largest retailers in the United States.
However, that does not mean small businesses are exempt – in 2012, about 40% of data breaches occurred in businesses with fewer than 100 employees. So how can small businesses combat this and make protecting customer information a priority? Read the second entry in this three-part series to find out.
The Payment Card Industry (PCI) Security Standards Council is the governing body of payment card data security for most businesses and an advocate for protecting customer information. The Council was founded in 2006 by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. Its PCI Data Security Standard (DSS) serves as the baseline for merchants that accept cards as a form of payment – from national department store chains to seasonal fruit stands.
In security terms, it means that your business adheres to the PCI DSS requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. In operational terms, it means that you are playing your role to make sure your customers’ payment card data is being kept safe throughout every transaction, and that they – and you – can have confidence that they’re protected against the pain and cost of data breaches.
-PCI Data Security Standards Council Website
Businesses comply with the PCI DSS by following these 12 guidelines:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
The important thing to remember is that the PCI SSC cannot enforce these rules itself; it publishes the standard and information about best practices in data security, while enforcement comes through the card brands and your merchant services agreement.
Small Business Data Security
These are some things to watch out for while running a small business, and some simple solutions.
- Hacking – malicious individuals can get your information by accessing your hardware or software through lackluster protective measures. Solve this by securing your connections. Encrypt your Wi-Fi, put a password on it, and don’t give it out to just anyone. There are dozens of options, ranging from free to thousands of dollars, for all types of businesses.
- Payment fraud – people can access your info through the POS or terminal. Solve this by controlling user access to your Point-of-Sale system or terminal. Create unique user IDs for each employee to control their permissions, monitor their usage, and hold them accountable. Your merchant services provider can help you with setting this up.
- Employee fraud – not everyone is who they say they are. Solve this by running background checks and extending your interview process. And remember, the fewer employees you have, the more damage any one of them can do to your business.
- Lost, discarded, or stolen documents – people can sift through your trash if it’s not shredded. Solve this by buying a document shredder. Shred documents on a daily or weekly basis, and make sure that the remnants are properly destroyed.
- Negligence – Target’s malware detection tool caught the attack, but it wasn’t configured properly. Solve this by turning on all security features and options. Check regularly to make sure that they are on and up to date.
- Third-party companies – Hackers work backwards from the point of easiest entry. Target was breached through an HVAC provider. Solve this by vetting your partners’, suppliers’, and vendors’ security measures. Their security is your security.
High Risk Merchants
High risk merchants usually pay higher rates and fees, are watched very closely for fraud, and have other stipulations stapled to their contracts. Businesses that accept card-not-present transactions, some service providers, or businesses in an industry that is heavily regulated are typically considered higher risk. The common denominator is an increased chance of fraud and an increased chance of chargebacks.
It is extremely important that businesses in this category maintain the strongest level of protection for their customers’ payment card information. Their businesses are already suffering non-negotiable increased costs; by adding a data breach or fraud on top of that, they run the risk of having their merchant account shut down, or in the worst-case scenario, being put out of business.
What To Do If You Are Breached
- Don’t panic – Panicking leads to hasty decisions. Haste makes waste. Don’t panic.
- Preserve the crime scene – That’s what it is now. Preserving the crime scene means that the authorities have a better chance of finding useful information. Instead of wiping hard drives or unplugging cords, stop using your terminal, virtual gateway, or Point-of-sale system, and break out the cash drawer.
- Gather info from service providers (internet, telephone, security, merchant services) – they have access to information that you don’t. Make some phone calls and let them know what happened and ask what they can do about it.
- Legal advice – Call the police, and get yourself a lawyer. You may not need one depending on the size and scope of the breach, but that’s not something you want to test.
- Communicate – Tell your employees and customers. Let your service providers, third-party vendors, wholesalers, and anyone else that could be affected know that your payment card security was compromised, that you are looking into it, and that you will keep them updated. As evidenced by the efforts of Neiman Marcus, Target, and PF Chang’s, an open line of communication between executives and customers is very effective damage control.
- Reevaluate – Something went wrong. Find out what it was, and fix it so that it never happens again. The PCI SSC has many resources for small businesses here and here.
Landscape for Merchants
The landscape for merchants is not promising. Last year was the worst in history for data breaches. Main Street businesses need to comply with PCI DSS regardless, but proactive owners and executives will add additional layers of security to protect customer information.
The best way to do this is to accept chip-and-pin cards (also known as EMV cards), by using a terminal equipped for them. 86% of financial institutions plan to issue chip-and-pin cards in the next two years. Small businesses don’t have the luxury of that much time. By October 2015, merchants who are unable to accept chip-and-pin cards will be held liable for fraudulent transactions, something considered long overdue.
The Choice Merchant Solutions EMV Readiness Program helps merchants convert to a more secure system before it’s too late and emphasizes protecting customer information. Check back for the penultimate chapter of this series, which will tell you everything you need to know about EMV. If you’re an early adopter, or want to find out more from a qualified representative, call us at 860.296.1300 or check out our merchant processing page.