Hardly a week goes by without news accounts of a major data breach.
The immediate reaction is to think of sophisticated hackers. But many breaches involve a lack of basic security steps. Recently, for example, medical and financial records of 4.9 million clients of Tricare, a medical claims processor, were exposed when a backup tape was stolen from an employee’s car.
For large businesses, data breaches mean loss of customer confidence and the prospect of heavy fines.
For small business owners, it can be a life-or-death struggle. But experts say most problems can be avoided by keeping up with security standards set out by the major credit card firms.
Businesses handling transactions via credit or debit cards face the daunting daily task of ensuring that they are in compliance with the latest Payment Card Industry Data Security Standards (PCI DSS). These standards are created by the major credit card issuers to protect consumers’ personal information and ensure security when transactions are processed.
But, even in the face of penalties ranging from hefty monthly fines to increased transaction fees, many small businesses continue to struggle with compliance.
In fact, Verizon’s recently released Payment Card Industry Compliance Report revealed that 79 percent of businesses that accept credit and/or debit cards are failing to achieve and/or maintain compliance with the PCI standards.
“I can see why that might happen,” says Scott Smith, vice president at Max Restaurant Group in Hartford. “A lot of restaurants are in the process of upgrading their POS (Point of Sale) and credit card processing systems, and it can be costly.”
Smith said that the Max Group, which handles about 400,000 credit card transactions yearly, takes protecting its customers’ private information seriously, using a secure network and changing system passwords every 30 days.
Failure to comply with these mandatory standards not only exposes consumers’ confidential data to hackers and opens the door to credit-card fraud, but can ultimately sound the death knell for a business. If customers don’t feel their private data is being safeguarded, they are going to go somewhere else.
According to the PCI Security Standards Council, the standards consist of several goals and corresponding requirements. The council is responsible for managing the security standards, while compliance is enforced by the payment card brands themselves.
The key requirements include:
• Install and maintain a firewall configuration to protect cardholder data;
• Do not use vendor-supplied defaults for system passwords and other security parameters;
• Protect stored cardholder data;
• Encrypt transmission of cardholder data across open, public networks;
• Use and regularly update anti-virus software or programs;
• Develop and maintain secure systems and applications;
• Restrict access to cardholder data by business need to know;
• Assign a unique ID to each person with computer access;
• Restrict physical access to cardholder data;
• Track and monitor all access to network resources and cardholder data;
• Regularly test security systems and processes;
• Maintain a policy that addresses information security for all personnel.
To a small business owner, these requirements can often seem confusing and a bit overwhelming.
According to Jerry Hughes, president of Compass IT Compliance LLC in Rhode Island, most do not fully understand what is required.
“If you go to any small business and show them the PCI Data Security Standards (DSS) they will be blown away,” says Hughes, who has more than 25 years of experience in the IT and IT audit field. “That doesn’t mean that the DSS is necessarily wrong, or unnecessarily confusing, but that it is meant for a specific audience — the information technology folks in their business.”
“The small business owners selling goods and/or services, such as grocers, or restaurant owners, hairdressers… that is their area of expertise, not information technology or compliance with PCI or other federal and state laws.”
Doug Klotnia, executive vice president of payment services at Trustwave, a global provider of on-demand data security and PCI compliance management solutions to businesses and organizations, echoed those sentiments. Merchants, he said, assume that when their IT partner sets up their computer and/or payment terminal, security is being built in, when typically it isn’t.
For a small business which encounters a breach in data security, the fines and fees can be significant, starting with a forensics investigation that can cost $10,000.
“From there, the business will be fined by their bank and by the card brand if they are found to be non-compliant at the time of the breach,” Klotnia said. “Non-compliance fees vary by card brand and bank, but can be upwards of $50,000. On top of these basic fines, the merchant is responsible for the costs of re-issuing the cards that were breached, and any charge-backs that result.”
“For small businesses, this financial burden is enough to put them out of business, not to mention, the damage to their brand and business reputation as word of the breach gets out.”
In addition to advising that a business never store any unnecessary data on its system, Klotnia offers these tips:
• Use strong passwords: If a new system is installed, be sure to change the default password and choose a good strong password that is easy to remember, but difficult for a would-be hacker to guess.
• Install and use anti-virus software: There are many options for anti-virus software; most brands typically include anti-virus, anti-spyware and a personal firewall.
• Monitor, log, detect: Employ tools that monitor for attacks against payment processing systems, and log activity to minimize the breadth of any potential data theft.
• Apply patches: Software patches fix newly identified vulnerabilities; applying them promptly keeps a system protected.
• Install a firewall: Out-of-the-box consumer firewalls are readily available for business at retail locations, and require little or no configuration.
• Use Payment Application Data Security Standard (PA-DSS) validated payment applications: Find a list of PA-DSS validated applications on the PCI website (www.pcisecuritystandards.org). A validated payment application does not store prohibited data or cardholder data past authorization and settlement, and is configured to update and patch automatically.
• Follow payment hardware best practices: Proper hardware practices deter theft by ensuring terminals are securely mounted and tamper resistant if stolen.
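Two of the points above, “never store any unnecessary data” and “monitor, log, detect,” come together in one routine check a merchant or its IT partner can run: scanning POS and application logs for full card numbers that should never have been written to disk. The script below is an added example, not code from the article or from any vendor named in it. It finds digit runs of card-number length, confirms them with the Luhn checksum that real card numbers satisfy (which weeds out order numbers and timestamps), reports each hit, and rewrites the line showing only the last four digits. The log lines are constructed for the example; the test card numbers in them are the widely published Visa and MasterCard test values, not real accounts.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample POS log (not from the article). Line 1 stores a full PAN,
# line 2 is correctly masked, line 3 is an order number that merely looks like
# a card number, line 4 stores a PAN with spaces as separators.
SAMPLE_LOG = [
    "2011-10-03 12:01:05 POS01 sale approved amount=42.10 pan=4111111111111111 auth=123456",
    "2011-10-03 12:01:09 POS01 sale approved amount=19.99 pan=************1111 auth=123457",
    "2011-10-03 12:02:11 POS02 order 1234567890123456 item=coffee",
    "2011-10-03 12:03:00 POS02 sale approved amount=7.50 card=5555 5555 5555 4444",
]


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the form PCI DSS permits to be displayed."""
    return "*" * (len(pan) - 4) + pan[-4:]


def _pan_from_match(m) -> str:
    """Strip separators from a regex match; return '' if it is not a valid PAN."""
    digits = re.sub(r"\D", "", m.group())
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits
    return ""


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN (digits only) found in one line of text."""
    return [p for p in (_pan_from_match(m) for m in PAN_CANDIDATE.finditer(text)) if p]


def redact_line(text: str) -> str:
    """Replace each Luhn-valid PAN in the line with its masked form."""
    def _sub(m):
        pan = _pan_from_match(m)
        return mask_pan(pan) if pan else m.group()
    return PAN_CANDIDATE.sub(_sub, text)


def scan_log(lines) -> list:
    """Return (line_number, masked_pan) for every stored PAN found in the log."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for n, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: full card number stored (ends {masked[-4:]})")
    print("--- redacted log ---")
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Run against real logs, a non-empty result from `scan_log` is the signal that a payment application or custom integration is writing cardholder data it should not keep; the fix is at the source (stop logging the PAN), with `redact_line` used only to clean up what already exists. The Luhn check is what keeps the scanner useful: without it, every 16-digit order or ticket number would be a false alarm.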
“The biggest obstacle,” according to Klotnia, “is the merchant understanding the value of compliance is as important as locking their front door when they close for the day. That taking the small amount of time required to self-assess could be that one simple effort that keeps them from a massive financial loss.”
