Welcome to Part 2 of my blog on PCI Security. If you haven’t read part 1 yet, you might want to read that first. It has important background info that will help what you’re about to read here make sense.
Where were we? Oh yes, I promised you some real-life scenarios about PCI compliance. While it’s very easy to find articles about giant companies that have experienced a security breach, it’s really difficult to find press on small businesses which have experienced breaches, but we found several. These stories are all 100% real. You can click the links to get the complete story on any one of them.
- In March of 2014, police in Fairmont, Minnesota received over 200 complaints of debit and credit card fraud after one Mexican restaurant was hacked.
- An out-of-state football team didn’t think twice about eating at the popular McFadden’s at Westgate Mall in Glendale, Arizona. But a few weeks later, fraudulent charges were being made to their cards. The article, written at the time that the breach was reported, does not state how many customers were impacted, nor the costs of making reparations.
- In June of 2016, the Hard Rock Hotel and Casino in Las Vegas announced that it had found card scraping malware on its payment card system. The malware extracted cardholder information including cardholder name, account number, expiration date and internal verification code. The hotel began investigating after receiving reports of fraudulent activity on credit cards used at the complex. The impacted accounts are thought to have been used between January 31, 2016 and June 2, 2016 at some of the complex’s payment locations. As of this writing Hard Rock has not released a number for the amount of customers at risk.
- From an LA Times 2014 article, The consequences can be costly, as 80sTees.com of Pennsylvania discovered when someone believed to be a former high-ranking employee accessed the identities of customers all over the country, including in California. The retro shirt seller stopped accepting credit cards for four months, launched a new website and blocked all employees from accessing clients’ financial information.
Here are three sobering statistics:
- An NCSA (National Cyber Security Agency) infographic shows that 71% of security breaches target small businesses, and nearly half of small businesses have been targets of cyber security attacks.
- Experian reports that small businesses that had security breaches found that 60% closed within six months.
- A Verizon survey found that 71% of hackers attack businesses with less than 100 employees.
Still think PCI compliance is too complicated to deal with?
I get it. Being a merchant in today’s business world is a lot more complicated than it used to be. Gone are the simple days of a salesbook, a card imprinter and a cash register. These days you may have multiple terminals and multiple cash registers or integrated payment terminal, integrated cameras, a WIFI network, an e-Commerce site, and you take orders by mail, phone, email, and maybe still even by fax. The more features and the more complex your payment systems are, the more vulnerable they may be.
Before we get into ways you can make your transactions more secure, check with your credit card processor and make sure they are validated PCI compliant. Don’t just take their word for it. If they are compliant they should be able to help you, their customer, become compliant. In fact, it’s their responsibility to check and make sure you are compliant. If they give you an answer that borders on “Don’t ask, don’t tell,” do not settle for it. Contact other processors or contact PCI directly for more help. Call us if you want to and we’ll see if we can help you or point you in the right direction.
PCI has a wealth of information for small businesses to help them improve their data security. For starters, check out this site: http://blog.pcisecuritystandards.org/topic/small-business
You’re probably not going to be able to become PCI compliant on your own unless you’re also a systems security analyst. Your processor should be able to help you.
I think here is a good place to point out that PCI security and compliance is an on-going, somewhat fluid process. It’s also a matter that requires vigilance. You could slip out of compliance by not thoroughly training a new employee, by installing a new piece of equipment, changing a procedure or simply by not changing a password if an employee leaves. The bad guys have systems scouring the internet 24/7 looking for weaknesses. You really can’t afford to let your guard down.
PCI is also not an insurance policy. It doesn’t absolve you of any financial responsibility if you’re breached, and it doesn’t guarantee you won’t be breached. PCI’s position is that no PCI compliant organization has ever been breached because if they were compliant they wouldn’t have been breached. That’s rather bizarre logic (circular, in fact), but that’s their story and they’re sticking to it.
You may be thinking that if a giant chain with a big security budget like Target or Michaels or Home Depot got breached, what chance do you have?
It’s not necessarily about budget. Those big companies may have bigger, more expensive security systems, but in some ways the big chains are more vulnerable because there are more points of attack. It also helps that PCI categorizes merchants by size, so the requirements and scrutiny for a smaller businesses are not the same as for a larger merchant.
Think of PCI security like a state of the art security system for your business. It may not prevent you from getting breached and it won’t pay for damages, but it may make you less of a target and it may save the life of your business.