The Impact of Data Breaches on Small Business

The recent malware attacks at nationally known retailers have sent consumers scrambling to protect their credit and avoid identity theft. Merchants are taking action to keep their businesses from falling victim to hackers and wondering what the long-term consumer fallout may be. While the data breaches that occurred during the 2013 holiday season were certainly not the first or even the largest, they seem to have brought the payments industry to a tipping point.

Consumer response to merchant data breaches

It’s too early to identify specific trends resulting from the recent incidents. However, after a decade of well-publicized hacking episodes, consumers have become knowledgeable and vigilant. They’re monitoring their accounts for suspicious transactions, requesting replacement cards, changing PINs and reviewing their credit reports. Many consumers are reconsidering their methods of payment and giving thought to which merchants they support.

Securing your point of sale

The recent data breaches were perpetrated using malware which, according to news reports, was introduced through weaknesses in the retailers’ point-of-sale (POS) environments. Attackers stole login credentials from an outside vendor, used them to enter the retailers’ networks and installed malware designed to capture consumer card data from the payment card readers and send it to a server under the attackers’ control. Attackers look for POS systems that run outdated operating software, expose remote-access ports and use weak passwords. Once the malware is running on a merchant’s POS, it quietly collects and transmits card data until the breach is discovered.

Proper adherence to the Payment Card Industry Data Security Standard (PCI DSS), which remains the baseline standard for merchants in blocking card fraud, would have made these attacks far harder to carry out. All processing equipment provided by Harbortouch is PCI compliant, but compliant equipment alone does not make a merchant compliant: being proactive and using the tools offered through the PCI Security Standards Council will help merchants further protect cardholder data throughout each transaction. The ongoing process requires merchants to continuously assess their operations, fix any vulnerabilities, and make the required reports to their acquiring bank and all card brands with which they do business. The 12 PCI DSS requirements are listed below:

1. Install and maintain a firewall configuration to protect data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data and sensitive information across open public networks.

5. Use and regularly update anti-virus software.

6. Develop and maintain secure systems and applications.

7. Restrict access to data by business need-to-know.

8. Assign a unique ID to each person with computer access.

9. Restrict physical access to cardholder data.

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

12. Maintain a policy that addresses information security.

For detailed information about the PCI DSS, visit pcisecuritystandards.org/merchants.

The role of EMV in preventing data breaches

Based on the nature of the recent attacks, EMV technology would not necessarily have prevented them: the malware captured card data inside the retailers’ systems, and EMV does not by itself protect that data. However, having EMV technology in place at the POS makes counterfeit cards created from stolen data nearly worthless at chip-capable terminals, because a chip card produces a unique cryptogram for each transaction that cannot be reproduced from stolen magnetic-stripe data. Stolen card numbers can still be used for card-not-present (online or phone) purchases, so EMV reduces but does not eliminate the damage from a breach. Harbortouch’s Perkwave terminal offers an EMV compatible option for merchants.
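Why stolen data works against a stripe but not against a chip can be shown with a simplified model. The code below is an added illustration, not part of the original article and not an implementation of the EMV specifications: the key handling, cryptogram construction (HMAC-SHA256 here, where real EMV uses a MAC under keys derived per EMV Book 2) and message flow are stand-ins that keep only the property that matters, namely that the card proves possession of a secret key over a terminal-chosen unpredictable number and a transaction counter. All names (Issuer, ChipCard, make_cryptogram, demo) are the example’s own.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Simplified stripe-versus-chip authorization model (illustration only, not EMV).


def make_cryptogram(key: bytes, pan: str, amount: int, unpredictable: int, atc: int) -> bytes:
    """MAC over the transaction: binds amount, terminal nonce and card counter to the key."""
    data = f"{pan}|{amount}|{unpredictable:08x}|{atc}".encode("ascii")
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class ChipCard:
    def __init__(self, pan: str, key: bytes) -> None:
        self.pan = pan
        self._key = key   # in a real chip the key is never readable by the terminal or POS
        self.atc = 0      # Application Transaction Counter, increments every transaction

    def generate_ac(self, amount: int, unpredictable: int) -> Tuple[int, bytes]:
        self.atc += 1
        return self.atc, make_cryptogram(self._key, self.pan, amount, unpredictable, self.atc)


class Issuer:
    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._last_atc: Dict[str, int] = {}

    def issue_card(self, pan: str) -> ChipCard:
        key = secrets.token_bytes(16)   # shared only between issuer and chip
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize_magstripe(self, pan: str) -> bool:
        # Stripe data is static, so anyone holding a copy can present it again.
        return pan in self._keys

    def authorize_chip(self, pan: str, amount: int, unpredictable: int,
                       atc: int, cryptogram: bytes) -> bool:
        key = self._keys.get(pan)
        if key is None or atc <= self._last_atc[pan]:
            return False   # unknown card, or a counter already used (replay)
        expected = make_cryptogram(key, pan, amount, unpredictable, atc)
        if not hmac.compare_digest(expected, cryptogram):
            return False   # wrong key or altered transaction data
        self._last_atc[pan] = atc
        return True


def chip_transaction(issuer: Issuer, card: ChipCard, amount: int) -> Tuple[bool, dict]:
    """Terminal picks a fresh nonce, card answers with a cryptogram, issuer decides."""
    unpredictable = secrets.randbits(32)
    atc, ac = card.generate_ac(amount, unpredictable)
    approved = issuer.authorize_chip(card.pan, amount, unpredictable, atc, ac)
    # Everything a POS memory scraper could observe during this transaction:
    captured = {"pan": card.pan, "amount": amount, "unpredictable": unpredictable,
                "atc": atc, "ac": ac}
    return approved, captured


def demo() -> Dict[str, bool]:
    issuer = Issuer()
    card = issuer.issue_card("4111111111111111")   # standard test PAN
    results: Dict[str, bool] = {}

    # Stripe: a genuine swipe and a counterfeit made from stolen track data are identical.
    results["genuine_magstripe"] = issuer.authorize_magstripe(card.pan)
    results["counterfeit_magstripe"] = issuer.authorize_magstripe(card.pan)

    # Chip: genuine card at a chip terminal.
    approved, captured = chip_transaction(issuer, card, amount=4999)
    results["genuine_chip"] = approved

    # Attacker replays the captured chip transaction verbatim: counter already spent.
    results["replayed_chip"] = issuer.authorize_chip(
        captured["pan"], captured["amount"], captured["unpredictable"],
        captured["atc"], captured["ac"])

    # Attacker clones the card's static data onto a chip with a guessed key: MAC fails.
    clone = ChipCard(card.pan, secrets.token_bytes(16))
    clone.atc = captured["atc"]
    approved, _ = chip_transaction(issuer, clone, amount=4999)
    results["counterfeit_chip"] = approved
    return results


if __name__ == "__main__":
    for case, approved in demo().items():
        print(f"{case:22s} {'APPROVED' if approved else 'DECLINED'}")
```

The two stripe cases are approved and the two counterfeit chip cases are declined, which is the whole of the liability argument: once the terminal demands a chip cryptogram, a breach that leaked only static card data no longer yields usable counterfeit cards, though the PAN and expiry it leaked remain usable wherever no chip is read.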

The next big milestone in the U.S. EMV migration plan is October 2015, when fraud liability shifts to merchants in cases where an EMV chip card is presented but the merchant does not have an EMV-capable payment terminal. Retailers that have experienced data breaches are planning to be ahead of this deadline, and all merchants are encouraged to begin their EMV migration plans sooner rather than later.

Any steps you can take to tighten your perimeter will make your POS a less attractive target. Attackers generally seek the path of least resistance, so it’s important to cover all your bases by following the 12 PCI DSS requirements in their entirety. Good business sense dictates that prevention is far better than dealing with the consequences of a data breach.