Look For Security Threats from the Inside

High-tech hackers capable of breaking into sophisticated networks may be what many small-business owners envision when hearing about data-security risks. In their minds, such breaches are more likely to plague a corporate retail giant than a small, family-run shop.

But in many cases, attacks can be as low-tech as a dishonest cashier jotting down a few credit card numbers and stuffing them in his pocket. And with the myriad ways companies face being affected by fraud, achieving 100% compliance with Payment Card Industry data-security standards among the more than 5 million small U.S. merchants can be daunting for ISOs and acquirers.

Small businesses often do not realize they are just as much at risk as large retailers are, if not more, because of gaps in merchant-security education. Indeed, a merchant’s relationship with its employees may be a bigger factor in securing data than the one between the merchant and its ISO, experts say.

A common misconception among small merchants is that attacks occur only from outside the business. But in many cases, security compromises originate inside a merchant’s walls, new survey data suggest.

In an August survey of 628 so-called Level 4 merchants that annually process fewer than 1 million payment card transactions, ControlScan Inc., an Atlanta-based payments-security firm, and Merchant Warehouse Inc., a Boston-based ISO, found that merchants may be setting themselves up for a breach by not performing background checks on new hires or by failing to train employees on how to properly safeguard cardholder information.

Many are doing only the bare minimum, the survey data suggest. Of the respondents, 148 said “completing the paperwork” for the PCI DSS was the only action they took to achieve compliance, and only 55 said they conducted security training for their staff.

Small merchants generally believe that by processing fewer and smaller transactions, they are less attractive to fraudsters and, as a result, less of a target for attackers. Yet 96% of merchants targeted by hackers in 2010 were classified as Level 4, according to the December Visa Inc. report “Franchise Data Compromise Trends and Cardholder Security Best Practices.”

Source: Autumn Cafiero Giusti, ISO&Agent, March 2011

We’ve heard stories in industry publications of merchants getting shut down because an employee was at the center of a fraud: one employee destroying the business. There are some scary stories out there.

We know you want to believe in your employees, but do not be naive. The employees you least expect can be up to no good. It just happens. That is the way it is these days. Background checks are probably a good idea.

Generally, the type of employees who will rip off their employer by pocketing merchandise and sneaking free meals are also the ones likely to steal credit card numbers.

Another threat from the inside is skimming, a technique that is common in restaurants: a worker uses a pocket-size device to swipe a customer’s credit card and capture the account information from the magnetic stripe.

These low-cost, battery-powered magnetic card readers are far too easy to obtain.

The best thing a merchant can do is run background checks, train the employees, and reduce the scope of who has access to credit card details.

It is the merchant’s responsibility to make sure its own policies and procedures reflect the safeguarding of client cardholder information.

Do not be subject to the “Not Me” syndrome.

As payment consultants, we do our best to help merchants reduce exposure by explaining these vulnerabilities and risks. We are stepping up our efforts to educate merchants on the importance of training employees and vigilantly safeguarding card data.

Make sure your employees are fully trained on all the correct procedures for card acceptance and security, including little details like never writing down credit card numbers and reporting anyone seen writing them down.

Just because you are PCI compliant does not mean you are unbreachable.

If a merchant experiences a breach, the fines and penalties incurred could put it out of business. And even if the merchant survives the fines, all it takes is for that breach to be reported in the newspaper to bring down its operations. Brand degradation is extremely harmful.

Education is an important part of the fraud-prevention process. Merchants can reduce exposure under the helpful eye of an experienced payment consultant like Prineta. Contact Us!
