No organization is immune to data breaches–especially small businesses without access to the same resources as larger merchants, requiring a vigorous security program that includes EMV and other protections at the point of sale.
More than 90% of data breaches affect small businesses and, as criminals continue to develop more sophisticated hacking methods, vulnerability continues to rise, according to a recent Trustwave Global Security Report from Trustwave SpiderLabs. Given the recent realities of high-profile data breaches, it is critical for merchant service providers to help their small business customers understand security risks and recommend security methods that can help protect them from being compromised.
Data breaches can be costly, on both reputation and the business bottom line. In fact, data breaches can cost an average organization more than $5 million per incident, according to the 2013 Cost of a Data Breach Study by Ponemon Institute.
Though the cost for a small business would be less, the effects are just as detrimental on a smaller organization as they are on a large one. As trusted partners for existing and new customers, merchant service providers should be able to provide their customers with a full understanding of the direct and indirect costs of a data breach.
It is critical that merchants take action to ensure the safety of their customers and take necessary steps to pay fees and charges associated with a data breach, including notifying customers. Most state laws require that the attorney general and customers be notified of any compromised information in a data breach, often costing thousands of dollars depending on location, the alert system and number of customers.
Credit monitoring is also a must. Merchants may be required to provide all customers affected by a data breach with a year’s worth of credit monitoring. Also, PCI DSS regulations require merchants that experience a data breach, or even suspect a breach, undergo a forensic exam to determine the extent of the incident. The forensic exam requires merchants to shut down their POS systems for several days, resulting in lost time that could have been spent on reaching business goals, including making sales. And card issuers may require merchants to pay the cost of reissuing debit and credit cards that have been compromised, often resulting in a $3 to $5 fee per card.
There are other costs. Card associations may require merchants to pay PCI compliance fines, depending on the nature of the offense that lead to the breach and whether or not the cards have been used in actual fraud cases. The fines can range from $5,000 to $50,000 or more. And regular business insurance does not necessarily protect merchants from the liability associated with the fraudulent use of payment cards after a data breach.
Beyond financial costs, merchants also must be conscious of the reputation damage caused by a data breach. The loss of customers and negative reputation can be just as damaging as the direct costs.
Big-box retailers experienced massive data breaches in late 2013 and are still suffering the reputational damage even though they have ample resources to mitigate that damage.
The repercussions for small businesses can be even worse. Thje Ponemon study notes that lost business accounts for 56% of data breach costs, which is a price most small businesses can’t afford.
To avoid the costs and consequences of a data breach, ISOs should empower their small business customers with solutions that can reduce risk while offering a cost-effective safeguard for sensitive data.
One of the first recommendations ISOs should make to merchants is to update their POS device to be compatible with EMV technology. A POS device that is compatible with EMV can read cards that contain embedded microprocessors or chips that interact with the device.
These smart chips enable more robust cardholder verification to protect against consumer-level fraud for EMV transactions, which is the technical standard that ensures chip-based payment cards and terminals are compatible.
As more merchants move toward EMV, there is a multitude of devices on the market that provide small businesses with choices for upgrading or replacing their POS systems.
Ensuring that a merchant’s point of sale is compatible with EMV technology is an important part of the process to help small business customers navigate the steps necessary to secure sensitive data.
For added security, layer encryption and tokenization with EMV and POS compatible systems to enable merchants to mitigate security weaknesses and address authorization vulnerabilities.
There are two points in the transaction process where data is most vulnerable: pre- and post-authorization. By layering EMV with encryption and tokenization, merchants not only alleviate fraud but also protect the cardholder data once the payment method and consumer are validated.
Using encryption during pre-authorization, card readers transform plain text information into a non-readable form called Cipertext. The card data captured and transmitted at the POS becomes secure and is rendered useless if it is stolen.
On the back end during post-authorization, tokenization can be used once the cardholder’s data has been read. Tokenization protects the sensitive information by replacing the actual card number with a sequence of randomly generated numbers to be safely stored and that can be used for back office processes.
Small businesses cannot afford to suffer the financial and reputational losses associated with a breach. Keeping customers informed of the risks and consequences and preparing them with the technologies to keep them safe are both ways ISOs can become trusted partners to small businesses as data breaches stay top of mind.
Tim Horton is First Data's vice president of cyber security solutions.