Security can be an expensive, time-consuming investment for small merchants, and most have a mindset that security hacks won't happen to them. But independent sales organizations must take an active role in protecting even the merchants that don't want to be protected.
Even small merchants are big targets, says Chris Bucolo, senior manager of security consulting at ControlScan. "Fraudsters are going where they can get the action," he says.
Small merchants don't need extensive security systems, but "what's not happening is business-as-usual security," he said in a presentation at the Western States Acquirers Association conference in San Francisco this week.
The best solution to this problem is education, which can come from the ISOs who are managing the merchant relationship.
The "big stick" approach has worked on merchants to get them to get under compliance, says Bucolo, referencing former president Theodore Roosevelt's "Big Stick" policy of being friendly while also threatening. "Fines work and even better when they're coupled with incentives," he says. "If there's a stick and a carrot, we've seen that's effective."
One of the easiest fixes is maintaining high level passwords. The most common passwords, Bucolo says, are "password" and "Password1." Many people think the latter is a good password because it uses a capital letter and a number, he says.
ISOs should educate merchants, especially those that have Web applications or a high risk of fraud (such as fast-food restaurants) on the extra precautions they should be taking, Bucolo says.
And while merchants don't want to cut into their revenue by buying expensive, unused security systems, merchants also can't afford to lose thousands of dollars in a security breach. It typically takes about six months to spot a breach, Bucolo says.
Many merchants think working on security always means spending a lot of money, he says, but even inexpensive first steps could drastically increase protection, Bucolo says. For a first-stage security package that includes managing a firewall, breach protection and self-assessment for Payment Card Industry security standard compliance costs around $65 a month, he says.
"Twenty-nine out of 30 days you can leave the door open but the day the auditor comes, you have the door locked and you pass," he says.
Not only are merchants suffering from a lack of security, but traditional financial institutions also struggle with security.
In a recent social engineering test on a bank, 30% of employees fell for the ruse of a caller pretending to be someone else that required access to their email, and provided their credentials to the attacker, Bucolo says.
These social engineering attacks have become a popular way for hackers to get access to sensitive data and, in turn, access to even more sensitive servers within a bank.
"Financial institutions are under great pressure auditors agree that there is great exposure in those systems," says Bucolo.