
Use data security as a strategic advantage
THE HIGH-PROFILE credit card security breaches at major U.S. retailers over the last six months emphasize the prevalence of data theft and also spotlight the risks to a merchant caught unprepared for such crimes.
While the penalties and costs for a mega-store data breach can be astronomical (the price tag for Target's December 2013 event has already soared into the tens of millions of dollars), data compromises can cost a merchant well into the six figures if they are deemed liable for the occurrence.
While these events paint a gloomy picture, there is a silver lining for small business owners. This environment creates a differentiation opportunity by positioning one's company as a stalwart custodian of customer credit card information.
There is evidence to suggest that the security breach at all 1,797 Target stores in 2013 may have been perpetrated by a loose band of criminals in Russia using relatively rudimentary, "off-the-shelf" malware. Ironically enough, the corporation took preemptive measures against such tactics by adopting an expensive malware detection tool six months prior to the attack. Target had also increased their cyber security staff by almost tenfold from 2006 levels, to nearly 300 people.
What their money couldn't buy, as it turns out, was decisive, internal action. Their new watchdog vendor issued top-level warnings to the Target security team as soon as it detected the malware, yet for unexplained reasons the retail giant took no steps and stood by while data flowed out of its system. By the time the malware was finally removed, 40 million credit card numbers were compromised and presumably sold on the black market.
Call to Action
The first step for any credit card merchant is to establish and fortify its defenses against a potential data breach by complying with the Payment Card Industry Data Security Standard. The PCI Security Standards Council was established in 2004 by the leadership of all four major U.S. credit card companies: Visa, MasterCard, Discover, and American Express.
The council's mission was, and is, clear: to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data.
While card issuer protection is the function of the DSS by design, the merchants are beneficiaries of it as well. In the event of a data breach, a merchant is unlikely to be subject to fines or penalties if an audit reveals that they were fully (and actually) compliant at the time of the event.
The PCI-DSS requires merchants to complete an initial self-assessment questionnaire that outlines their data security responsibilities. There are five distinct SAQs, each defined by the various credit card transaction processing methods available. Annual renewals, by means of an attestation and signature, are required to maintain this compliance.
A merchant's PCI compliance is a "snapshot-in-time" of its current methods and best practices. It is by no means a guarantee that any merchant, large or small, is immune to an information breach, nor will previous compliance provide a liability exemption if there have been changes to the manner in which their credit card transactions are processed. Therefore, it is important that merchants not only update their true PCI compliance, but continually keep IT components such as firewalls and security patches up-to-date.
Providing regular staff training in data security protocol is also a key measure in risk-management. Let the Target debacle make them the poster child for that lesson.
Positive Spin & Real Benefits
When a merchant takes an active role in data security practices, the risk of compromising customer card information is greatly reduced. Risk reduction is Small Business Best Practices 101, but unlike other pitfalls, data security breaches may involve many (if not all) of a company's customers. The consequences of such are always costly, if not devastating.
Working with a credit card processor that understands PCI compliance and works to educate its merchants is invaluable. Using this opportunity to learn even the basics about card data security will not only increase a company's awareness of this important merchant responsibility, but will allow them to position themselves as an industry leader in the matter. Rather than competing on price alone, those businesses able to distinguish their company from the competition through value-added services will enjoy greater profits and higher customer loyalty.

Protecting sensitive cardholder data is a powerful, two-pronged differentiation tool, delivering peace of mind to customers and driving new sales to the door as well.
- As former owner of an architectural woodshop (Hofmann Joinery, Hanover, Md.), Chris Hofmann represents Tiger Payment Solutions to the professional woodworking supply and machinery industry for their payment processing solutions. He can be reached at (617) 999-7214 or chris@tigerprocessing.com.