A Cautionary Tale and an Opportunity
The high-profile credit card breaches at major U.S. retailers over the last six months underline how common data theft has become, and they spotlight the risk to a merchant caught unprepared for such crimes. The penalties and costs of a mega-store breach can be astronomical (the price tag for the December 2013 Target event has already climbed into the tens of millions of dollars), but a compromise can cost even a small business well into six figures if the merchant is found liable for the incident. While these events paint a gloomy picture, there is a silver lining for the small business owner: the climate creates a differentiation opportunity for a company that positions itself as a stalwart custodian of its customers' card data.
There is evidence to suggest that the 2013 breach, which touched all 1,797 Target stores, was perpetrated by a loose band of criminals in Russia using relatively rudimentary, "off-the-shelf" malware. Ironically, the corporation had taken preemptive measures against exactly such tactics by deploying an expensive malware detection tool six months before the attack, and it had grown its security staff almost tenfold from 2006 levels, to nearly 300 people. What that money could not buy, as it turned out, was decisive internal action. The new monitoring vendor issued top-severity alerts to the Target security team as soon as it detected the malware, yet for reasons never fully explained the retailer took no action and stood by while card data flowed out of its network. By the time the malware was finally removed, 40 million card numbers had been compromised and, presumably, sold on the black market.
Call to Action
The first step for any card-accepting merchant is to establish and fortify defenses against a breach by complying with the Payment Card Industry Data Security Standard (PCI DSS). The standard was first published in 2004 as a joint effort of the major card brands, and in 2006 Visa, MasterCard, Discover, American Express and JCB formed the PCI Security Standards Council to maintain it. The Council's mission was, and is, clear: to protect the card brands and issuing banks by ensuring that merchants meet minimum security requirements whenever they store, process or transmit cardholder data. Although the DSS exists by design to protect the brands and issuers, merchants benefit from it as well. After a breach, a merchant that an investigation shows to have been fully (and actually) compliant at the time of the event is unlikely to face fines or penalties.
Most merchants validate PCI DSS compliance by completing a Self-Assessment Questionnaire (SAQ) that sets out their data security responsibilities. There are several SAQ types, each matched to a particular way of accepting and processing card transactions (for example, card-not-present processing fully outsourced to a third party versus a payment application running on the merchant's own network); the more of the cardholder data environment the merchant operates itself, the longer the questionnaire. Some SAQ types also require quarterly external vulnerability scans by an Approved Scanning Vendor. Compliance is renewed annually by completing the SAQ again and signing an Attestation of Compliance.
A merchant's PCI compliance is a snapshot in time of its methods and practices at the moment of attestation. It is by no means a guarantee that any merchant, large or small, is immune to a breach, nor will a previous attestation shield the merchant from liability if the way it processes card transactions has since changed. Merchants therefore need not only to revalidate their compliance annually but to maintain it continually in between: keep firewall rules current, apply security patches promptly, and review the cardholder data environment whenever a system or process changes. Regular staff training in data security procedures is another key risk-management measure. Let the Target debacle be the poster child for that lesson.
Positive Spin and Real Benefits
When a merchant takes an active role in data security, the risk of compromising customer card information is greatly reduced. Risk reduction is Small Business Best Practices 101, but unlike other pitfalls, a card data breach can involve many (if not all) of a company's customers, and the consequences are costly at best and devastating at worst. Working with a credit card processor like Tiger Payment Solutions, which understands PCI compliance and works to educate its merchants, is invaluable. Using this opportunity to learn even the basics of card data security will not only raise a company's awareness of this important merchant responsibility but allow it to position itself as an industry leader on the subject. Rather than competing on price alone, businesses able to distinguish themselves from the competition through value-added services will enjoy greater profits and higher customer loyalty. Protecting sensitive cardholder data is a powerful, two-pronged differentiation tool, delivering peace of mind to customers and driving new sales to the door as well.