Nearly everyone is aware of credit card fraud – it’s in the news on a daily basis. Crooks are becoming more and more savvy about how they collect credit card data. According to a new study released by Verizon Business, 96% of the victims of these attacks were subject to PCI DSS but had not achieved compliance, 97% of those breaches were avoidable through simple or intermediate controls, and 79% of victims were targets of opportunity. Many businesses are aware of the card associations’ requirements, but many don’t understand the importance of taking every available step. Taking the steps required by the credit card associations can save you a little money right away and protect you from spending big money if credit card information is stolen from your business.
In today’s environment, some reports claim that as much as 80% of stolen credit card data is taken from businesses, which is why the card associations created these requirements. Often I hear small businesses tell me that they are too small and the rules don’t apply to them – which is incorrect. Any business that accepts payment by credit card is required to be PCI DSS (Payment Card Industry Data Security Standard) compliant.
So what does this mean? It varies depending on how you collect and transmit the data to your processor, as well as the volume you process. Every business needs policies about how the data is handled, to limit the exposure of your clients’ credit card information. Determine who handles the data, how they store it, and where. Do they keep it in a pile on their desk for input later? That could cost you thousands. Decide who is responsible for each area, and to whom an employee should report it if they think another employee is doing something incorrectly or suspicious.
Do you collect data offsite? If so, what steps are you taking to store and safeguard that information? Do you realize how large the risk to your company is? It may seem like only a few hundred or a few thousand dollars in receipts, but the cost of a data loss grows quickly. There are fines, which vary according to whether you are actually compliant, and you are always responsible for the cost of the breach itself, which includes the letters to cardholders, reissuance of cards and any fraudulent transactions.
If the card associations even suspect that your business has lost credit card data, they send a forensic team to your business to review all of the requirements. Some of the things they look for are:
• Are you using software to process your payments or do your clients pay on your website? If so, are you using an approved vendor to vulnerability test the system?
• Do you store any data? Is it encrypted or are you using tokens?
• Do you have up-to-date firewalls, and have you changed all the administrative passwords for all of your software systems?
Don’t laugh: people often leave the default administrative passwords in place so they can always recover them, but the crooks know those passwords too.
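The second question above asks whether stored data is encrypted or replaced with tokens. The example below, written for this article and not taken from any processor’s product, shows what tokenization means in practice: the business’s own order record keeps only a random token and a masked display value, and the real card number lives in a separate vault that only the component talking to the processor may query. The vault here is a constructed in-memory dictionary standing in for that separate system, and 4111111111111111 is a widely published test number, not a real card.

```python
import secrets
from typing import Dict, Optional

# Constructed stand-in for the token vault: maps token -> PAN. In a real
# deployment this lives in a separate, tightly controlled system (often at the
# processor), never in the same database as the business's order records.
_VAULT: Dict[str, str] = {}


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check.

    This is a formatting sanity check only; it says nothing about whether the
    card is real or active, so it must not be treated as authorization.
    """
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form suitable for receipts and screens: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


def tokenize_pan(pan: str) -> str:
    """Replace a PAN with a random token.

    The token is generated with the OS CSPRNG and carries no information about
    the PAN, so a record that holds only the token is not cardholder data.
    """
    if not luhn_valid(pan):
        raise ValueError("not a well-formed card number")
    token = secrets.token_urlsafe(24)
    while token in _VAULT:      # collisions are vanishingly unlikely; keep tokens unique anyway
        token = secrets.token_urlsafe(24)
    _VAULT[token] = pan
    return token


def detokenize(token: str) -> Optional[str]:
    """Vault lookup. Only the component that submits charges to the processor
    should be able to call this; everything else works with the token."""
    return _VAULT.get(token)


def store_order(order_id: str, pan: str) -> dict:
    """What the business's own order record should look like: a token plus a
    masked display value, never the PAN itself."""
    return {
        "order_id": order_id,
        "card_token": tokenize_pan(pan),
        "card_display": mask_pan(pan),
    }


if __name__ == "__main__":
    record = store_order("order-1001", "4111111111111111")
    print(record)
    # The record a forensic team would find on this system contains no PAN.
    assert "4111111111111111" not in str(record)
```

The point for a small business is the split: the order system, the desk, and the backups only ever see `card_token` and `card_display`, so a stolen copy of them yields nothing usable, and the one place that can turn a token back into a number is the part of the system that has to be locked down and tested anyway.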
Failure in any area means you are not compliant, and then there are additional fees for non-compliance. Of course, you are also responsible for the cost of the forensic team, which is easily a few thousand dollars.
Another reason it is so important to be compliant and take all the required steps to reduce the risk of a data loss is the effect on your customers. Several studies have shown that 40% or more of your customers will take their business elsewhere if you lose their data. So in addition to the high monetary cost – which ranged from $35,000 to $50,000 in 2010 for a small business – you lose revenue from lost customers. For 50% of the small businesses that suffered a loss in 2010, it meant bankruptcy.
Most processors offer a solution for their clients, often with some sort of protection: usually businesses can get financial coverage to help mitigate the cost of a data loss. This coverage typically ranges from $50,000 to $100,000; however, it usually requires the business to be compliant, or the program won’t reimburse you for any of the costs. These programs usually cost around $100 to $200 a year for smaller businesses, and the cost grows when you need more aggressive testing and have more requirements from the card associations. Don’t think it won’t happen to you, as every type of business has been affected by a data loss, and some types of businesses are targeted much more than others, restaurants being a good example.
For more information or questions please contact us at firstname.lastname@example.org