The holidays are coming, bringing heightened anticipation. Families look forward to time together, children can’t wait for presents, merchants envision boosted sales and criminals dream of a wealth of unprotected data just waiting to be hacked.
Retailers are especially susceptible to data breaches as transaction volume increases during this season, and small businesses are among the most vulnerable. According to the Payment Card Industry (PCI) Security Council, 60 percent of small businesses have experienced a cyber breach and 71 percent of hackers target companies with fewer than 100 employees. Understanding the threat is the first line of defense, with brokers serving as risk management partners to bring awareness to threats and steps to protect their clients’ businesses.
As the 2017 holiday season approaches, now is an ideal time for brokers to encourage clients to reexamine their payment processing systems. In 2016, cyber breaches cost small businesses nearly $21,000 on average. Helping clients to understand risks and liability associated with payment processing and the necessary steps to mitigate these risks will make brokers invaluable partners in combating fraud and keeping the joy in this holiday season.
Here are some reminders for brokers to share with clients heading into the busy holiday season:
EMV Chip Technology has reduced point-of-sale fraud, but hasn’t eliminated retailer risks. Unlike magnetic-stripe cards (whose unchanging data can be a prime target for counterfeiters), EMV chip cards create a unique transaction code every time they are used for payment. The implementation of the EMV global standard for computer chip cards and their authentication has dramatically curbed POS fraud, but it has certainly not eliminated the risks of data breaches.
EMV Chip Technology alone is not enough; PCI compliance is a must. First introduced in 2004, the Payment Card Industry Data Security Standard (PCI DSS) recommends that any company that accepts payment cards host data securely with a PCI-compliant hosting provider. The PCI Security Council has outlined basic security steps to protect retailers against risks. Here is an overview of some that might be overlooked:
- Protect card data and only store what is needed – Retailers should ask their payment terminal vendor or merchant bank where their systems store data and whether payment processing can be simplified. If possible, card processing should be outsourced to a PCI Data Security Standards compliant service provider.
- Make data useless to criminals – Card data shouldn’t be stored. If clients do need to store data, they should be advised to employ tokenization or encryption technologies that make card data useless if stolen. Devices that encrypt card data at the dip or swipe using a point-to-point encryption solution are ideal. Data should be encrypted at the point of transaction, not after it has been processed.
- Choose PCI Compliant Equipment and Vendors – Merchants should ensure that their payment terminal or device is on the List of PCI Approved PTS Devices, and that it supports “EMV chip.” In addition, payment software should be on the List of PCI Validated Payment Applications, and qualified professionals should be utilized.
Retailers should be advised to inspect payment terminals for tampering, install patches from vendors, and use anti-virus software set to update automatically, scan for vulnerabilities and fix issues. Although vendors are responsible for installing and servicing payment processing equipment, ultimately it is the merchant who is held liable in the case of a breach. Brokers should help retailers understand contract terms with outsourced payment vendors to ensure that they are covered.
- Protect in-house access to card data – Access to payment systems and unencrypted card data should be limited to only those employees who need access, and only to the specific data needed to do their jobs. Businesses (such as restaurants and gas stations) that require cards to be processed out of the customer’s sight need to be especially vigilant. Employee background checks and specific training, especially for seasonal employees, will help to safeguard against the risk of stolen customer data.
Even after converting to EMV Chip Technology and becoming PCI Compliant, brokers must remind clients that risks still exist. As a rule of thumb, the more features a payment system has, the more complex it is to secure. Extra features such as Wi-Fi and security cameras provide easy ways for criminals to steal customer card data. Merchants should be advised to keep web access separate from card processing terminals. The simpler a retailer’s environment, the easier it is to reduce risk.