Small firms must comply with security standards or be held "liable" for breaches
Many small businesses in Canada feel they're not a target for fraud. But they are in fact a favourite target of fraudsters – in one case, a Toronto restaurant was liable for $1 million in credit card fraud. Here's what you need to know to get compliant now and avoid business-killing fines and penalties. Includes video.
3/13/2009 6:00:00 AM By: Brian Jackson
Some small businesses have paid a big price for data breaches in Canada. Michael D'Sa would know: he's the senior manager of data security for Visa Canada and is privy to investigations most people aren't.
“Things are happening here in Canada the public doesn't know about,” he says.
In the U.S., the law requires even the smallest company to disclose when customer data has been leaked. In Canada those small business breaches go unreported – but that doesn't mean they don't happen.
VIDEO - Michael D'Sa of Visa Canada on why compliance with PCI standards is important for small merchants.
Take the case of a Toronto restaurant that was targeted by a hacker. For months, a cyber-crook gained unauthorized access, through a modem, to the software application where the restaurant stored all of its customer credit card information.
Even worse, the restaurant had been storing the magnetic stripe information for each card – something no merchant is allowed to do. That made the restaurant liable for the five years' worth of data that had been leaked and the more than $1 million in fraud that was committed. Not to mention a $17,000 charge for the forensic investigation conducted by Visa to help restore compliance.
“If you're not accountable to be compliant, then you could be on the hook for that liability,” D'Sa says. “Most businesses that get compromised end up closing in six to 12 months because of the legal liability.”
Merchants are responsible for following the standards set by the Payment Card Industry (PCI) if they accept any credit or debit card payments. That includes the Data Security Standard (DSS), designed to help protect consumers' private information.
Staying compliant could mean taking technical precautions such as running an encrypted wireless network, keeping customer data behind a firewall, keeping your anti-virus software up to date, and more. The investment might not make you money, but it could save your business from ruin if fraudsters were to strike.
The PCI DSS stipulations are “the bible for credit card transactions” that merchants must heed whether they like it or not, says Rob Burbach, senior analyst, Financial Insights, at Toronto-based IDC Canada.
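The restaurant above was liable because it kept full magnetic stripe data. As an added example that is not from the article, from Visa or from the PCI council, here is a Python sketch of the distinction a merchant's point-of-sale software has to make: parse a constructed Track 2 swipe, keep only the fields that may be retained after authorisation, and scan stored text (logs, database dumps) for raw track data that should never have been written. The sample PAN is the standard Visa test number, and the log line is constructed.

```python
import re

# Constructed sample Track 2 swipe in the ISO/IEC 7813 layout: start sentinel ';',
# PAN, separator '=', expiry YYMM, 3-digit service code, discretionary data (which
# carries the card verification value), end sentinel '?'. The PAN is the standard
# Visa test number 4111 1111 1111 1111, not a real card.
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890123?"
# Constructed POS log line showing the restaurant's mistake: a raw swipe written to disk.
SAMPLE_LOG_LINE = "2009-03-13 POS debug: swipe " + SAMPLE_TRACK2 + " auth=OK"

TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check so a malformed PAN is rejected before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def record_for_storage(track2: str) -> dict:
    """Return only what a merchant may keep after authorisation.

    Full track data, the service code, discretionary data and the CVV2 must
    never be retained. The PAN is kept here only truncated (first six and
    last four digits), one of the forms PCI DSS accepts; the expiry may be kept.
    """
    m = TRACK2_RE.fullmatch(track2)
    if not m or not luhn_ok(m["pan"]):
        raise ValueError("not a well-formed Track 2 string")
    pan = m["pan"]
    return {"pan_truncated": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": m["exp"]}


def contains_track_data(text: str) -> bool:
    """Defender's check: does stored text (logs, DB dumps, backups) hold a raw swipe?"""
    return TRACK2_RE.search(text) is not None


def redact_track_data(text: str) -> str:
    """Scrub any raw swipe found in stored text so the rest can be kept safely."""
    return TRACK2_RE.sub("[TRACK2 REDACTED]", text)


if __name__ == "__main__":
    print(record_for_storage(SAMPLE_TRACK2))
    print(contains_track_data(SAMPLE_LOG_LINE), redact_track_data(SAMPLE_LOG_LINE))
```

Running `contains_track_data` over existing logs and database exports is a quick way to find out whether a system has been retaining stripe data without anyone realising it.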
Page Navigation
1) "Most businesses that get compromised end up closing in six to 12 months." - Page 1
2) "Security is not something that ever makes money, it just prevents you from losing it." - Page 2
3) Never store magnetic stripe data or CVV numbers on the back of the credit card. - Page 3