Small firms must comply with security standards or be held “liable” for breaches

Some small businesses have paid a big price for data breaches in Canada – Michael D’Sa would know. He’s the senior manager of data security for Visa Canada and privy to some investigations most people aren’t.

“Things are happening here in Canada the public doesn’t know about,” he says.

In the U.S., the law requires even the smallest company to disclose when customer data has leaked from its safe confines. In Canada, those small business breaches go unreported – but that doesn’t mean they don’t happen.

VIDEO – Michael D’Sa of Visa Canada on why compliance with PCI standards is important for small merchants.

Take the case of a Toronto restaurant that was targeted by a hacker. For months, a cyber-crook had unauthorized access, through a modem, to the software application where the restaurant stored all of its customer credit card information.

Even worse, the restaurant had been storing the magnetic stripe information for each card – something no one is allowed to do. That made them liable for the five years’ worth of data that had been leaked and the more than $1 million in fraud that was committed. Not to mention a $17,000 charge for the forensic investigation conducted by Visa to help restore compliance.

“If you’re not accountable to be compliant, then you could be on the hook for that liability,” D’Sa says. “Most businesses that get compromised end up closing in six to 12 months because of the legal liability.”

Merchants are responsible for following the standards set by the Payment Card Industry (PCI) if they accept any credit or debit card payments. That includes the Data Security Standard (DSS) designed to help protect consumers’ private information.

Staying compliant could mean taking necessary technical precautions, such as running an encrypted wireless network, keeping customer data behind a firewall, updating your anti-virus software, and more. The investment might not make you money, but it could save your business from ruin if fraudsters were to strike.

Payment Card Industry DSS stipulations are “the bible for credit card transactions” that merchants must heed whether they like it or not, says Rob Burbach, senior analyst, financial insights at Toronto-based IDC Canada.

“While they seem unreasonable, they aren’t. You have to suck it up and do it,” he says. “Security is not something that ever makes money, it just prevents you from losing it.”

Of all the credit card data breaches in Canada for 2008, more than half of the incidents took place at food service locations, according to Visa Canada. About another one-quarter of the incidents took place at retail locations.

Some key things to keep in mind for compliance are to use a cross-cut shredder to dispose of paper receipts, keep your data behind locked doors, and mask credit card numbers printed on customer receipts, D’Sa says. Merchants should never store magnetic stripe data or card verification value (CVV) numbers (the three digits on the back of the credit card under your signature), and should make efforts to store as little data as possible.

“How long do you need to store that data?” he asks. “If you need it for six months, then even one day after six months that you have the data is an extra day of liability you don’t need to take.”

Merchants should also be aware that if they’re using software to process credit card payments, that application should be compliant with Visa’s Payment Application Data Security Standard (PA-DSS).

While not directly responsible for ensuring the standard is met, merchants will soon be on the hook for liability if the software isn’t compliant.

All merchants will be required to use PA-DSS compliant software as of July 1, 2010. New merchants were required to have compliant software as of Oct. 1, 2008.

Small businesses that are choosing software should have a list of questions ready to ask the vendor, suggests IDC’s Burbach. Also, the more commonly used the software, the more likely that it’s compliant.

“Look at what other people are using,” the analyst recommends. “Get an audit done and the assessor will tell you very quickly if it meets compliance standards.”

Many merchants might not be aware of the coming shift in liability, or may just not care, Burbach adds. “Some people are going to be very surprised to find out just how much fraud there is.”

For one Toronto restaurant, that revelation came about $1 million too late.


Brian Jackson
Editorial director of IT World Canada. Covering technology as it applies to business users. Multiple COPA award winner and now judge. Paddles a canoe as much as possible.
