In around 70 per cent of Visa security breaches, the victims have been smaller retailers, a Visa Canada executive says.
In recent years, criminals have been targeting smaller businesses, said Mike D’Sa, Visa Canada’s senior manager of data security and investigations.
“The criminal element has realized larger companies are more secure now so they’re preying on the smaller [ones].”
Most small retailers, he said, just don’t have the resources to rebound and regain customer confidence.
And loss of customer confidence is arguably the most damaging consequence of a data breach – especially for a small business.
There’s a strong link between a retailer’s reputation for protecting card account information and consumer willingness to shop with them, according to a survey by Javelin Strategy & Research. Based in Pleasanton, Calif., Javelin’s research focuses on the financial industry.
Only 20 per cent of those polled indicated they would continue shopping at a store if they learned it was the victim of a data breach that may have compromised their card account information.
Seventy-eight per cent said they would be unlikely to shop there any more.
Aside from a loss of customers, businesses also have to deal with unflattering media reports, fines, and potential legal action.
While there are countless security technologies available on the market, experts say adopting good data management practices is even more important.
“Know your data – what you have, where it is, and why you have it,” suggests Rosemary Jay, a partner at Pinsent Masons LLP, a law firm in London, U.K., where she specializes in privacy, confidentiality, data protection, access and related information law issues.
Businesses should also limit the number of people who have access to data, says Jay, who is author of Data Protection Law & Practice.
“Scope for abuse is wide, as data can be used in so many ways. Identity theft is one of the main abuses – where people’s details are ‘stolen’ and are used to [obtain] credit or state services.”
Visa Canada has recently released a brochure on ways small businesses can safeguard customer data.
The brochure offers suggestions on how to protect data, how to identify if your business is at risk, as well as information on the best practices of small businesses in the area of data security.
D’Sa shares his top ten tips on how to safeguard your business’ sensitive data.
1. Comply with PCI Data Security Standard – If you accept card payments, you must comply with the Payment Card Industry Data Security Standard, which sets requirements for protecting sensitive transaction information.
D’Sa says a lot of small businesses don’t see themselves as a target due to the size of their organization, but it’s a standard all businesses should comply with.
The standard, supported by major payment card brands, has been in place since 2004, and provides effective tools to protect against cardholder data exposure and compromise. It consists of 12 basic requirements for safeguarding account data, supported by more detailed sub-requirements.
2. Check your point-of-sale (POS) systems – Small businesses using commercial POS systems or payment software should contact their vendors to determine if these systems are storing data that they’re not supposed to retain after transaction authorization.
“A lot of these smaller retailers are still using computers and software applications but don’t understand the inner workings of the software. In a lot of the cases it’s not secure, stores data it shouldn’t be storing, and can be easily hacked over the Internet,” said D’Sa.
He said the system should not store chip, magnetic stripe data or the CVV2 (the three digit number on the back of the card). If it does, these data elements must be removed immediately, including any historical data that has been stored in a database or log files.
Prohibited information, such as the data on the credit card’s magnetic stripe, can, if stolen, be replicated to create another card.
“That’s very lucrative right now. Visa has prohibited the storage of that information,” says D’Sa.
3. Minimize Data Storage – Data that’s allowed to be stored – cardholder’s name, primary account number, expiration date and service code – should only be stored if needed, and must be protected in accordance with the PCI DSS.
“Get rid of it once you no longer need it,” suggests Jay.
Small businesses can also decrease their risk by only storing cardholder data if it is needed to perform a business function. If you don’t need it, don’t store it!
“By eliminating sensitive data and protecting the remaining data you’re 90 per cent of the way there,” he said, “The remaining 10 per cent comes from other controls such as firewall, intrusion detection, anti-spyware, anti-virus and so forth.”
4. Encrypt or truncate your data – Small businesses should carefully evaluate whether they are required to store full account numbers after a transaction has been authorized.
In many cases, small businesses may be able to fulfill their business requirements on some or all of their systems by retaining only a shortened portion of the account number, such as the first six and last four digits.
Small businesses that have to electronically store full account numbers for business needs must find a way to make the account number unreadable through other means, such as encryption.
Also, account numbers transmitted over public networks, such as the Internet or wireless networks, must be encrypted during transmission using technology such as SSL (secure sockets layer).
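Tips 2 through 4 describe two chores a merchant can script: finding prohibited elements (magnetic stripe track data, CVV2 values) and full account numbers that a POS system has written into logs or databases, and then removing the prohibited elements and truncating the rest to the first six and last four digits. The following is an added example, not code from the article or from Visa; the log lines are constructed, the card numbers are well-known public test numbers, and the track-2 string and field names are made up for the demo.

```python
import re

# Constructed sample log lines for the demo. The card numbers are public
# test numbers, not real accounts; the track-2 string is made up.
SAMPLE_LOG = [
    "2024-03-01 10:01:02 auth ok pan=4111111111111111 exp=12/25 amount=42.10",
    "2024-03-01 10:01:03 swipe raw=;4111111111111111=2512101?",
    "2024-03-01 10:02:15 manual cvv2=123 pan=5555555555554444",
    "2024-03-01 10:03:00 order id 1234567890123 shipped",
    "2024-03-01 10:04:00 auth ok pan=378282246310005",
]

# Any run of 13 to 19 digits is a PAN candidate; the Luhn check below confirms it.
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")
# Track 1 ("%B<PAN>^NAME^...") and track 2 (";<PAN>=YYMM...") magnetic stripe layouts.
TRACK_DATA = re.compile(r"%B\d{13,19}\^[^^?]*\^[^?]*\??|;\d{13,19}=\d{4,}\??")
# A card verification value written as a labelled field (field names assumed for the demo).
CVV_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: weeds out digit runs (order ids, timestamps) that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the PAN-length digit runs in text that pass the Luhn check."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text) if luhn_ok(m.group(0))]


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits and mask the rest (the tip's truncation rule)."""
    if len(pan) < 13:
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(lines) -> list[dict]:
    """Report every line that holds a full PAN, track data or a CVV field."""
    findings = []
    for n, line in enumerate(lines, start=1):
        pans = find_pans(line)
        track = bool(TRACK_DATA.search(line))
        cvv = bool(CVV_FIELD.search(line))
        if pans or track or cvv:
            findings.append({"line": n, "pans": pans, "track_data": track, "cvv": cvv})
    return findings


def redact_line(line: str) -> str:
    """Remove prohibited elements entirely, then truncate any remaining full PANs."""
    line = TRACK_DATA.sub("[TRACK DATA REMOVED]", line)
    line = CVV_FIELD.sub(lambda m: m.group(1) + "=[REMOVED]", line)
    return PAN_CANDIDATE.sub(
        lambda m: truncate_pan(m.group(0)) if luhn_ok(m.group(0)) else m.group(0), line
    )


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    for line in SAMPLE_LOG:
        print(redact_line(line))
```

Run against a copy of the POS application's log directory, the scan report tells you which files are retaining data the system was never supposed to keep; the redaction pass is what you would apply to historical files you must keep for other reasons. Track data and verification values are dropped outright rather than masked, because the standard does not permit storing them in any form.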
5. Check your settings and passwords – Hardware and software products come packaged from vendors with pre-set passwords and settings. Any default or blank settings and passwords should be changed prior to deployment into production.
“Change your PINs every six months, don’t use the same passwords, don’t give data if you don’t absolutely have to, and shred your own documents regularly. Recognize that your digital identity is a precious possession you need to manage and protect,” said Jay.
You should comply with current industry standards for storing passwords. Any default settings should be modified immediately.
D’Sa said employees logging into the computer system should only have limited access. “Ensure they all have unique IDs and passwords so they can be held accountable for all their actions on that computer system.”
6. Prevent employee fraud – Your business policies should be designed to prevent scams involving employees. As part of this, physical access to information, whether it resides on a computer or a file drawer, should be restricted.
Only those employees with a business need should be permitted access. Data files, paper files and laptops are all portable. Without controls in place, this information can quickly disappear.
“Ensure you know who you are hiring, do a criminal background check. In a lot of the cases we’ve seen that involved an internal breach, the employee did have a criminal background,” said D’Sa.
Scams can sometimes occur, says Jay, when a small business engages with a marketing company, for example, to improve its sales.
“Never give away or disclose data that you do not have to. Ask why organizations need particular things if they do not appear obvious. Refuse to give it and see whether they come back and explain why they need it. Check your credit file. Tell companies once you no longer intend to deal with them and make them remove their records.”
7. Replace missing or outdated security patches – When it comes to updating security patches, speed is essential. Many vendors today offer automated alert services that provide prompt notification to their clients. Some vendors also provide automated patching mechanisms.
If a patch cannot be applied immediately, other precautions to reduce the risk should be implemented. Also carefully monitor all affected systems in case there is a breach.
Small businesses should establish software upgrade policies and procedures to ensure patches are reviewed and installed in a timely manner.
“We have a Web site listing that merchants can check to see if the software they’re running is compliant with our security standards,” said D’Sa.
8. Use and regularly update anti-virus software – Many vulnerabilities and malicious viruses can enter the network via employees’ e-mail activities. Anti-virus software that receives frequent updates must be used on all systems susceptible to being infected by viruses and malicious software.
9. Be careful with your documents – All sensitive material – including faxes, email, photocopies and traditional mail – should not be “left lying around”. Be sure to lock it in the appropriate file cabinets or desk drawers. Sensitive data that is being thrown out should be shredded prior to disposal.
“We still have criminals doing ‘dumpster diving’ and stealing drafts that way. If your garbage has been stolen, that’s a concern as well.”
D’Sa said missing receipts and retail drafts are cause for concern. Ensure that you’re disposing of paper drafts securely by shredding them.
“If you get junk mail you don’t expect, ask where they got your name and check who is selling it,” said Jay.
10. Regularly test security systems and processes – Many small businesses perform little or no regular testing on the adequacy of the security controls that protect their network and Web site applications.
“You want to monitor your computer system. Make sure there’s no tampering or extra devices put on those terminals,” said D’Sa.