How to Protect Your Business From a Data Breach
4 Common Ways Data Breaches Occur and How to Stop Them
In today’s high-tech, hyperconnected world, the unfortunate reality is that data breaches are becoming a widespread problem.
In 2013, the nation’s number two general merchandise retailer, Target, announced that 40 million customer records—including credit and debit cards—were stolen during the busy Thanksgiving to Christmas holiday shopping season.
After further investigation, Target revealed that an additional 70 million records were compromised, bringing the total to a catastrophic 110 million customer records.
Immediately after, on Jan. 11, 2014, Neiman Marcus announced that it too suffered a data breach, with some estimating that about 1.1 million customers were affected.
Most recently, P.F. Chang’s China Bistro made headlines when it announced that it, too, had suffered a data breach involving customers’ credit and debit cards.
In 2012 alone, 621 confirmed data breaches were reported in the United States, resulting in the theft of over 44 million sensitive consumer records—including millions of debit and credit card account numbers.
The average organizational cost of a data breach is an astonishing $5,400,000 with a $277 average cost per stolen record.
Given that many merchants rely on credit cards as a means to accept payments, it is very important to make sure you are securely accepting these cards and not exposing your company to a potential breach. (Sources: Ponemon Institute, 2013 Cost of Data Breach Study, May 2013; Verizon RISK team, 2013 Data Breach Investigation Report, April 2013; First Data Corporation.)
By no means am I a data breach or PCI compliance guru, but as the CEO of a company that (with our partners) processes well over a billion dollars in credit cards sales, I have a firm understanding and a “close to home” feeling of what could happen.
Remember, it’s not just credit cards that need to be protected, but any data about a customer, like her birth date or address.
Just how do breaches happen? Here are the four most common ways:
Network Intrusion
This is when hackers misuse or break into a system with the intent of stealing data. Your data can be hacked whether it is stored locally on your own network, as with Target, or with a software provider, as was the case with CCO.
This represents the majority of fraud that takes place today.
Skimming
This is most prevalent at gas stations, ATMs, and restaurants, but I could see it as an area of weakness in niche industries, such as limo operators who allow chauffeurs to process credit cards in vehicles.
In this case, skimming happens when an employee, contractor, or outside fraudster attaches a skimmer (a small electronic device) to the card-reading hardware to capture and store card numbers.
Using skimming techniques, thieves can gather account information, PINs, and even CVV2 numbers. While it is the least likely of the four to happen, you should understand your possible exposure if you have mobile card readers or even tablets that capture customer data.
Insider Fraud
This is most often theft from customers, or from the business itself, by a rogue employee. Keep in mind that employees (or contractors) who take reservations or otherwise have access to credit cards can steal this data and abuse it.
In most cases this is easier to trace, but it is still your company that is on the line.
Malware
One method brought to public attention by several large, high-profile breaches is malware.
Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
It comes in many forms, including viruses, Trojan horses, spyware, adware, and in some cases legitimate software containing harmful bugs.
Target CEO Gregg Steinhafel said the company had established that its POS machines were infected with malware.
For quite some time, cyber criminals have been targeting consumer data entered in POS systems.
In some circumstances, cyber criminals deliver malware that captures card data as it passes through a POS system and eventually sends the stolen data back to the criminal.
Because POS systems are connected to computers or devices, they are often able to access the internet and email services.
Malicious links or attachments in emails, as well as malicious websites, can be accessed and malware may subsequently be downloaded by an end user of a POS system.
How Can You Protect Yourself?
Skimming is the easiest to protect against. It all comes down to who has access to the hardware. If you have trusted employees using the hardware in the field, then make sure they keep it in their possession and only hand it to the client for payment.
The only real way a skimmer can be added is by your internal staff or a client who has enough time to install it.
I would focus on making sure you fully trust any employee who has credit card processing hardware, and that they never leave this hardware in the hands of customers any longer than necessary.
Like skimming, insider fraud is also an area that can be prevented by keeping close tabs on those who have access to accounting or money. Believe it or not, you do need to watch over all employees who have access to sensitive data—even if they are friends or family.
Your software will often allow you to set parameters of access. If you have a new hire running cards, for example, you may want to control his settings so that he cannot run refunds.
That way he doesn’t have the capability to either make a mistake, or fraudulently add money to his own or a friend’s credit card.
I encourage all merchants to abandon the idea that it cannot happen to you, as it can and does daily.
With network intrusion, start by determining if you host and store sensitive data, or if you rely on a software or cloud-based solution.
If you are hosting, you need to religiously follow the Payment Card Industry Data Security Standard (PCI DSS), which is maintained by the PCI Security Standards Council.
Depending on your PCI compliance level, different requirements and self-assessment questionnaires (SAQs) apply; however, all of them are designed to minimize risk and should be taken very seriously.
Additionally, you should ensure that whoever manages your IT keeps your firewalls properly configured and applies every needed patch to keep intruders out; this must be monitored continuously.
If you host data, I highly suggest hiring a professional who specializes in securing systems and is well versed in PCI compliance and data theft.
If you are relying on an external or cloud-based software system, generally that company holds the risk in a data breach.
Most modern software systems are set up so that operators simply pass data (often encrypted) through a secure channel, which shifts data storage and PCI compliance to the software provider.
This is the recommended approach, and it removes the direct exposure of a data breach falling on you.
There are some software solutions that have completely removed themselves from the scope of PCI by using a gateway or middleware that encrypts or tokenizes the cardholder data upon receiving it from the operator, and in this case, this is the most secure way to process credit card information.
In any case, you (and your IT professional) should consult with your provider to fully understand their security measures as well as your own exposure.
Before it Happens to You
If a data breach occurs on your internal networks or at your place of business, it can literally put you out of business.
The fines and audits alone can range up to six figures, not to mention the costs of replacing all cards that got compromised, the legal consulting and forensic fees, as well as clients losing faith in your business.
Even if the breach was a rogue employee, it is still your company’s good name—and finances—on the line.
In my career in the merchant services industry, I have seen more than a handful of clients go out of business due to a security breach being traced back to their companies.
If it occurs outside of your internal infrastructure, within a third-party reservation system, you still want to ensure you are following all PCI compliance standards, which you can learn about by speaking with your credit card processor or on the PCI Security Standards Council website.
You want to make sure you are not storing any cardholder data on your own systems, as this can have a trickle-down effect during a forensic audit.
If you are dragged into a breach and it is determined that your business was one of those compromised, you will be subject to all of the consequences that follow.
Now is a good time to analyze your business and tighten up any loose security measures.
Use this scenario as a positive to “check your oil” and ensure you are doing the most you can to protect against something like this happening to you.
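The tokenizing gateway described under "How Can You Protect Yourself?" and the check above that none of your own systems store cardholder data, as an added Python example that is not code from the original article or from any payment provider; the Gateway class, its vault, the token format and the sample card number 4111 1111 1111 1111 are constructed for illustration, and a real provider's API will differ.

```python
"""Added example, not from the article: a toy tokenizing gateway and a
PAN scanner. The Gateway class, its token format and the test card number
are constructed for illustration; a real provider's API will differ."""
import re
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; every genuine card number passes it, so a Luhn-valid
    13-19 digit run in a stored record is a strong sign of a leaked PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or dashes, not inside a longer number
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card-like numbers found in text such as a database
    dump or log file; a clean merchant system should return nothing."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


class Gateway:
    """Stand-in for the provider's gateway: the PAN stays in the provider's
    vault and the operator only ever receives a random token."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def tokenize(self, pan: str) -> dict[str, str]:
        digits = re.sub(r"[ -]", "", pan)
        if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits)):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_hex(12)   # random; not derived from the PAN
        self._vault[token] = digits
        return {"token": token, "last4": digits[-4:]}


def merchant_record(gateway: Gateway, customer: str, pan: str) -> dict[str, str]:
    """What the operator keeps: customer, token and last four digits only."""
    t = gateway.tokenize(pan)
    return {"customer": customer, "card_token": t["token"], "last4": t["last4"]}
```

Running find_pans over exports of your own databases and log files is a quick way to confirm that no full card numbers have leaked into systems that were supposed to be out of PCI scope.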
Data Breach Protection
Another step I highly recommend for all merchants is to carry data breach protection. This is generally offered through your credit card processor, and you can be covered for damages of up to $50,000-$100,000, depending on your business.
Data breach protection policies generally range from $75-$300 per year, which is a small investment to protect your business—especially given how much it can cost your company.
Data breaches have changed how we all manage our customers’ personal and financial information. Thieves target businesses, no matter how big or small, so the best protection is prevention.
Don’t think you are immune to theft as it can be right under your nose. Your customers are relying on you to keep them safe, and that includes their data.
To learn more about getting a data breach protection policy for your business, please fill out the form below and one of our friendly experts will help you out.