It's getting a lot trickier for small-business owners to keep
customers' credit card information safe from criminals. Still,
there are steps you can take. They're not free, but if you consider
the damage a security breach can inflict on your business, they're
usually a worthwhile investment.
You need look no further than the headlines to see how
widespread data security problems have become. In the autumn of
2012, thieves reportedly hacked the point-of-sale systems at 63
Barnes & Noble stores in nine states, leading to an FBI
investigation. The bookseller turned off all 7,000 keypads in its
stores and found that only one keypad in each store had been
hacked. Nevertheless, the company removed all 7,000 of them.
Not long after that, the Israel-based firm Seculert identified a
type of malware called Dexter, which steals customer data from
retailers' POS systems. It hit check-outs in 40 countries, with
hotels, shops, restaurants and parking providers all affected,
according to Seculert.
Small business = big target
Although big business might seem like the most lucrative target for
fraudsters, small companies are particularly vulnerable, say
experts. Often, owners are so busy running day-to-day operations
that they skimp on security measures -- until it's too late.
"They tend to think security and data breaches are not their
problem, because they're too small," says Julie Conroy, director of
research at Aite Group, a Boston-based research and advisory firm.
"What we've seen is that the organized criminal rings are focused
very heavily on the smaller merchants," she says.
Verizon's 2012 Data Breach Investigations Report, which covered
2011, found that there were 174 million compromised
records around the globe, the second highest total since the report
was launched in 2004 -- after hitting a record low of just 4
million in 2010. Verizon bases the report on the results of paid
forensic investigations it has done into various types of hacking,
including attacks involving POS systems.
The report attributed the increase in data theft to civil unrest
in the US and abroad, which has led to "hacktivism" aimed at
embarrassing corporate victims. Another reason for the increase has
also been a tendency of criminals to automate high-volume attacks
against weaker targets, according to the report.
Cost of crime
The price of being victimized can be high. LexisNexis Risk
Solutions found in its 2012 "True Cost of Fraud" study that
one-third of consumers will change where they shop if they have
been victimized in a fraudulent retail transaction. Merchants now
pay $2.70 in lost and stolen merchandise for every $1 of fraud --
up from $2.30 in 2011. For small merchants, the costs are steeper:
$3.10 for every $1, up from $2.70 in 2011.
Typically, says Conroy, card-issuing banks spot fraud after
noticing a pattern of consumers calling about charges they did not
make and detecting that they had all patronized a particular
business. However, spotting such a fraud can take a while at a
small business that doesn't do a high volume of credit card
transactions -- a reality that criminals recognize and exploit by
racking up fraudulent charges quickly. "They will hit hard and they
will hit fast," says Conroy.
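The pattern Conroy describes, issuers noticing that cardholders reporting bogus charges all shopped at the same merchant, is known as common-point-of-purchase analysis. The following is an added illustration, not code from the article or from any firm quoted in it; the card and merchant identifiers are constructed placeholders, and the `min_cards` threshold shows why a low-volume merchant takes longer to surface than a busy one.

```python
from collections import defaultdict

# Constructed sample data, as an issuing bank would hold it:
# (card_id, merchant, day_of_purchase). Placeholder ids only.
TRANSACTIONS = [
    ("card1", "corner_cafe", 1), ("card1", "hardware_store", 2), ("card1", "grocery", 3),
    ("card2", "corner_cafe", 1), ("card2", "grocery", 4),
    ("card3", "corner_cafe", 2), ("card3", "bookshop", 2),
    ("card4", "grocery", 1), ("card4", "bookshop", 5),
    ("card5", "corner_cafe", 3),
    ("card6", "grocery", 2), ("card6", "hardware_store", 6),
]
# Cards whose holders called in about charges they did not make (constructed).
REPORTED_FRAUD = {"card1", "card2", "card3"}


def common_point_of_purchase(transactions, fraud_cards, min_cards=2):
    """Rank merchants as candidate breach points.

    coverage   = share of all fraud-reporting cards seen at this merchant
    fraud_rate = share of this merchant's cards that later went bad
    A merchant needs at least `min_cards` fraud-reporting cards before it is
    listed; a small merchant with few card transactions therefore needs a
    larger share of its customers to complain before it shows up at all.
    """
    cards_by_merchant = defaultdict(set)
    for card, merchant, _day in transactions:
        cards_by_merchant[merchant].add(card)
    results = []
    for merchant, cards in cards_by_merchant.items():
        hit = cards & fraud_cards
        if len(hit) < min_cards:
            continue
        results.append({
            "merchant": merchant,
            "fraud_cards": len(hit),
            "total_cards": len(cards),
            "fraud_rate": len(hit) / len(cards),
            "coverage": len(hit) / len(fraud_cards),
        })
    # Strongest candidate first: most of the bad cards, highest local rate.
    results.sort(key=lambda r: (r["coverage"], r["fraud_rate"]), reverse=True)
    return results


if __name__ == "__main__":
    for row in common_point_of_purchase(TRANSACTIONS, REPORTED_FRAUD):
        print(f"{row['merchant']}: {row['fraud_cards']}/{row['total_cards']} cards bad, "
              f"coverage {row['coverage']:.2f}")
```

With the sample data the cafe is the only merchant all three complaining cardholders share; raising `min_cards` to 3 drops the grocery from the list entirely, which is the delay the article describes for merchants with few card transactions.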
If the bank ultimately traces a breach to a merchant's failure
to comply with the Payment Card Industry Data Security Standard --
a set of industry rules to avoid fraud -- the merchant can be fined
as issuers pass along their losses, she says.
"Sometimes, these fines can put them out of business," says
Conroy. "For a small breach, it will be in the hundreds of
thousands of dollars. For a big breach, it will be in the
millions." Some larger breaches have resulted in criminals
penetrating the POS system of multiple stores with the same
ownership, magnifying the losses, she notes.
Protect your data
Fortunately, there is a lot merchants can do to protect themselves
from common types of fraud, such as theft of customer information
through POS malware. Verizon's report notes that most of the
breaches it covered were preventable.
At the most basic level, retailers should make sure that when
they hire an integrator to install their POS system, the
installer changes the default password. It should be something
unique, not the stock password that the installer uses with all of
his customers, says Chris Pogue, director of incident response at
Trustwave's SpiderLabs, a Chicago-based ethical hacking firm that
helps clients avoid criminal attacks. "The easiest way to do that
is change your password," he says.
Other key steps are changing the port for remote administration
tools such as LogMeIn that are used by the vendor who services the
network -- and using a firewall to restrict access to the network,
according to a white paper from Trustwave. Disabling access and
requiring a vendor to get permission to use it when needed can also
prevent breaches that might occur if access were open all the time.
Security as deterrent
Determined hackers may be able to get around passwords, but many
won't bother. "The attackers are smart," says Pogue. "They have
quotas just like anyone else does. They have to compromise a
certain number of systems. If they've got to fiddle and futz around
with yours and the guy next door isn't doing anything, they're
going to leave you alone and go to the guy next door."
For many merchants, the most cost-effective preventive measure
is using the POS security system that their card issuer offers,
says Conroy. Some, like Visa, offer end-to-end encryption, which
encrypts customers' data during a swipe and decrypts it at its
destination. It's often possible to pay a small monthly fee to add
this service to an account, says Conroy.
It's also important for merchants to keep their POS software up
to date, says Jerry Irvine, chief information officer of
Schaumburg, Ill.-based consultancy Prescient Solutions, and member
of the National Cyber Security Task Force. "[Updates and patches]
are things that companies put out to keep viruses and hacking from
occurring," he says. While many retailers like the convenience of
wireless networks, it's best to avoid using them to connect a POS
system if you can, Irvine advises.
Separate surfing from selling
Retailers who use a PC-based terminal should avoid using it for
email, which can carry malware. Likewise, make sure that employees
do not use it to surf the web, say experts. "Separate it from the
computers used in the store," says Walter Pearce, principal
security researcher at the cyber security firm Casaba in Redmond,
Wash. He says it should be secured 24/7.
It's also important to make sure that devices haven't been
inserted into card readers to steal customer information. You can
feel for the devices yourself or have a trusted worker do it. "Have
your employees put their hand in the part you put your credit card
in," advises Irvine. "Does it have any extra plastic?" Often, it's
a good idea to sign up for a service contract from your POS system
vendor so that someone who is knowledgeable about swiping devices
can inspect them regularly, says Pearce.
Stores with self-checkout stations can be especially vulnerable
because cashiers may not be keeping an eye on them. In 2011, more
than 20 Lucky stores in California were victimized in a skimming
scheme in which devices were inserted into self-checkout stations.
At the time, the chain announced that the devices grabbed
information from both customers and employees and that money had
been stolen from some of their accounts, according to published
The enemy within
The most basic security begins with the people you think you know.
Make sure that cashiers scan cards in the presence of customers, so
that rogue employees can't surreptitiously scan cards on their own
devices and steal the data, Irvine adds. "Internal theft and
hacking is always the most prevalent," he says.
To prevent breaches, Pearce recommends using security cameras to
monitor computers and other devices in a POS system -- particularly
after hours. An unscrupulous janitor who has access to the premises
when no one is around might otherwise be able to add a device to a
credit card terminal undetected, he notes.
Some criminals have gotten so bold that they have impersonated
computer service teams to enter stores in broad daylight. It's
important to ask questions if repair personnel you don't know make
an unexpected visit, notes Conroy. "Employees need to be aware of
people who come into their store to service their machines," she
says. "They need to be asking for credentials." That may seem
extreme but given the potential cost of fraud, experts say steps
like this are well worth it.