How many days go by between news stories involving computer breaches?
In the last month alone, with the Sony breach fresh on everyone's mind, Anthem Inc. announced that they lost 80 million records, Chick-fil-A announced that they were investigating a potential credit card security breach, and several Marriott locations managed by White Lodging (which already had a different incident in 2013) are looking into a newly reported credit card breach.
If these were the only incidents, it would still be considered a huge amount.
However, this list fails to include the more than 25 small businesses that announced breaches during the same time period. Merchants, especially small ones, wonder how they are supposed to operate their businesses effectively in a new corporate landscape in which cyber criminals attempt to steal data, especially credit cards, at every turn.
The truth of the matter is that as long as sensitive data is gathered by merchants, thieves will attempt to steal it. We are referring not only to credit card numbers, but also to driver’s licenses, social security numbers, or other personal or confidential information that can be sold on the black market.
The crux of the issue is that many small merchants are currently unable to protect this data when faced with the ever-changing technological advancements the cyber criminals are making. Clinging to the hope of a “Silver Bullet” that can fix all their woes, merchants are hoping that as the US moves to EMV chip cards for payment (like the ones used in Europe), credit card theft will become a thing of the past.
The credit card companies are pressuring merchants to accept this new type of payment card, and merchants who fail to upgrade will specifically be responsible for all credit card fraud after October of this year.
For more information about merchant liability, check out this link.
However, there is a misconception regarding EMV that any business accepting credit cards should understand.
With EMV cards, it is difficult to replicate the physical credit card from data stolen from a merchant at the time of the swipe, which is what happened in the Target breach. That does not mean that the transactions are safe from being retrieved by hackers.
In fact, EMV transactions still send credit card data in clear text that hackers can use for credit card fraud. Since creating fake cards is more difficult with these EMV cards, hackers steal the data from merchants and then perpetrate online fraud instead of in-person fraud.
In other words, criminals will steal the data and then use the credit cards to purchase merchandise from those who sell goods or services on the web.
The answer is not complicated, but it does require a shift regarding how business is conducted.
Data protection needs to be integrated into how the business runs, and security measures should not be considered “add-on” components that sit outside the core operations of the business. Security should include using up-to-date software for point of sale operations, best practices for network security such as highly secure firewalls, employee education, and testing to validate the measures in place.
A good starting point is implementing the PCI Data Security Standards. Unfortunately, many merchants find this set of requirements difficult, or impractical, to implement on their own. While it is true that PCI Data Security is complex, it is also true that there are options for managing many of the PCI components that cause small businesses so many headaches.
With physical security or an alarm system, experts are brought in to verify that physical inventory and cash are protected. There is no reason electronic security should be any different.
There are many complicated issues when it comes to protecting sensitive data. That does not mean that you cannot find support and help to both mitigate your risk and simplify what it takes to keep your electronic data secure.
In the same way that the hacking community has grown in sophistication, so has the managed security industry. With minimal effort it should be possible to determine where you have gaps in your data and security plans, and with the right consultant you should be able to find an affordable solution to help you keep your customers’ information safe.
Hacking is the new reality, and it is up to merchants to accept the fact that in the electronic era, there is a huge amount of data that entices criminals to pay attention to what is stored.
If you cannot manage the scope of the problem yourself, it is prudent to look for professional help. Ignoring the problem and hoping that you skate under the radar of the criminals is no longer an option.