With each news report of large-scale customer data breaches, small business owners have been left wondering how they can protect themselves and their customers from falling victim to credit card fraud. At the same time, they’re grappling with the implications of the upcoming migration to EMV technology on credit cards. By implementing strong security measures and preparing now for the October EMV deadline, small business owners can minimize security threats and ensure their on-time compliance with the new standard.
For businesses in general and small companies in particular, customer relationships are built on trust. That’s why news reports about hackers exposing personal and financial data are so unsettling: from the customer’s perspective, that trust has been betrayed—and for the affected business, rebuilding that trust can be a painful, time-consuming process.
The last thing a company on a growth path needs is the combination of bad publicity, lost business, and lost staff hours caused by a data breach. While nothing can offer absolute protection against hackers, there are steps you can take to protect and preserve your company’s hard-won customer and vendor relationships, reputation, and prospects for sustained profitability and growth.
2. Taking care of business basics
The good news is that many security steps are easy to implement. That’s because most cyber criminals aren’t looking to exert themselves—they go after the low-hanging fruit, says Troy Leach, chief technology officer of the PCI (Payment Card Industry) Security Council, which promotes education and awareness of PCI security standards. During the past five to ten years, “the vast majority of vulnerabilities were actually very simplistic,” he says. “Somewhere between 92 and 99 percent of the breaches were known vulnerabilities that had been in existence for more than a year. We need to raise the bar and eliminate those simple things, and that will help move the needle on security.”
Passwords are one glaring example. Although in theory we all know better by now, Leach notes that the most common one in use is still “password.” If you can’t come up with something more difficult to crack than that, your password might as well be “welcomehackers.” But “probably the greatest human error element” is that many merchants don’t know where they have their cardholder data stored, he says. “Security equals the technology, the people, and the process they put in place to manage that technology.” As an extension of that thought, he notes that small businesses often store cardholder data that they don’t need to retain. If you don’t need it, don’t store it—and just like that, you’ll eliminate the risk of having that data breached.
Another common mistake among small business owners is to look for ways to economize on data security. This is not an area in which you want to rely on the services of your neighbor’s son, who is in his junior year as an IT major and has always been great with computers, Leach cautions. The same is true of your software, which should be secure, tested, and from a known and reliable vendor.
3. E-commerce and emerging trends
As you’ve probably noticed, some of your customers are using credit cards that are equipped with chips. To process chip payments, you need a chip-enabled terminal from your payment services provider, which can also help you to understand the steps you need to take to become chip-enabled. Your business is required to be ready for this migration by October, so if you haven’t started, do so now.
“Small and medium-sized merchants need to get informed. They need to do some research about what these changes are and how it’s going to affect them,” says Randy Vanderhoof, director of the EMV Migration Forum and executive director of the Smart Card Alliance. “Contact your bank, your processor, or whoever you have as your support for your payment device, and ask them about their ability to set you up for an EMV-capable terminal.”
When the new devices are delivered, he adds, “take the time to test them internally and learn about them before you turn the entire operation live, so that you have proper time to educate yourself and any employees about the changes at the terminal. Don’t create an environment where consumers are looking for your assistance to learn how to use their cards, and you are not familiar enough with the card or the technology to be able to complete the payment transaction.”
As that migration occurs, strong encryption will be more important than ever for businesses engaged in e-commerce. That’s because with the move to the EMV chip, “criminal activity is going to migrate to what is known as 'card-not-present' fraud—situations such as mail order, telephone order, and specifically, e-commerce, where the card is not physically presented by the customer,” Leach says. “So we need to be very diligent in recognizing that e-commerce merchants of any size are going to be a higher target for criminal activity very shortly. What they can do to protect themselves is find ways to encrypt that data immediately, as it’s received from their customers, in order to limit the access to that information.”
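As an added example (not code from the article, the PCI Council, or any vendor it names), the Python below shows what Leach's two points, "if you don't need it, don't store it" and "limit access to that data as soon as it is received", look like for a small e-commerce checkout: the raw form is reduced to a record that keeps no CVV and no full card number, so a breach of the order database yields nothing a fraudster can reuse. The key name, field names and the sample card number are assumptions; the keyed hash stands in for the processor-supplied tokenization or point-to-point encryption that would protect the full number in flight.

```python
# Added example, not from the article: PCI-style minimisation of the
# cardholder data a merchant keeps after a charge. The CVV is never stored,
# and the PAN survives only truncated plus as a keyed hash, so a breach of
# the order database exposes no usable card numbers. Key and record layout
# are assumptions for this example.
import hashlib
import hmac
import re

# Assumed: a secret held outside the database (secrets manager / HSM), so the
# hash cannot be brute-forced from the stored data alone.
HASH_KEY = b"example-key-stored-outside-the-database"


def luhn_valid(pan: str) -> bool:
    """Reject malformed PANs before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only first six and last four digits (PCI DSS truncation)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str) -> str:
    """Keyed hash: lets repeat customers be matched without storing the PAN."""
    return hmac.new(HASH_KEY, pan.encode(), hashlib.sha256).hexdigest()


def storable_record(intake: dict) -> dict:
    """Reduce a raw checkout form to the fields a merchant may retain.
    The full PAN is needed only while the charge goes to the processor, and
    the CVV must never be kept after authorization, so neither is returned.
    """
    pan = re.sub(r"\D", "", intake["pan"])
    if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return {
        "pan_masked": truncate_pan(pan),
        "pan_ref": pan_reference(pan),
        "expiry": intake["expiry"],
        "cardholder": intake["name"],
    }
```

The same reduction applies to mail- and telephone-order intake; anything that needs the full number (refunds, recurring billing) should be done through the processor's token rather than from the merchant's own records.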
If you’re using a cloud storage service, he adds, make sure you know where your data is being stored and how it’s being protected. And he advises taking a long-term view on your investment in new terminals: “Do the cost-effective thing of future-proofing your terminals and looking at buying not only for EMV, but for point-to-point encryption. If you do that, you’re going to have a better chance of having a longer return on your investment in new terminals.”
4. Planning for the worst-case scenario
Of course, no matter how much you prepare, and no matter how good your firewalls and security are, you can’t make your small business invulnerable to hackers and malware. “The latest statistic I read was that more than 80,000 new variants of malware are introduced every single day, so it’s very hard to keep pace with that,” Leach says. “But a great defense is to continue to monitor and scan for vulnerabilities in your network.”
In addition, he advises business owners to create an incident response plan. “It doesn’t have to be complex. It just has to include the basics of who you contact. What’s your basic mode of operation? What are the procedures that you need to be aware of?” The plan should also include a list of website resources so you don’t have to search for those addresses when you need them. Depending on where your business is located, your home state may stipulate certain data breach requirements for notifying your customers, so it’s a good idea to be aware of those in advance, as well. “You’ll be in a much better position and less stressed by having all of these resources readily available, knowing where to turn, and who to seek advice from.”
Understanding the issues and developing best practices in cybersecurity can be challenging for small business owners who are not specialists in these areas. But by seeking expert advice and developing your company’s strategy for managing data, you can reduce your risk of a breach, protect your customer relationships, and prepare your company for a more secure and successful future.
To learn more about cybersecurity, the upcoming EMV chip migration, and what your small business needs to do to meet its obligations to customers, consult these online resources.
Ten Cybersecurity Tips for Small Business is an online resource published by the Federal Communications Commission (FCC) to help small business owners “protect themselves, their customers, and their data.” http://www.fcc.gov/cyberforsmallbiz
The FCC’s Small Biz Cyber Planner 2.0 is “an online resource to help small businesses create customized cybersecurity plans.” http://www.fcc.gov/cyberplanner
This United States Computer Emergency Readiness Team page provides information you can use to learn more about cybersecurity and steps you can take to protect your small business. https://www.us-cert.gov/home-and-business
Check StaySafeOnline, a resource of the National Cyber Security Alliance, for resources that can help you “protect your business, employees, and customers from online attacks, data loss, and other threats.” https://www.staysafeonline.org/business-safe-online/
The PCI (Payment Card Industry) Security Standards Council is “an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards.” Its website includes a variety of resources developed specifically for small business merchants, including:
• PCI for Small Merchants https://www.pcisecuritystandards.org/smb/
• Protecting Your Customer’s Data from Malware https://www.pcisecuritystandards.org/pdfs/PCI-MalwareFinal-2.pdf
• Top Ten Tips for Protecting Against Card Fraud https://www.pcisecuritystandards.org/pdfs/PCI-Top-Ten.pdf
The Smart Card Alliance, “a not-for-profit, multi-industry association working to stimulate the understanding, adoption, use, and widespread application of smart card technology,” created the EMV Connection website “to assist all industry stakeholders with EMV migration.” Its merchant page covers everything “from EMV basics to detailed guidance on what merchants need to consider to develop the roadmap to accept EMV cards and devices.”
The EMV Migration Forum and the Payments Security Task Force developed GoChipCard.com “to assist consumers, merchants, and issuers with the migration to chip technology.” Resources on the site include training FAQs, a training infographic, and a guide to communicating best practices, all available via links at the bottom of the merchant page. http://www.gochipcard.com/merchant/
Bank of America, N.A. engages with Inc. to provide informational materials for your discussion or review purposes only. Inc. is a registered trademark, used pursuant to license. The third parties within articles are used under license from Inc. Consult your financial, legal and accounting advisors, as neither Bank of America, its affiliates, nor their employees provide legal, accounting and tax advice.