Could Small Businesses be a TARGET for a Credit Card Data Compromise?

By now we’ve all seen the headlines and are aware that Target had customer credit card data leaked.  The theft of millions of credit and debit card records has been extremely expensive to the organization and has had untold costs in future sales and customer loyalty.

Although the card data stolen from a smaller business isn’t of the magnitude of a large chain retailer’s, the effects are much more devastating!  The smaller retailer just doesn’t have the resources to handle a compromise.  The cost of remedying a breach, plus the fines and restitution required, could easily push most small businesses into bankruptcy.

The sad part is, most business owners are unaware that they are at risk of such a breach even if they only use a simple swipe terminal!

To increase awareness of the risks and impart the importance of Payment Card Industry Data Security Standard (PCI-DSS) compliance, I’ve interviewed a few of my personal contacts who are experts in the field.  I’ve enlisted the expertise of Susie Maxwell of JDS Compliance, and Rose Tarrant, Risk and Compliance Officer at Signature Card Services.

Robert:  Are dial-up terminals at mom and pop shops at any risk of a breach?

Susie:  The biggest risk a merchant using a dial-up terminal faces is on-site, and most often involves employee theft.  Examples of this include an employee using a cell phone to take pictures of credit and debit cards, or simply writing down payment card data, then either selling the data or using it to make fraudulent purchases themselves.  There have also been instances of skimmers being placed on the card reader of the terminal, which will then collect the card data for every card swiped.

Robert:  Why do you feel it’s so important for small businesses to become PCI compliant?

Rose:  It is extremely important for small businesses to become PCI compliant for a variety of reasons, especially since fraudsters particularly prey on these types of businesses. Fraudsters hope that small businesses are not PCI compliant or well-versed on recent card brand initiatives.  Additionally, smaller businesses tend to have a larger financial impact if a data breach occurs, which is approximately $50k-$100k depending on the compromised data. As you can imagine, this can damage a small business or, worse, put them out of business.

Robert:  If they are PCI compliant certified and there’s still a breach, what could happen?

Susie:  Merchants are typically held liable for replacement card-issuing costs and fines, and can also be held liable for losses attributed to fraudulent activity on the cards compromised in the breach.  It has been reported that the fines can actually represent the most substantial financial cost to a merchant in the event of a breach.  Merchants who are PCI compliant prior to a breach are generally not fined, since they have demonstrated that they have done everything possible to safeguard cardholder data.

Robert:  What is the real risk of not becoming PCI Compliant?

Rose:  The real risk is compromising your cardholders’ data and opening yourself up to a potential breach, which results in huge card brand fines. Also, you may lose an opportunity to demonstrate to your customers that data protection is of the utmost importance to you, your business and, most importantly, your customers, especially in this day and age. A real-life example is the recent Target breach.

Susie:  It is important to note that in addition to the obvious financial ramifications to a merchant in the event of a breach, the ramifications of losing consumer confidence are impossible to calculate, but can be expected to be huge, particularly in cases like the Target breach.

Robert:  How hard is it for a merchant with a dial-up terminal to get certified?

Rose:  It is literally as easy as 1-2-3. The standard SAQ for a dial-up terminal is 15-20 questions.

Robert:  What does Signature do to help with the process?

Rose:  Signature Card Services supports all merchants with a committed Compliance department that manages this process with our preferred vendor, Control Scan. Signature Card Services and Control Scan are available to walk a merchant through the SAQ and scan processes, which at times can be challenging.

Hearing from these industry experts, who work hard to protect small businesses every day, really hits home that ALL businesses face threats to their customers’ card data.  However inconvenient it may be, PCI compliance is critical to the health of a business.  As always, it’s important to have a bankcard representative who understands that aspect of your business and has an experienced team to assist in PCI-DSS certification and breach prevention!

Robert McBeath is a Certified Payment Professional and President of Cornerstone Business Solutions.  Robert has extensive experience offering merchant services and cash advances to business owners. Visit or call him at 888.979.4731.



Death, Taxes and PCI-DSS Compliance

March 15th of this year marked the 100th anniversary of the 16th amendment being ratified.  At that time, the U.S. was officially allowed to start collecting income tax.  I can only imagine how people must have felt to suddenly be forced to comply with reporting their income and paying a portion of it to the government.

I can relate because I was in the merchant services industry for a decade before Payment Card Industry Data Security Standards Compliance Rules came about.  I feel much the same way about it as I do about paying income tax.  I think most merchants that accept credit cards will agree with my opinion.  It’s complicated, we don’t like it, don’t really have the time to deal with it, but we don’t have a choice so let’s get it over with.

So, much like pulling a band aid off, let’s make this quick, cover the very basics that you need to know, and get it over with:

“What is PCI Compliance?”  The Payment Card Industry Data Security Standard was created as a set of rules for all businesses that accept credit cards, to protect the cardholder data they process.  Essentially, the card brands want to ensure that businesses accept cards in a secure manner, and that those businesses are ultimately liable for any breaches.  Possible cardholder information leaks range from employee theft of one customer’s card information all the way up to computer viruses in POS systems, and even processor hacks, such as the 2008 Heartland Payment Systems compromise of millions of transactions.  The Standard is set as a way to minimize these risks.

“As a small business, do I have to be PCI Compliant?”  Yes, whether we like it or not, all merchants are contractually obligated not only to be PCI compliant, but also to be certified as such.  The ‘big four’ are very serious about this, and are pushing all the processors to get their customers compliant.  As an agent, it’s my job to inform and help my customers with this mandatory regulation.

“What if my business just ignores the PCI requirements?”  Well, unfortunately many businesses do, and it’s an unnecessary and severe risk to the health of a business as well as an added expense.  Most ISOs will assess a business a monthly penalty of $20 or more to offset the risk of being non-compliant, but that’s minimal compared to where the real cost lies. The goal of meeting the standards in the first place is to identify and minimize the risk of an expensive compromise of sensitive customer information.  Any breach of data can be catastrophic to a business.  If this happens to a non-compliant business, fines range up to $500,000 and would certainly be the DEATH of most businesses.

“So what does it mean for my business to be PCI Compliant?”  A business that accepts credit cards must be certified compliant.  The PCI Security Standards Council has approved more than 130 Approved Scanning Vendors (ASVs).  These approved companies assist businesses with a Self-Assessment Questionnaire (SAQ) and also a network security scan for merchants that store data or process via an internet connection.  When all criteria are met to satisfaction, a business will be certified PCI compliant.

“Where should my business go to get this PCI Certification?”  Although in theory merchants could utilize any of the ASVs, or possibly even self-certify, the bank card processor is going to have a relationship with an ASV that they will want utilized.  When a merchant account is established, the provider will help establish a relationship with an ASV, which will then report to them when the business is certified.  Communication may come directly from the ASV.  My personal recommendations for ASVs are ControlScan and Justified Data Security.

“Alright then, what do I have to do to get PCI Compliant?”  The ASV will give you their website address with a secure login ID and password.  Log in and complete the SAQ, which is a series of questions that assess your card acceptance systems and evaluate risk.  If you are utilizing a POS system or processing through an internet connection, then a scan will be required as well.  A scan is a fairly simple press of a button that allows the ASV to remotely search for security risks using their software.  When the SAQ evaluation and the scan are passed, a PDF certificate is provided.  If you use the ASV recommended by the processor, the processor will automatically be notified and their systems will be updated.

“What if I need help with my SAQ?”  The ASV will provide you a phone number for their qualified customer service agents, who can help walk a merchant through the questionnaire quickly.  Unfortunately, neither the agent nor the bank card processor’s customer service can help with these issues, as they are not vendors approved by the PCI Security Standards Council.

“How much will this PCI Compliance cost?”  Pricing varies among ASVs and the services required.  A small business can expect to be charged between $79 a year and $29.95 quarterly.  Although the services come from an outside vendor, the charges will usually come through the merchant account and show up on the merchant statement.

“I have to do this PCI Compliance Questionnaire every year!?!”  Yes.  Being PCI compliant is not a one-time event.  Security is an ongoing responsibility for merchants accepting cards.  Every year businesses will be contacted to re-validate their status.

Okay, that’s PCI in a nutshell.  Now, if you’re the type that likes paying taxes and find tax code interesting, you might also appreciate much more detailed information on PCI Security Standards by going directly to the official Security Standards site.
