Could Small Businesses be a TARGET for a Credit Card Data Compromise?

Target BreachBy now we’ve all seen the headlines and are aware that Target had customer credit card data leaked.  The theft of millions of credit and debit card information has been extremely expensive to the organization and has had untold costs in future sales and customer loyalty.

Although the stolen card data from smaller businesses aren’t to the magnitude of the large chain retailers, the effects are much more devastating!  The smaller retailer just doesn’t have the resources to handle a compromise.  The cost of remedying any breach, as well as the fines and restitutions required could easily cause most small businesses into bankruptcy.

The sad part is, most business owners are unaware that they are at risk for such breaches even if only using a simple swipe terminal!

To increase awareness of risks and impart the importance of Payment Card Industry Data Security Standards Compliance (PCI-DSS), I’ve interviewed a few of my personal contacts that are experts in the field.  I’ve enlisted the expertise of both Susie Maxwell, of JDS Compliance and Rose Tarrant, Risk and Compliance Officer at Signature Card Services.

Robert:  Are dial up terminals at mom and pop shops any risk for a breach?

Susie:  The biggest risk a merchant using a dial up terminal faces is on-site, and most often involves employee theft.  Examples of this include such things as an employee using a cell phone to take pictures of credit and debit cards, or simply writing down payment card data, then either selling the data, or using it to make fraudulent purchases themselves.  There have also been instances of skimmers being placed on the card reader of the terminal, which will then collect the card data for every card swiped.

Robert:  Why do you feel it’s so important for small businesses to become PCI compliant?

Rose:  It is extremely important for small businesses to become PCI compliant for a variety of reasons especially since fraudsters particularly pray on these types of businesses. Fraudsters hope that small businesses are not PCI Compliant or well-versed on recent card brand initiatives.  Additionally, smaller businesses tend to have a larger financial impact if a data breach occurs which is approximately $50k-$100k depending on compromised data. As you can imagine, this can damage a small business or worse put them out of business.

Robert:  If they are PCI compliant certified and there’s still a breach, what could happen?

Susie:   Merchants are typically held liable for replacement card-issuing costs, fines, and can also be held liable for losses attributed to fraudulent activity on the cards compromised in the breach and fines.  It has been reported that the fines can actually represent the most substantial financial cost to a merchant in the event of a breach.  Merchants who are PCI compliant prior to a breach are generally not fined, since they have demonstrated that they have done everything possible to
safeguard cardholder data.

Robert:  What is the real risk of not becoming PCI Compliant?

Rose:  The real risk is compromising your cardholders data and opening yourself up to a potential breach which results in huge card brand fines. Also,  you may lose an opportunity to demonstrate to your customers that data protection is the utmost importance to you, your business and most importantly to your customers especially in this day and age. A real life example is the recent Target breach.

Susie:  It is important to note that in addition to the obvious financial ramifications to a merchant in the event of a breach, the ramifications of losing consumer confidence are impossible to calculate, but can be expected to be huge, particularly in cases like the Target breach.

Robert:  How hard is it for a merchant with a dial up terminal to get certified?

Rose:  It is literally easy as 1-2-3. The standard SAQ’s questions for a dial up terminal are 15-20 questions.

Robert:  What does Signature do to help with the process?

Rose:  Signature Card Services supports all merchants with a committed Compliance department that manages this process with our preferred vendor, Control Scan. Signature Card Services and Control Scan are accessible to walk a merchant through an SAQ and SCAN processes which at times can be challenging.

Hearing from these experts in the industry that work hard to protect small businesses every day, really hits home that ALL businesses face threats to their customer’s card data.  However inconvenient it may be, PCI Compliance is critical to the health of a business.  As always, it’s important to have a bankcard representative that understands that aspect of your business and has an experienced team to assist in PCI-DSS certification and breach prevention!

Robert McBeath is a Certified Payment Professional and President of Cornerstone Business Solutions.  Robert has extensive experience offering merchant services and cash advances to business owners. Visit or call him at 888.979.4731.



Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.


  1. PCI compliance can be an incredibly time-consuming and taxing challenge for small businesses, no question about it. What’s important to note is that both merchants and service providers think PCI DSS compliance is all about the technical aspects – and much of it is – but they often lose sight of the fact the policies and procedures are sometime an even bigger mandate – and task – to undertake. One of the biggest challenges is getting clients to implement two (2) notable initiatives: (1). Undertaking an annual risk assessment and (2) implementing comprehensive security awareness training for all employees. There’s a wealth of free and cost-effective solutions online for both of these mandates, so it’s time that companies got serious about implementing such measures.

%d bloggers like this: