
Are You at Risk for a Customer Data Breach?
They range from a Georgia pizzeria that lost 2,000 customer records to an Ohio dry cleaner that lost just 100. They are small businesses that suffered data breaches during 2010, according to the Identity Theft Resource Center.
The 662 data breaches reported by all businesses in 2010 do not reflect the real impact on small firms, according to Rob McMillon, director of solution development for RSA, a Bedford, Massachusetts, security vendor.
“All too often, either [small businesses] don’t know that they’ve been breached or they handle it in-house and sweep it under the rug,” says McMillon. “And it’s never reported because they don’t want to face the negative repercussions.” Consequences can include the cost of notifying customers, as most states now require by law, as well as fees, fines, and other penalties, such as higher per-transaction costs charged by credit card companies.
A survey of small retailers by the National Retail Federation and First Data Corporation, a payment-processing firm, shows more than 60 percent of smaller merchants do not know that the card brands can fine them for each card that has to be canceled and reissued because of a data breach. A study by the Ponemon Institute, a privacy research firm, pegged the average cost to companies at $204 per customer record breached.
“The typical actual out-of-pocket financial cost to a small business that gets breached is a five-figure sum,” McMillon says. “Those are mom-and-pop merchants, and that can be enough to drive them out of business.”
While state laws require that businesses report data breaches, rules for how businesses should protect data and decrease their security risk primarily come from industry. The PCI Security Standards Council, founded by American Express, Discover, JCB, MasterCard, and Visa, sets benchmarks in the PCI Data Security Standard (PCI DSS). One that applies to smaller companies is a requirement for an annual self-assessment of security policies and procedures, the Self-Assessment Questionnaire. Only about half the small retailers in the NRF/First Data survey said they had completed the required self-assessment.
Merchants can download copies of the self-assessment from the PCI website. It helps guide companies of any size in procedures that promote better security. For instance, one requirement says merchants must never store a customer’s personal identification number, card verification code, or full magnetic-stripe data once a transaction has been authorized, even in encrypted form. Other benchmarks that can reduce your company’s risk of a customer data breach include the following:
- Protecting stored cardholder data by, for instance, showing no more than the first six and last four digits of a card number when it is displayed
- Providing secure authentication features, including requiring unique user IDs for administrative access to cardholder data
- Logging uses of payment software and being able to link activities to individual users
- Developing payment software in a safe manner by, for instance, not using actual customer data for testing
- Protecting wireless data transmission with strong encryption (WPA2 rather than the broken WEP, which the standard no longer permits), strong passwords, and other means
- Testing payment software for security weaknesses
- Protecting networks with antivirus software and firewalls
- Never storing cardholder data on a computer that is directly reachable from the Internet
- Requiring two-factor authentication, such as a password plus a smart card or hardware token, for remote access to the network
- Encrypting sensitive data sent over public networks with strong cryptography, such as TLS
To allow business owners to concentrate on other affairs, some elements of data security can be outsourced. First Data offers Transarmor, for instance, which encrypts card data at the point of sale and replaces the card number with a substitute value, a token, so that the merchant’s own systems never hold the real number. First Data also helps Transarmor customers fill out self-assessments of their data security.
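The list above and the tokenization service just described boil down to a few concrete handling rules: mask a card number whenever it is displayed, never keep the verification code or PIN once the authorization is done, keep card numbers out of the audit log, and store a token rather than the number itself. The following Python is an added example written for this page to show those rules in working code; it is not code from the article, RSA, First Data, or the PCI Council. The field names, the in-memory token vault, and the sample transaction are all constructed for illustration; a real deployment would rely on the processor’s vault, not a merchant-side dictionary.

```python
"""Added example (not from the article or any vendor): PCI-style handling of
card data. Field names, the in-memory vault and the sample data are assumptions
made for illustration."""
import re
import secrets

# Sensitive authentication data (SAD): PCI DSS forbids storing these after
# authorization, even encrypted. The field names are this example's own.
SENSITIVE_AUTH_FIELDS = frozenset({"cvv", "pin", "pin_block", "track1", "track2"})


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check. Real PANs pass it, which lets us tell card numbers
    apart from other long digit strings (order numbers, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form of a PAN: at most the first six and last four digits,
    the PCI DSS limit when a card number is shown on screen or paper."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


_PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def redact_pans(text: str) -> str:
    """Mask any Luhn-valid 13-19 digit run before a line reaches the log, so
    the audit trail the standard calls for does not itself store card data."""
    return _PAN_RE.sub(
        lambda m: mask_pan(m.group()) if luhn_valid(m.group()) else m.group(),
        text,
    )


class TokenVault:
    """In-memory stand-in for a processor's tokenization service: the merchant
    keeps only the token, the vault keeps the PAN. Tokens preserve the length
    and last four digits (so receipts and lookups still work) but are made to
    fail Luhn, so a token can never be mistaken for, or used as, a real card."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("refusing to tokenize an invalid PAN")
        if pan in self._token_by_pan:          # same card, same token
            return self._token_by_pan[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def record_for_merchant_storage(txn: dict, vault: TokenVault) -> dict:
    """What the merchant may keep once authorization is complete: a token and
    the masked PAN instead of the card number, and none of the SAD fields."""
    stored = {k: v for k, v in txn.items()
              if k not in SENSITIVE_AUTH_FIELDS and k != "pan"}
    stored["token"] = vault.tokenize(txn["pan"])
    stored["pan_masked"] = mask_pan(txn["pan"])
    return stored


if __name__ == "__main__":
    # Constructed sample: a well-known test card number and a made-up order.
    vault = TokenVault()
    txn = {"pan": "4111111111111111", "cvv": "123", "amount": "18.50", "order": "A1001"}
    print(record_for_merchant_storage(txn, vault))
    # The 13-digit order number fails Luhn and is left alone; the PAN is masked.
    print(redact_pans("auth ok pan=4111111111111111 order=1234567890123 user=alice"))
```

The Luhn filter in `redact_pans` is deliberate: masking every long digit run would also mangle order and phone numbers, while masking only Luhn-valid runs catches real PANs with few false positives. Tokens that fail Luhn are a common vault design because any code path that accidentally treats a token as a card number will fail validation instead of charging a card.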
While no product or procedure can guarantee a small business won’t experience a customer data breach, following best practices can reduce the risk. “Obviously it’s important,” says McMillon. “Bad guys attack small merchants as much as big merchants.”