As almost everyone has heard, a number of large retailers suffered massive data breaches over the Christmas season. While all of the details around these attacks have not been made public, we can all learn from what is happening.
Over the years, we in the retail industry have gotten very good at building walls around our critical data while it is “at rest” (stored on a computer hard drive in a file like Microsoft Word or Excel). But some of the news stories about the latest data breaches have indicated the bad guys got the data while the information was “in motion” (moving through the retailer’s system during a legitimate transaction).
This illustrates the next big target for computer hackers.
They are getting even more sophisticated in their attacks and have figured out that they can’t just break through the door and grab a file of card numbers. Now they are getting into retailers’ systems and hiding while normal business is conducted.
In these cases, each time a hacked retailer processes a legitimate transaction from a customer, the hackers can copy the information down and transmit it offsite to be used on counterfeit cards.
Large and Small
This trend is not limited to retailers who use large, multi-store POS systems. Even small merchantswith stand-alone credit card terminals are being hacked.
Regardless of the method you, as a merchant, use to process your transactions, you should follow some basic rules to provide the greatest protection:
- Secure the hardware. Is your terminal attached to the counter or the wall? How is it attached? How easy is it to remove? Would you even realize if it were removed or swapped out?
- Secure the area around the device. Who has access to the device? How do you control that access?
- Lock the software. Are your computer or credit card terminal password protected? Are the passwords protected from unauthorized use? Does your terminal “lock” the software to prevent someone from loading malware? Remember, any device that has software to operate it can also have malicious code written for it.
- When did you last upgrade your terminal? If it has been more than three years, you may want to consider an upgrade. The landscape for payment processing is changing at a rapid pace; the newer terminals will protect your business.
Data Breach Plan
One of the other things I have noticed during these recent data breaches is that most of the retailers in the public spotlight have handled the public relations very well. It’s probably because they had a plan already developed for this scenario.
What is your plan?
Many business owners have thought about disaster planning and developed detailed plans in case of a fire in their building or a weather event, but what about a data breach?
In the end, seeing a retail owner or manager on the news discussing a data breach should cause you to pause and review your own situation. In many cases, it is not a case of “if it happens to you” but a case of “when it happens to you.”
So be prepared.
(Note: Michigan Retailers Association provides $100,000 in data breach protection, automatically, to all businesses that process through MRA. It’s another valuable benefit of partnering with MRA.)
John Mayleben CPP is Michigan Retailers Association senior vice president, technology and product development, and a national expert on electronic payment processing. He was the first person in Michigan and among the first in the nation to receive the Certified Payments Professional designation from the Electronic Transactions Association.