Whether businesses are prepared or not, data breaches happen. There were 1,080 breaches, exposing a total of 1.7 billion records, between January and October 2017. Regardless of size or transaction volume, any business that processes payments at a point of sale or online is at risk of a data breach. In fact, according to the Ponemon Institute and the PCI Security Standards Council, the odds of being breached are 1 in 4, and more than 80 percent of attacks target small businesses.
Small businesses are enticing to attackers because they usually have a smaller budget than larger enterprises, with less to spend on network security and IT expertise. They often run multipurpose computers on a single flat network, so every desktop can reach the same systems and data regardless of the user's job duties. Without that segmentation, one compromised machine (say, a back-office PC used for e-mail and web browsing) can reach the payment system directly, which leaves the whole network vulnerable.
Don’t Just Stop at PCI DSS Validation
Validating Payment Card Industry Data Security Standard (PCI DSS) compliance is the essential first step to protecting a business. PCI DSS is a set of technical and operational security requirements for businesses that process, store or transmit payment card data. But too many businesses stop after putting their PCI DSS compliance foundation in place, not realizing that PCI DSS is only the minimum security standard expected for protecting card payment data. Being compliant at the time of validation won't always stop a breach: rapidly evolving technology makes it difficult to stay a step ahead of criminals, and PCI processes are only as strong as the people responsible for implementing and maintaining them day to day.
Case In Point – An Unexpected Way In
Our Security team recently assisted a medium-sized retailer in the Southeast that had previously validated PCI DSS compliance and then suffered a breach that generated $545,000 in card brand assessments and more than $40,000 in PCI Forensic Investigation costs. While the customer did have PCI DSS compliance processes and operations in place, one seemingly harmless practice was overlooked, and it allowed malware to be installed on the company's payment system. The culprit? An insecure remote access connection used by a maintenance vendor. Remote access for third parties is exactly the kind of control that passes validation on paper (an account exists, a policy exists) and then drifts in practice: shared or default credentials, no multi-factor authentication, and the connection left enabled between maintenance visits. The company engaged our expertise following this incident and now has the right solutions in place to prevent this from happening again.
Our advice to businesses: "Most often we see businesses treat PCI DSS compliance as a yearly activity considered only when validation is up for renewal. Owners get so busy with the day-in, day-out running of their business that some of those compliance elements start to slip, paving the way for increased vulnerability. Maintaining compliance is very much a daily process. Any less attention on protecting cardholder data can be very costly."
Layered Protection with Safe-T™ Security Solutions - Nothing to Find, Nothing to Steal™
Every time customers present payment information at the point of sale, they trust that business to protect their card data. When that data is compromised, the business's customer relationships and reputation are often compromised along with it. According to Gemalto's 2017 Data Breaches and Consumer Loyalty report, 70 percent of U.S. consumers would stop doing business with a company if it experienced a data breach.
The best protection is layered: encryption and tokenization together remove sensitive card data from the merchant's payment system. Encryption protects the card data while it travels between the payment terminal and the processor, so an attacker who intercepts the traffic or the POS memory sees only ciphertext; tokenization ensures that what the business keeps afterwards is a surrogate value, not the card number. The result is that there is nothing for a criminal to find, so even if a payment system is compromised there is no usable card data to steal.
EMS is a leader in the area of payments security, and offers a range of cost-effective Safe-T Security Solutions that include payment card encryption and tokenization. Encryption scrambles the payment card data at the point of entry, before it reaches the merchant's software, and tokenization replaces the card number with a random token value that allows a business to perform follow-up transactions (e.g., voids and adjustments) without the sensitive data ever being present in its own systems.
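To make the tokenization half of that concrete, here is an added example of a minimal token vault and merchant point of sale. It is illustrative code written for this page, not EMS's Safe-T implementation, and it assumes a design that is common but not stated on the page: the vault lives with the payment provider, tokens are random values that keep the card's length and last four digits for receipts, tokens deliberately fail the Luhn check so they can never be mistaken for a real card number, and follow-up transactions such as voids are submitted by token. The card numbers used are constructed test PANs, not real cards.

```python
"""Added example (not Safe-T code): tokenization keeps the PAN off the merchant's systems.

Assumptions (not from the page): a provider-side vault, format-preserving random
tokens that fail Luhn, and voids performed by token. Test PANs are constructed.
"""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check: used to reject bad input and to recognise a real PAN in a data dump."""
    if not pan.isdigit():
        return False
    digits = [int(d) for d in pan]
    parity = len(digits) % 2          # digits at these positions are doubled (from the right)
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Provider side. The merchant never holds this object, only the tokens it returns."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}       # token -> PAN
        self._by_fingerprint: dict[str, str] = {}  # keyed HMAC(PAN) -> token, so a returning card reuses its token
        self._hmac_key = secrets.token_bytes(32)   # per-vault secret; never leaves the provider

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._hmac_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        fp = self._fingerprint(pan)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        while True:
            # Random body, same length as the PAN, last four digits kept for receipts.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # A token must be unique and must NOT pass Luhn, so it is never usable as a card number.
            if token not in self._by_token and not luhn_valid(token):
                break
        self._by_token[token] = pan
        self._by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the provider can map a token back; the merchant never calls this."""
        return self._by_token[token]


class MerchantPOS:
    """Merchant side: records hold only the token and a masked PAN."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self.transactions: dict[str, dict] = {}

    def sale(self, txn_id: str, pan: str, amount: float) -> str:
        token = self._vault.tokenize(pan)           # PAN goes to the provider, token comes back
        self.transactions[txn_id] = {
            "token": token,
            "masked": "*" * (len(pan) - 4) + pan[-4:],
            "amount": amount,
            "status": "approved",
        }
        return token

    def void(self, txn_id: str) -> str:
        """Follow-up transaction by token; the provider resolves the PAN on its own side."""
        txn = self.transactions[txn_id]
        self._vault.detokenize(txn["token"])        # stands in for the void call to the provider
        txn["status"] = "voided"
        return txn["status"]

    def card_numbers_found(self) -> list[str]:
        """What an attacker dumping the merchant's records would find: any Luhn-valid digit string."""
        return [
            v
            for txn in self.transactions.values()
            for v in txn.values()
            if isinstance(v, str) and luhn_valid(v)
        ]


if __name__ == "__main__":
    vault = TokenVault()
    pos = MerchantPOS(vault)
    tok = pos.sale("T1", "4111111111111111", 19.99)   # constructed test PAN
    print("token:", tok, "void:", pos.void("T1"), "PANs in merchant store:", pos.card_numbers_found())
```

The point of `card_numbers_found` is the "nothing to find" claim: after a sale and a void, the merchant database contains a token and a masked number, neither of which passes the Luhn check, so a dump of it yields no card numbers. Real-world vaults add access control, audit logging and encryption of the stored PANs on the provider side, which this sketch leaves out.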
As an added bonus, use of a Safe-T solution reduces the burden of PCI DSS compliance by eliminating quarterly scans and significantly shrinking the number of questions a customer must answer in the annual Self-Assessment Questionnaire (SAQ), because card data no longer passes through or rests in the merchant's own systems. Our Safe-T security solutions also provide financial assistance if a Safe-T protected payment environment is ever compromised.
Business owners need to protect themselves and reduce the effort required to validate PCI DSS compliance. An investment in Safe-T provides that protection and weighs favorably against the high cost of noncompliance and the risk to reputation. Together, we can make protecting cardholder data part of what we do every day for all customers.