With recent personal information heists receiving national attention, many local business owners are on high alert when it comes to cybercrime. Because Internet crime evolves every day, so too must the security measures used to keep merchants and consumers safe.
Recently, hackers infiltrated WikiLeaks, Walgreens, McDonald’s and all the Gawker blogging websites. Locally, Jason’s Deli had hundreds of credit card account numbers stolen when its computers were infected by a virus, which left many Memphians rushing to report bogus charges made all over the world to their bank accounts, in some cases just minutes after they paid for their lunch.
Some may ask how much one can find out about a person simply by knowing an e-mail address and a birthday, which is what was taken from the McDonald’s website. The answer: not too much, unless the e-mail account’s security question happens to be directly related to the birthday, in which case a hacker could gain access to that e-mail account and all the personal information inside.
The Gawker breach, which exposed 1.3 million usernames and passwords, has potential to be catastrophic considering that many people use the same usernames and passwords for every website they visit, including bank accounts. While it’s tempting to give only the seemingly more egregious attacks urgent attention, that may not be the prudent course of action.
Vaco Memphis partners Joe Fracchia and Dr. Suzanne Miller are on the front line of this issue. Vaco, a family of 26 limited liability companies specializing in permanent and consulting placement for companies with special project needs, conducts on-site security assessments to help merchants maintain compliance with the Payment Card Industry Data Security Standard.
PCI DSS is a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by five global payment brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. It mandates standard operating procedures for merchants in the handling of cardholder data.
“Every business is notified to be compliant with PCI DSS standards today, not in the future,” said Miller, who is a certified information systems auditor (CISA) and qualified security assessor (QSA) at Vaco. “Businesses need to be PCI compliant to protect against and detect breaches and to provide information that’s admissible in court. If businesses aren’t up to that standard, they are cut off from taking payment cards.”
Fines can be costly for businesses in the event of personal information breaches. It doesn’t take much to steal hundreds, even thousands, of account numbers when they are electronic files that can be stored on pocket-sized hard drives.
Businesses whose computers are hacked, and which subsequently lose customer account information, can be charged for card replacement fees, fines and audits, to name a few of the costs. Merchants found to be at fault will have to pay the price not only financially but also in customer loyalty.
“If you are breached by hackers and found to be at fault, then you are required contractually to pay fines and implement annual QSA audits for 10 years or else you can’t do business with payment card companies like Visa or MasterCard,” Fracchia said.
The financial penalties add up on top of the negative publicity that follows a breach, Miller added.
“And, the consumer is going to charge you more than Visa,” she said.
There are hundreds of payment card processing companies, not all of which are known for their outstanding service. It can be a daunting task for small-business owners to find one that is reliable, efficient and secure.
“I get three or four calls per day from payment card processing companies wanting me to switch,” said Karen Lebovitz, owner of Otherlands Coffee Bar in Midtown. “You have to pay close attention to what they are saying. I would ask them to show me on the contract for what I’m held responsible. You could end up getting charged astronomical prices. That’s something you can’t afford when you’re selling coffee.”
According to Fracchia, “It’s all about technology and making it work. Our greatest asset is sensitive information, especially that of our customers. Breach of cardholder data is one of the greatest risks to businesses today.”