High-tech hackers capable of breaking into sophisticated networks may be what many small-business owners envision when hearing about data-security risks. In their minds, such breaches are more likely to plague a corporate retail giant than a small, family-run shop.
But in many cases, attacks can be as low-tech as a dishonest cashier jotting down a few credit card numbers and stuffing them in his pocket. And with the myriad ways fraud can affect companies, achieving 100% compliance with Payment Card Industry data-security standards among the more than 5 million small U.S. merchants can be daunting for ISOs and acquirers.
Small businesses often do not realize they are just as much at risk as large retailers are, if not more, because of gaps in merchant-security education. Indeed, a merchant’s relationship with its employees may be a bigger factor in securing data than the one between the merchant and its ISO, experts say.
One of the most common issues small merchants face is how to safeguard themselves from being hit by a breach, says Larry Cohn, president of Service First Financial Inc., a merchant services company based in Menlo Park, Calif. Cohn ran small businesses before co-founding U.S. Merchant Systems. He is now chairman of the Fremont, Calif.-based ISO.
Often criminals are individuals known to the small business’ owners, Cohn says. “A lot of time the crime comes from within,” he says. “I’ve seen merchants get shut down because of an employee because they were a center for fraud. Really, it was one employee who destroyed their business.”
Small merchants generally believe that by processing fewer and smaller transactions, they are less attractive to fraudsters and, as a result, less of a target for attackers. Yet 96% of merchants targeted by hackers in 2010 were classified as Level 4, according to the December Visa Inc. report “Franchise Data Compromise Trends and Cardholder Security Best Practices.”
Merchant-Employee Relationship
Often, small-business owners do not want to believe that their own employees could be up to no good. “None of the customers admit that they have a problem with their employees, or that their employees steal,” says Fadi Cheikha, CEO of Electronic Cash Systems Inc., an ISO based in Rancho Santa Margarita, Calif.
Cheikha believes that about 60% of credit card fraud globally involves merchants’ businesses. Of that fraud, half results from the employees who work for those businesses.
Generally, the type of employees who are going to rip off their employer by pocketing merchandise and sneaking free meals also are likely to be the ones who will steal cardholder information, Cohn says.
One of the most prevalent forms of fraud today is skimming. The technique most commonly occurs in restaurants, when workers swipe a customer’s credit card through a pocket-size device to obtain the account information from the magnetic stripe. Some workers also might photocopy customer payment slips to secure such information, though most slips today do not contain sufficient data to create counterfeit cards.
Other low-level fraudsters may resort to simply writing down card numbers or inviting their friends to come by and join in obtaining the information. That is why ISOs are taking extra measures to educate merchants on how these low-tech tactics are still the predominant methods used to commit fraud.
“Whatever an employer can do to reduce the scope of who has access to credit card details, the better off they are,” says Robert Bertke, senior vice president of product management for Sage Payment Solutions, a processor based in McLean, Va.
That is not to say that all employees are devious. “Most employees are honest,” Cohn says. “It’s just the one or two bad guys who make them look bad. One employee with a friend can screw up their business.”
Look for an expanded version of this article in the March ISO&Agent magazine, arriving shortly.





