Small Merchants Still Learning The PCI Ropes

Protecting customer credit card data was not on the priority list for P.J. Jacokes when he started his own business three years ago.

With a background in theater and comedy, Jacokes conceptualized what it would take to make customers laugh when he opened the Go Comedy! Improv Theater in Ferndale, Mich. But he did not know anything about Payment Card Industry Data Security Standard compliance, its validation process or, worse, the potential financial devastation resulting from a data-security breach.

“Just learning that (a credit card security standard) was out there was an awakening to me, particularly when being compliant not only protects you but can get you better rates on your credit card fees,” Jacokes tells PaymentsSource.

Visa Inc. labels Jacokes’ operation a Level 4 merchant, meaning a business that processes fewer than 1 million Visa transactions annually, fewer than 20,000 of them online.

That label puts him among millions of other small merchants that credit card data thieves target because they tend not to protect their point-of-sale and backroom payment systems, experts say.

Jacokes cannot change his Level 4 status without growing his company, but he can declare his club’s credit card data safer since adopting TrustKeeper about 18 months ago. TrustKeeper is a data-security Web portal offered by Trustwave, a Chicago-based data-security and compliance-service provider.

“I am not a credit card fraud expert, so I don’t deal with monitoring it every day. But the data-security system does that for me,” Jacokes says. “I have not had a fraud issue yet, but the system alerts me when it is time to do another scan of the system” to ensure data are not exposed and the network has not been compromised, he says.

Most small businesses have little knowledge of data security, and they have even less understanding about the potential harm that could come if either of two common forms of credit card data are exposed, Doug Klotina, Trustwave executive vice president of payment services and channel partners, tells PaymentsSource.

TrustKeeper checks the merchant point-of-sale terminal to determine whether it is holding cardholder or track data from the magnetic stripe on the back of a credit card, Klotina says.

“If the most dangerous thing is to store cardholder data in your payment system, then the nuclear version is holding the track data,” Klotina says. “If the cardholder data are stolen, someone could use the card for online purchases. If the track data are stolen, someone could create fraudulent credit cards.”
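The distinction Klotina draws, stored cardholder data versus stored track data, is what a scanner of the kind described above has to make. The following is an added example, not TrustKeeper’s or Trustwave’s code: it runs over a constructed set of lines imitating a POS log, flags Luhn-valid card numbers, and separately flags Track 1 and Track 2 patterns, masking every number it reports.

```python
import re
from typing import List, Tuple

# Constructed sample lines imitating what a POS system might leave in a log or
# transaction file. The card numbers are well-known public test numbers, not
# real accounts; the last two lines are a Luhn-invalid number and a clean line.
SAMPLE_LINES = [
    "2011-10-04 12:31:07 sale ok auth=012345 pan=4111111111111111 exp=1214",
    "%B4111111111111111^DOE/JOHN^12141011000000000000?",
    ";5500000000000004=12141011234567890?",
    "order 8812 card 1234567890123456 declined",
    "order 8813 tip 5.00 total 47.50",
]

# Track 1: %B<PAN>^<NAME>^<YYMM>...?   Track 2: ;<PAN>=<YYMM>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?]*\?")
# Bare PAN: a 13-19 digit run not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out order numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify_line(line: str) -> List[Tuple[str, str]]:
    """Return (kind, pan) findings; track data outranks a bare PAN on the same line."""
    findings = []
    for rx, label in ((TRACK1_RE, "track1"), (TRACK2_RE, "track2")):
        findings += [(label, m.group(1)) for m in rx.finditer(line) if luhn_valid(m.group(1))]
    if not findings:
        findings += [("pan", m.group(1)) for m in PAN_RE.finditer(line) if luhn_valid(m.group(1))]
    return findings

def mask(pan: str) -> str:
    """Keep only first six and last four digits so the report itself is not cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan lines and report (line number, kind, masked PAN) for each finding."""
    return [(n, kind, mask(pan)) for n, line in enumerate(lines, 1) for kind, pan in classify_line(line)]

if __name__ == "__main__":
    for n, kind, masked in scan(SAMPLE_LINES):
        print(f"line {n}: {kind} {masked}")
```

The report separates the "nuclear" case (track data) from plain cardholder data, so a merchant can tell whether a finding means card-not-present fraud exposure or cloned-card exposure.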

Indeed, education about data-security standards compliance is critical because meeting standards can seem daunting to someone who owns a small business, David Aboucher, senior director of product management and development at ControlScan Inc., an Alpharetta, Ga.-based compliance-services provider, tells PaymentsSource.

“Level 4 merchants generally do not have a complex payment environment, making compliance a little easier,” says Aboucher, whose company services small and midsize merchants (see story).

Merchants should ask themselves whether they truly need to store card data and, if so, whether they are doing so in a compliant manner and whether they should turn to industry experts for help, Steve Robb, ControlScan vice president of operations, tells PaymentsSource.

“There really is no reason for a small business to keep that data locally” when off-site vendors can store it safely, Robb contends.

Christopher Justice, CEO of Frisco, Texas-based Century Payments Inc., which provides payment-processing services to 24,000 Level 4 merchants, contends small-business owners require the same fraud protections that major corporations have.

“Most of these businesses find it insulting to be called small because there is nothing small about spending nearly every dime you have to do the biggest thing in your life in opening your own business,” Justice tells PaymentsSource. “But they generally are not technology experts and don’t understand all of the aspects of their point-of-sale systems.”

A study report Trustwave released in August suggests the majority of data-security breaches occur at Level 4 merchants (see story).

Because the primary method of stealing credit card information is through a merchant’s payment network, a fraud-detection system can alert the merchant when data are vulnerable or when an unauthorized person is trying to hack into its network, Klotina says.

Securing credit card data has attracted more attention the past few years because of major breaches, but many merchants have only scratched the surface regarding standards compliance and awareness, Klotina says.

Because Trustwave has 1.9 million TrustKeeper subscribers, and ControlScan’s independent sales organizations and acquirers serve 750,000 merchants, Klotina believes many more merchants could benefit from being educated about security compliance.

“There are 30 million Level 4 merchants worldwide and 5.5 million in the U.S.,” Klotina says. “We’re just at the start of something; this is not a mature market yet.”

Century Payments has not experienced a security breach among its customers, but security measures still must become part of an ongoing business model, Justice contends.

“It’s a question of when, not if, a breach will occur,” Justice adds. “As the security technology improves, the hacker technology improves. Security is a voyage without a destination because you will always be adding layers, and there is no silver bullet today.”

Small businesses should understand that an international crime network often is involved when credit card data are stolen, and it always is working to find the weakest links in a system, Julie Conroy McNelley, senior risk and fraud analyst at Boston-based Aite Consulting Group, tells PaymentsSource.

“It doesn’t matter to the criminal if it is a corporate account takeover or a Level 4 merchant, and I don’t think merchants are cognizant of the threat of cyber crime through [malicious software],” McNelley says.

Jacokes realizes he used to be in that “not cognizant” category.

“I definitely own a smaller company, and it was a shock to learn that the smaller companies get targeted more,” he says. “You kind of figure that (data thieves) wouldn’t care about a smaller company, but that was a real wake-up call.”
