Small Merchants at Increased Risk of Data Theft
The largest-scale hacker attacks on customer data make big headlines, but they account for a small percentage of such breaches. The great majority of these attacks actually target small retailers. In fact, 80% of hacker attacks on retailers target the estimated 5 million small to mid-sized retailers in the U.S., leaving only a small percentage aimed at the fewer than 2,000 merchants that process between one and six million credit or debit transactions per year.
That’s according to the PCI Security Standards Council, a global forum made up of the largest credit card companies that oversees data security compliance. However, the majority of this group’s scrutiny still falls on a small number of very large retailers, which has allowed the exponentially larger group of small merchants to slip under the compliance radar.
Though small retailers are less visible in the public eye than their big-box counterparts, security breaches are just as devastating to them. Reimbursements for cardholder losses, costs associated with notifying affected customers, and stiff penalties imposed by card brands that can add up to $500,000 can be massively destructive to a small merchant’s bottom line. Most of these retailers are aware of this risk, but remain susceptible to attacks because they lack the time, capital, or technical acumen to implement secure systems.
Customers whose personal information is compromised are unwilling to accept these as valid excuses for not protecting their privacy, so smart retailers of all sizes should take data security seriously. Luckily, advances in securing customer data are making it easier to implement and within reach of retailers of any size. Tokenization and point-to-point encryption (P2PE) are two methods of improving POS security that are available to these retailers.
Tokenization works by replacing cardholder information with a random string of characters called a token during a transaction. The card data itself is never stored on the merchant-level POS system and therefore cannot be stolen by an attack against the retailer’s database. P2PE adds an additional level of security by encrypting card data at the point of entry, inside the payment device, so that it never appears in clear text in the POS system’s memory. This keeps the information outside the reach of stealth spyware that may be running on the POS system itself. Both tokenization and P2PE comply with PCI DSS requirements.
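The following is an added illustration of the tokenization model described above; it is not code from the original article or from any particular POS or payment vendor. The `TokenVault` class stands in for the provider-side tokenization service (the merchant never holds that mapping), `MerchantPOS` stands in for the retailer’s system, and `4111111111111111` is a standard test card number used as constructed sample input. The point it demonstrates is that an export of the merchant’s transaction records contains no card numbers at all, so a database breach at the retailer yields nothing usable.

```python
import json
import re
import secrets

# Matches a 13-19 digit run standing on its own, i.e. a PAN-shaped value.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used only to reject malformed card numbers up front."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical stand-in for the payment provider's tokenization service.

    The token-to-PAN mapping lives here, outside the merchant's environment.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("malformed card number")
        # Random, not derived from the PAN: the same card gets a fresh token
        # each time, so tokens cannot be correlated or reversed offline.
        token = "tok_" + secrets.token_hex(16)
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        # Only the provider can do this; the merchant never calls it.
        return self._token_to_pan[token]


class MerchantPOS:
    """Hypothetical merchant system that stores tokens, never card numbers."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.transactions: list[dict[str, str]] = []

    def charge(self, pan: str, amount: str) -> str:
        token = self.vault.tokenize(pan)
        # Last four digits are kept for receipts; they are not a usable PAN.
        self.transactions.append(
            {"token": token, "last4": pan[-4:], "amount": amount}
        )
        return token


def pan_leaks(records: list[dict[str, str]]) -> list[str]:
    """Scan an exported record set the way a breach reviewer would and
    return every PAN-shaped value found."""
    return PAN_RE.findall(json.dumps(records))


if __name__ == "__main__":
    vault = TokenVault()
    pos = MerchantPOS(vault)
    pos.charge("4111111111111111", "12.50")   # constructed test PAN
    print("merchant records:", pos.transactions)
    print("PANs recoverable from merchant export:", pan_leaks(pos.transactions))
```

Run as-is, the merchant export holds only the token, the last four digits and the amount, and `pan_leaks` finds nothing. Swapping the record to store the raw PAN instead makes the same scan flag it immediately, which is the difference a tokenized POS buys the merchant.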
Retailers are ultimately responsible for securing customer data, but the POS provider is a vital partner in this pursuit and can implement tokenization and P2PE technology. Working with POS vendors that demonstrate an allegiance and responsibility to their merchants over a particular bank or processing company ensures the most technically and cost-effective solution is implemented. Further, POS vendors that deal exclusively with PCI-compliant credit processing companies add an extra layer of security.
Keeping hackers at bay requires remaining on the forefront of innovation as well as taking proactive steps to secure networks, websites, ports and passwords. The partnership between POS provider and merchant is a key element of keeping security one step ahead of hackers.