Black Friday is a few days away, the holiday shopping season will soon be in full swing, and retail sales reports will be read like tea leaves for signs that the recession will soon be just a bad memory. But as transaction numbers climb, so do data breach risks – particularly among smaller merchants who are typically unprepared to fight data thieves.
At the Visa Security Summit earlier this year, industry experts agreed that hackers now have small and midsize businesses in their sights for a purely opportunistic reason: the smaller guys are easier targets these days. It’s much harder to crack mega-enterprises that have dug deep into their IT budgets to defend their networks against rootkits, keyloggers, packet sniffers and all the other tools of the hacking trade.
SMBs, as a rule, have done little to protect themselves. Panelists at the same summit cited various studies indicating that nearly 20% of small businesses don’t even use antivirus software; 60% fail to encrypt their wireless links; and just 60% of Level 3 merchants have complied with the Payment Card Industry’s Data Security Standard (PCI DSS). Level 4 merchants – the smaller mom-and-pop types – are believed to lag far behind on compliance numbers.
On the PCI DSS front, part of the blame lies with the misconception that becoming compliant is as painful as having a root canal. Surveys show that 86% of small retailers are aware of the standard and 88% place a priority on data security, but the prospect of jumping through PCI’s hoops stops them cold. That’s because, so far, the industry has done a relatively poor job of getting them the help they need. Merchants whose computer knowledge stops at booting up literally don’t know where to turn.
The truth is that most merchants can fill the PCI bill with little trouble if they have someone with PCI knowledge who can walk them through the Self-Assessment Questionnaire (SAQ) and help them remediate any shortcomings in their security procedures. For all of the bellyaching about supposed complexity, PCI DSS is really nothing more than a set of basic rules that should be part of any business’ security program. And for all of the complaints about added expense, PCI fees are just a cost of doing business in today’s wired world – much like installing security alarms, paying a property lease, or building and hosting websites.
Whether or not hackers think it’s worth their time and effort to purloin credit card data from smaller merchants remains to be seen, but this holiday season may be the most revealing test yet of the theory that neighborhood grocery stores, boutiques and dry cleaners are next in line. With 24 million Level 4 merchants around the world, the cumulative damage could easily exceed that of the widely publicized mega-data breaches. Happy holidays? Bah, humbug!
Posted on November 23, 2009 by Wenlock Free