Encrypted Swipe: Another Link in Your Data Security Chain Link Fence
If TJ Maxx, Advance Auto Parts, Dave & Buster’s and Okemo Mountain Resort can experience serious POS credit card data security breaches, you just know that small business operations without an IT staff or a great deal of computer savvy are vulnerable. In fact, that’s the common link between a restaurant/microbrewery in California and a family-owned restaurant in Ohio. Both had credit card customer information exposed, stolen and misused.
These are not isolated cases. Merchants large and small have been victimized, and, in turn, have unintentionally victimized their own customers. And yet, all could have taken steps to protect their customers’ data – and their reputations – with the latest in encrypted swipe technology and other common-sense safeguards to bolster end-to-end security. They would have removed the threat of customer losses and potentially hefty fines for safety non-compliance.
The Scope of the Problem
Credit card compromise occurs when an unauthorized party takes advantage of a flaw in a system that processes, transmits or stores cardholder data. Level 4 merchants – those with the fewest annual credit card transactions – are at the greatest risk of compromise. And more than half of fraud cases involve merchants in the food service industry.
Think of POS data security as a chain link fence. There are multiple areas of vulnerability – an interloper might go over the top, or look for a weak spot, or crawl underneath. A data security compromise is much the same. The crime can occur at any point in the transaction process – from point of service to back-end processor – but 71 percent of the time it takes place at the hardware POS terminal. Right there on the counter of the store or restaurant.
From packet sniffing software to malware on store servers to crooked employees, there is a whole range of threats to merchant transaction security. The smaller merchant is at enhanced risk because of factors ranging from improper installation or the use of older software to a lack of computer security sophistication. Whatever the cause, the mom-and-pops can be subject to outrageous fines passed down from the card company to processor to retailer.
As an example, the card processor passed its $27,000 fine for the breach at the California restaurant/microbrewery to the merchant – a dollar sum that equaled five days’ sales of food and beer (Wall Street Journal, 9/22/07, “In Data Leaks, Culprits Often Are Mom, Pop”).
Often, the problem is system installation that disregards Payment Application Data Security Standard (PA-DSS) protocol. The improperly installed software package might be storing track data – a security no-no – that’s later illegally accessed. For instance, the California restaurant/microbrewery was discovered to have inadvertently stored account data on nearly 12,000 customers. That’s not as shocking as it sounds. A recent survey by VISA and the National Federation of Independent Business found that 52 percent of businesses with fewer than 250 employees were storing such sensitive data as credit card customer names, account numbers, expiration dates and security codes.
The Case for Encrypted Swipe
While full Payment Card Industry Data Security Standard compliance is an excellent start, it’s not enough. A lock on the gate does little good if a section of chain link is knocked down a few feet away. The PCI standard mandates that credit card data must be encrypted when stored or being transmitted, but the information can still sit unencrypted within the merchant’s private network, at the card reader, while awaiting authorization.
With encrypted swipe, the data on the card’s magnetic stripe is never available to prying eyes. The user is offered end-to-end protection, from point of swipe to point of acceptance. MagTek, a leading provider of encryption technology, has partnered with Payment Processing, Inc., to offer data encryption in a POS terminal bundle. The result of such seeming redundancy is a system so protected, the cyber-criminal will be more prone to look for easier pickings. Why climb the chain link fence with razor wire at the top when you don’t have to?
Simple Steps to Safety
When used in conjunction with encrypted swipe technology, these steps will help your customers ensure the safest possible POS environment:
- Make sure the POS system is PA-DSS compliant. The Payment Application Data Security Standard is endorsed by the five major payment card brands to ensure that payment applications don’t store sensitive card data and don’t have flaws that draw hacker attacks. Learn more about compliance at www.pcisecuritystandards.org.
- Make sure the software is installed in a PA-DSS compliant environment.
- Select a trusted payment processing partner. The company providing the retailer’s merchant account should be listed as PCI compliant.
- Consider taking the extra precautionary step of signing up with a Qualified Scanning Vendor (QSV). These security experts will analyze your POS system, subjecting it to every feasible attack vector. If the application can be breached, the QSV will breach it. Based on the findings, the QSV will help bring the application into compliance with Payment Card Industry Data Security Standards.
Build Your Fence
No system is foolproof, and the most difficult challenges often become the targets of the most determined hackers. But if you can easily and inexpensively install a POS solution that acts as a very high chain link fence – and is installed in collaboration with other security features to protect customer credit cards – only one question remains.
Why wouldn’t you?

