Small Merchant Data Security: Helping Them Help Themselves

Thursday, May 17, 2012

Stacey Holleran


Data Security and the Small Merchant: Helping Them to Help Themselves

Small business owners have a variety of operational issues to consider as they work to make a living doing what they love.

Some of these considerations include investment capital, inventory/production logistics and business marketing.

When a business owner chooses to accept credit cards as a form of payment for their goods and/or services, another layer of operational complexity is added.

Many small merchants—whether selling online or brick-and-mortar, or both—don’t have the technological background to understand the steps necessary for protecting the cardholder information and other sensitive data that passes through (and may be stored in) their business systems.

What’s more, the annual ControlScan Level 4 Merchant Study has consistently found that not only are small merchants unaware of their vulnerability to attack, they are complacent about the impact a data breach can have on their business.

Even the smallest data breach can have a business-ending result for the average merchant:

  • Costly Fines – In 2011, more than 95% of the merchants experiencing a data breach had not complied with the Payment Card Industry Data Security Standard (PCI DSS); when not compliant, the breached merchant is often subject to fines from its payment card brand and/or acquiring bank.
  • Recovery-Related Costs – Merchants’ direct costs associated with recovering from a security breach average $194 per stolen record. Given that the typical breach involves tens of thousands of records, the results can be catastrophic to the business.
  • Brand/Reputation Damage – If the fines and costs related to the breach aren’t enough to topple the business, the loss of consumer trust could be the catalyst. Currently only public companies are required by law to report breaches; however, this requirement may expand to private businesses in the near future.

According to Verizon’s 2012 Data Breach Investigations Report, which examined 855 incidents affecting 174 million compromised records, “96% of attacks were not highly difficult” and “97% of breaches were avoidable through simple or intermediate controls.”

These findings indicate that small merchants’ systems are actually the most vulnerable to attack because, according to Verizon, “target selection is based more on opportunity than on choice.”

The Service-Based Approach

No merchant wants to be compromised by a hacker, yet lack of proper concern and awareness can prevent proactive approaches from being taken. For the small merchant, then, data security is a matter of ongoing education as well as thoughtful dialogue that helps them help themselves.

Security companies that expressly take this approach with small merchants will help them find ways to cost-effectively lock down their business systems according to their operational model and constraints.

Small merchant data security cannot be approached as a one-size-fits-all solution; however, there are data security best practices that small merchants with limited resources can and should undertake. In order to get started, though, the merchant must recognize the fundamental relationship between data security and the sustainability of their business.

Once the merchant makes security a priority, any operational shortfalls can be identified and successfully addressed with the appropriate level of outside assistance.

Stacey Holleran is a Sr. Public Relations Manager for ControlScan, a provider of Payment Card Industry (PCI) Compliance and Security services headquartered in Atlanta, Georgia.
