Cyber Pirates – Protecting Credit And Debit Card Information
Why are you in business? The answer is simple: to sell your goods and services to make money. That then begs the question, if your primary job is to sell goods and services, why do you care about credit and debit card security and compliance? After all, is it really a necessary business expense?
The Hammer to Motivate Compliance
There are two principal reasons why a business should concern itself with and incur the expenses related to payment card security and compliance. First, a business may incur fines for its failure to comply with the Payment Card Industry Data Security Standard or “PCI DSS” requirements. These requirements are designed to protect businesses and their customers against payment card theft and fraud. PCI DSS was created by five founding global payment brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. These are not a federally mandated set of rules; however, if a business accepts Visa, MasterCard, American Express and Discover credit and debit cards, then it must comply with the PCI rules.
Breaches in credit card security platforms result in sanctions being imposed by the respective credit card companies under the terms of their service agreements. Fines can be substantial. A business may also incur the cost of forensic audits performed to ascertain the cause of a security breach. Moreover, once a violation is discovered, credit card companies may turn the matter over to the Secret Service, which will shut down all credit card processing for the business until it is determined that the payment card system is secure and in compliance with PCI DSS. How many customers will a business lose if it cannot accept credit and debit cards?
Another reason to be concerned with breaches in security is to protect reputation, trust and brand loyalty. According to a study conducted by Ponemon Institute, LLC, in 2011, 81 percent of the respondents said a security breach of confidential consumer information would “affect the economic value of their organization’s reputation and brand image.” It was projected that it would take an average of almost one year to restore customer confidence. If that is not enough data, 43 percent of consumers who have been victimized by fraud avoid certain merchants where they believe their data could be compromised again. In the franchise industry, protecting the brand and mark of its company is paramount to a successful franchise system.
Why is the Franchise Industry Such a Target?
More than 20 billion credit card purchase transactions are made per year in the United States. This sheer volume of transactions provides a large window of opportunity for thieves to capture data, which then can be fraudulently turned into profit. Cyber felons also are finding it easier to target smaller merchants than larger institutions, because larger institutions have better security in place and more resources to protect their data.
The franchise industry is a prime target for cyber criminals. Franchisors strive for uniformity throughout their system. A system may be comprised of several small franchisees geographically dispersed that are targets for organized web-based attacks. Once a thief determines how to gain access to the payment card data of one franchisee, they have a roadmap to attack other franchisees across the system.
What Can I Do to Protect the Business?
What can be done to protect the franchisees and the franchise system? First, all businesses should have a “managed” firewall. A firewall is a defense system that blocks unauthorized access to a computer system or network. After all, if cyber criminals cannot gain access, they cannot retrieve payment card data. Because technology is always changing, having a third party manage the firewall helps to ensure that the firewall stays up to date, thereby protecting the business from constantly changing Internet threats.
The key to success is protecting payment card data as soon as it comes into the possession of the merchant. No solution is perfect. However, several options exist to minimize the exposure and help reduce the PCI DSS compliance burden.
A business first acquires credit and debit card information at the point of a sale. The card data is acquired and then transmitted to obtain payment authorization. The point-of-sale system can contain safeguards. This can be accomplished through end-to-end data encryption, which protects sensitive data from the point of capture through to the handoff of data to the payment processor. Protecting data in motion has helped foil many of the high-profile attacks of recent years. Data encryption is a proven technology that can be deployed and used effectively by merchants of any size.
Another protective measure is tokenization—a process whereby sensitive payment card data is replaced by randomly generated strings of characters that can be linked back to the original data only by an authorized party. By storing and using tokenized data in their back-end applications instead of real cardholder data, merchants remove sensitive data from their environments, thereby reducing the risks associated with a data breach, as well as the scope of their PCI audits.
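To make concrete what the two preceding paragraphs describe (encrypted card data handed to a processor, and a token returned to the merchant in place of the card number), the following is an added example, not code from the article or from any processor or tokenization vendor. It assumes a hypothetical `TokenVault` class standing in for the processor's token service, an HMAC-keyed index so the same card maps to the same multi-use token, a separate detokenization key that only the authorized party holds, and a `MerchantRecord` that shows what the merchant's own systems retain (token, last four digits, expiry, never the full card number). The card numbers are constructed, publicly known test values, not real accounts.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, the basic sanity check on a card number."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical stand-in for the token service a processor or vendor runs.

    The vault is the only place the real card number (PAN) lives; the merchant
    never sees anything but the token it hands back.
    """

    def __init__(self, index_key: bytes, detokenize_key: bytes):
        self._index_key = index_key        # keyed lookup so a PAN maps to one token
        self._detok_key = detokenize_key   # held only by the party allowed to reverse tokens
        self._by_token: dict[str, str] = {}   # token -> PAN
        self._by_index: dict[str, str] = {}   # HMAC(PAN) -> token

    def _index(self, pan: str) -> str:
        # Keyed HMAC rather than a plain hash: without the key, a thief cannot
        # precompute indexes for card numbers and match them against the table.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a multi-use token for the PAN, issuing a fresh random one if new."""
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        idx = self._index(pan)
        if idx in self._by_index:
            return self._by_index[idx]
        while True:
            # Random, not derived from the PAN: the token carries no card data.
            token = "tok_" + secrets.token_hex(16)
            if token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str, caller_key: bytes) -> str:
        """Reverse a token; only a caller presenting the detokenization key may do so."""
        if not hmac.compare_digest(caller_key, self._detok_key):
            raise PermissionError("caller not authorized to detokenize")
        return self._by_token[token]


@dataclass
class MerchantRecord:
    """What the merchant's back-end keeps after checkout: no full card number."""
    token: str
    last4: str
    expiry: str


def merchant_checkout(vault: TokenVault, pan: str, expiry: str) -> MerchantRecord:
    """Point-of-sale flow: hand the PAN to the vault once, keep only the token."""
    token = vault.tokenize(pan)
    return MerchantRecord(token=token, last4=pan[-4:], expiry=expiry)


if __name__ == "__main__":
    # Constructed test card numbers (industry test values, not real accounts).
    vault = TokenVault(index_key=b"vault-index-key", detokenize_key=b"processor-only-key")
    record = merchant_checkout(vault, "4111111111111111", "12/27")
    print(record)                                   # merchant-side data: token, last4, expiry
    print(vault.detokenize(record.token, b"processor-only-key"))
```

The design point is in the two keys: the index key makes the same card return the same token (so the merchant can still recognise a returning customer) without letting anyone without that key rebuild the mapping, and the detokenization key is what the article means by "an authorized party". A breach of the merchant's database yields tokens and last-four digits only, which is why the merchant's PCI DSS scope shrinks.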
The Future of Credit and Debit Card Security
With the ever-changing world of technology, the future of card security may be “EMV.” EMV stands for Europay, MasterCard and Visa, a new global standard for microchips embedded in credit and debit cards. It is claimed that EMV chip cards improve security against fraud, as compared to traditional magnetic stripe cards, by providing a better method at the point of sale to authenticate the transaction.
EMV implementation is approaching. In many countries, payment card networks are shifting the liability to merchants for fraudulent transactions; if the merchant’s point-of-sale system does not support the use of EMV, then the merchant is responsible for the fraudulent transaction. Visa, MasterCard, Discover Card and American Express announced last year that they will begin shifting liability to merchants in the United States beginning in 2015. This shifting of liability has already begun in Canada.
Back to the Basics for Safety
With all of this technology available to help prevent payment card attacks, businesses still should not forget the little things. For example, businesses should regularly change the administrative passwords on their point-of-sale systems, because hackers are always searching the web for easily guessable passwords. Also, businesses should verify that their point-of-sale systems use a PCI DSS-compliant application by checking with their vendors.
Franchisees and franchisors are faced with an ever-changing level of security threats. Franchisees and franchisors must always remember that as long as they are accepting payments in the form of debit and credit cards, they are accepting responsibility for security breaches.
Businesses should not wait for the fines and Secret Service agents to show up at their doorsteps. They should seek an approved vendor to assist in the process. This is an ongoing process, not a one-time fix. While it sounds complicated, this is why we all hire qualified professionals to demystify what we do not otherwise understand.
In the end, what is more important than protecting our brand and retaining our customers?
Gary M. Remer is a shareholder at Southfield, Mich.-based law firm Maddin, Hauser, Wartell, Roth & Heller, P.C. Remer specializes in franchise, taxation, employee benefits and corporate and business law. He can be reached at 248-827-1863 or email@example.com.