As it turns out, credit card security is not something the tech industry has completely figured out. We have all heard about the stolen data and credit card numbers at Target, Neiman Marcus, and most recently Home Depot. Credit card breaches affected over 70 million customers.
What is less well known is how this breach actually happened. The answer: spyware caused the data breaches. In fact, the same malware caused both the Target and Home Depot breaches.
Most people think of viruses and malware these days as just causing popups and slowing down computers. But they can do anything. In this case, malware programs such as Backoff, BlackPOS, and Kaptoxa are designed to steal credit card data. Computers infected with this malware read the credit cards as they’re being swiped and send the customer’s info to the malware owners. These people then sell it on the black market. This leads directly to huge amounts of credit card fraud.
[box] Malware is responsible for data and credit card breaches. Small businesses are just as susceptible to this problem as large businesses. If your business swipes credit cards, take steps to protect your customers and your reputation.[/box]
Small businesses are also susceptible to credit card fraud
Don’t think that hackers are specifically targeting the Targets of the world because they get a bigger payoff. It costs them nothing to infect small businesses, so they do. In fact, the Secret Service is reporting that more than 1,000 American businesses were infected by the same malware that got Target, and that report was released a month ago. Given the typical growth patterns for viruses, I’m sure you can imagine what that number is today.
So if you accept credit cards from your customers, consider yourself a target and take steps to protect yourself.
5 steps you can take to help secure your company from similar data breaches
Protect Against Malware
These days, there are so many ways to infect a computer. You need a multi-layered approach to malware protection. First, start with endpoint protection. This should include antivirus and anti-spyware software on all computers. Second, protect your entire network by using a content filter that scans all traffic in and out of the network for malware.
Isolate Financial Computers –
Ideally, Point of Sale computers will never need to get onto the general internet. They will need to contact your credit card company, your PoS software company, and that’s it. If this is the case, you can create special firewall rules that block all traffic from PoS computers that isn’t going to one of those two destinations. That way, even if your PoS computers do get infected, they can’t phone home with the stolen credit card data.
Network Security Best Practices
No matter what business you are in, your company should be following general network security best practices. Your IT support provider should be doing regular checks to ensure all of your computers, remote computers, networking equipment, and public-facing services are configured optimally for security. (And they should be doing this as part of their service, even if you aren’t asking for it.)
Upgrade PoS devices
Magnetic strips on credit cards have inherent security flaws. Anyone can read a magnetic strip, save that data, and sell it on the black market. And anyone who buys that data can create fake credit cards. Credit card fraud is widespread, but the credit card industry is moving quickly to put smart chips in all credit cards. These chips have their own security flaws, but one of the big advantages is that they are very difficult to duplicate. So even if thieves steal the data from the cards, it won’t do the thieves any good because they can’t use it. As of October 2015, the credit card industry has mandated that all businesses must upgrade their PoS machines and card swipes. Do this sooner than later to protect your customers. As an added incentive, if you haven’t upgraded and someone’s card data is stolen from you, they will place all of the liability on you for not upgrading.
Get a PCI-DSS Audit
Hire a company to come in and perform an audit to make sure you are PCI compliant. (PCI-DSS stands for Payment Card Industry Data Security Standard.) They will go through your setup and make sure you are compliant with a minimum set of security standards and that you are handling customer’s data securely. But this is a minimum standard; both Target and Home Depot were PCI compliant. Think of this audit as table stakes to play the credit card game, not as a panacea to fix all security problems.
Credit card security is an issue your company must address. For help securing your network to minimize any risk of you being the next Target, please give us a call. We would be happy to discuss how Strive Technology Consulting can help you avoid credit card breaches within your company.