How You Can Help Protect Your SMB Retail Customers From Cyberattack
By Cheryl Knight, contributing writer
With the increasing number of credit card breaches and the hacking of user information at businesses around the world, cybercriminals are becoming more sophisticated in their attacks. High-profile attacks on large corporations seem to happen regularly. But attacks on SMBs happen just as often.
Typically, the criminals gain access to an individual or company computer via malware. Often, computer users remain unaware that a machine or device has even been hacked, and they don’t find out until it’s too late — after the loss of sensitive data or after files are encrypted and other machines in the office are infected.
Cybercriminals use a variety of ways to deliver malware. Botnets are formed by infecting one computer, which cybercriminals can then use to spam other users, steal company data, or even stage attacks on other sites. And as more and more computers become infected, the botnet grows, making the problem worse. Social engineering is also a method used by cybercriminals — manipulating users into giving up their passwords, installing a file that gives the attackers access to a computer, or giving up critical information, such as credit card information. Another tactic is using vulnerability exploits to take advantage of security holes in a computer’s software. Often, this is used on machines that run old, unpatched software — which creates opportunities for exploitation by cybercriminals.
Business Solutions asked several payment processing vendors to identify, based on their experience, common payment-security weak spots among retailers.
Shelley Plomske, vice president of product, Total Merchant Services, says retailers should “limit access to Wi-Fi networks, password-protect point of sale equipment, and try to limit credit card data moving through the system by using encryption and tokenization technology.” She stresses, “Even small retailers need to be diligent about security.”
Steve Rizzuto, president, commercial services division, Transfirst, stresses that awareness among your customers and their employees is crucial. “Each time a major breach is reported the awareness level peaks and then subsides.” He adds that the VAR who can help educate their customers on payment security topics strengthens their customer relationships by further expanding their trusted advisor role.
Jon Brandon, vice president of channel sales at Harbortouch, believes another weak spot is lack of PCI (Payment Card Industry) compliance. “Many merchants assume that if their payment processor or terminal is compliant, then they are automatically compliant as well. However, that is not the case. There are many steps that a merchant must take on their own to ensure their ongoing compliance with the PCI standards,” says Brandon. He lists some of these best practices:
- Never store full credit card numbers in plain text
- Complete a PCI Self-Assessment Questionnaire on a regular basis
- Utilize SSL security protocol websites for any e-commerce transactions
- Do not log the PIN numbers entered by customers for debit transactions
- Always maintain secure procedures for loading encryption keys onto payment terminals
Brad Cyprus, Retail Solutions Providers Association PCI/Data Security Committee Chair, says, “No one solution is capable of preventing all malware, but there are numerous safe computing practices which should be in place whenever credit cards are accepted in a POS environment.” He says four keys to protecting your customers from cyberattack are:
- Installing anti-malware software
- Reducing connection points to the Internet to only those that are necessary
- Updating the company’s firewall policies to limit data
- Considering placing limitations on software that can be uploaded to a company computer