March 20, 2019
Counterfeit payment cards, stolen payment cards, use of an assumed identity to complete a credit card application… these are easily recognizable examples of payment card fraud. When a fraud incident occurs in the retail setting, it’s often contained with only small losses occurring to the merchant involved.
But what happens when a payment card data breach occurs at that same business? Are its causes and consequences basically the same?
I ask because ControlScan and MAC just released our 2019 SMB Payment Security research report, and a key finding was that small and mid-sized businesses (SMBs) do not understand the important differences between data breach and payment card fraud.
A data breach typically involves the extraction of secure, private or personally identifiable information from a business’s possession. For the purposes of this post, I’m only going to be talking about payment card data breaches, but any customer- or employee-related information—even a contact name, address and phone number—puts the individual at risk and is of use to cybercriminals. Other types of data that are targeted are usernames, passwords, email addresses, social security numbers—basically anything about anyone.
Our survey results show that many SMBs do not understand the complexity involved in protecting their customers’ credit card data. One issue we uncovered is that many SMBs still believe not storing credit card data is all they have to do to avoid a payment card data breach. “I do not store card data” is a phrase used repeatedly, but the reality is that many breaches occur while data is in transit from point A to point B.
Of the more than 6,500 respondents to our survey, 28% said they feel their business should not be subject to the PCI DSS, which is in place for the sole purpose of payment card data security. When asked why the PCI DSS should not apply to them, some common answers were “we only accept cards in person” and “we know our customers.” While these are helpful for fraud prevention, they are in no way applicable to data breach prevention.
While fraud usually impacts a specific payment transaction and stops there, breach risk is broader, more devastating, and affects every one of the business’s customers. In the case of a breach, all customers must be informed of the incident and this can negatively impact overall perception of the business, causing long-term harm. Plus, a breach has more significant monetary implications. In addition to lost business and a damaged reputation, the merchant can be subject to fines and lawsuits.
Another recent study referenced in our report, the RSA Data Privacy & Security Survey 2019, explored how consumers feel about businesses where their personal data has been compromised. The RSA survey found that 57% would blame the breached business itself for the incident. These types of findings should worry even the smallest of businesses, yet this concern was low in our overall respondent base, and even lower when looking at respondents who don’t think PCI compliance applies to them.
SMBs must protect their business by paying attention to data security, but our payment security survey results show more awareness-building and education is needed. Merchant service providers (MSPs) and others in the payments industry should equip their merchant-facing staff with the necessary knowledge and talking points to help SMBs understand payment security and their role in the process.
The 2019 SMB Payment Security research report contains important data points and valuable research that payments industry stakeholders can use when working with SMBs.