Many small businesses rely on merchant processing systems and Point-of-Sale (POS) machines to process their customers’ credit card payments.
However, a new report by Verizon, the U.S. Secret Service, and other international investigative organizations shows that POS systems used by small businesses are often unsecured and in danger of being hacked.
The 2012 Data Breach Investigations Report provides the following statistics about overall data breaches in the past year:
Who is Behind Data Breaches?
- 98% stemmed from external agents (+6% from the previous year)
- 58% of all data theft tied to activist groups
- 4% implicated internal employees (-13%)
- <1% committed by business partners
How Do Breaches Occur?
- 81% utilized some form of hacking (+31%)
- 69% incorporated malware (+20%)
- 10% involved physical attacks (-19%)
- 7% employed social tactics (-4%)
- 5% resulted from privilege misuse (-12%)
What Commonalities Exist?
- 97% of breaches were avoidable through simple or intermediate controls (+1%)
- 96% of attacks were not highly difficult
- 96% of victims subject to security protocols implemented by the four major credit card companies had not achieved compliance (+7%)
- 94% of all compromised data involved servers (+18%)
- 92% of incidents were discovered by a third party (+6%)
- 85% of breaches took weeks or more to discover (+6%)
- 79% of victims were targets of opportunity (-4%)
Small Businesses Frequently Targeted
According to the data, food and beverage, retail, and hospitality services combined to account for the vast majority of reported attacks.
- Accommodation and Food Services: 54%
- Retail Trade: 20%
- Finance and Insurance: 10%
- Health Care and Social Assistance: 7%
- Information: 3%
- Other: 6%
Small businesses were targeted mainly because they often neglect simple preventative data-security measures, such as changing their default POS passwords. Changing those defaults would stop hackers from succeeding with programs that automatically try lists of common passwords.
Point-of-Sale Security Tips
For small businesses that use POS machines, Verizon has provided tips for avoiding security breaches and data theft.
Taken from page 62 of Verizon’s 2012 Data Breach Investigations Report:
Below you’ll find a few tips based on Verizon’s research into thousands of security breaches affecting companies like yours that use point-of-sale (POS) systems to process customer payments. If none of it makes sense to you, please pass it on to management.
1. Change administrative passwords on all POS systems. Hackers are scanning the Internet for easily guessable passwords.
2. Implement a firewall or access control list on remote access/administration services. If hackers can’t reach your systems, they can’t easily steal from them.
After that, you may also wish to consider these:
3. Avoid using POS systems to browse the web (or anything else on the Internet for that matter).
4. Make sure your POS is a PCI DSS compliant application (ask your vendor).
If a third-party vendor looks after your POS systems, we recommend asking them to confirm that these things have been done. If possible, obtain documentation. Following these simple practices will save a lot of wasted money, time, and other troubles for your business and your customers.
For more information, visit www.verizon.com/enterprise/databreach (but not from your POS).
More Data Security Tips
In addition to the POS tips above, we also want to suggest the following for every small business that processes credit card payments:
5. Use password management software like LastPass to generate secure passwords.
- If you’re not already, we recommend using services like LastPass to manage your passwords. These services are great because they store all of your online passwords in one secure place that is only accessible by you (or anyone with your master password). This method allows you to avoid storing passwords in your browsers. If you’re having trouble coming up with a password that you think would be secure enough to use, LastPass can generate ready-to-use secure passwords for you.
6. Investigate and mitigate.
- It’s always a good idea to monitor your POS system constantly for any abnormal activity that may indicate you are being hacked, such as the presence of malware or records of unidentified logins. Taking preventative measures will only help you in the long run.
- Most small businesses don’t find out they’ve been hacked until at least weeks after the attack has occurred. When you discover you’ve been hacked, notify your customers of the breach and the steps you’re taking to fix the problem as soon as possible, to avoid negative publicity or loss of business. A small business’s reputation is everything, so make sure your customers believe you’re looking out for their interests and are not part of the problem yourself.
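Tips 1, 2 and 6 above come down to two things a small business can actually watch for: password-guessing against the POS remote-administration service, and logins from anyone other than the vendor who is supposed to be maintaining it. The script below is an added example written for this article; it is not code from Verizon’s report or from any POS product. It assumes a hypothetical syslog-style login record format (`remoteadmin: FAILED|ACCEPTED login user=… from=…`), a constructed sample log, a made-up vendor allowlist, and a threshold of five failed logins within five minutes. Run against your own POS or remote-access logs you would only need to adjust the regular expression and the allowlist.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): remote-administration logins to a
# hypothetical POS host "pos-01". The first block shows five rapid failures
# followed by a success; the last line is an accepted login from an address
# that is not the vendor's.
SAMPLE_LOG = """\
2012-05-01T02:14:03 pos-01 remoteadmin: FAILED login user=admin from=203.0.113.7
2012-05-01T02:14:04 pos-01 remoteadmin: FAILED login user=admin from=203.0.113.7
2012-05-01T02:14:05 pos-01 remoteadmin: FAILED login user=admin from=203.0.113.7
2012-05-01T02:14:06 pos-01 remoteadmin: FAILED login user=admin from=203.0.113.7
2012-05-01T02:14:07 pos-01 remoteadmin: FAILED login user=admin from=203.0.113.7
2012-05-01T02:14:09 pos-01 remoteadmin: ACCEPTED login user=admin from=203.0.113.7
2012-05-01T09:30:00 pos-01 remoteadmin: ACCEPTED login user=vendor from=198.51.100.20
2012-05-01T23:55:41 pos-01 remoteadmin: ACCEPTED login user=admin from=192.0.2.55
"""

# Hypothetical record format; adjust this pattern to match your own logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) remoteadmin: (?P<result>FAILED|ACCEPTED) login "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)

# Hypothetical allowlist: the only address(es) that should ever administer
# the POS remotely (your vendor's support network, per tip 2 above).
VENDOR_ALLOWLIST = {"198.51.100.20"}

# Five failures inside five minutes from one source is treated as guessing.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Turn matching log lines into dicts with a real datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; ignore
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def find_alerts(events, allowlist=VENDOR_ALLOWLIST):
    """Return (kind, source, user, timestamp) tuples for suspicious activity.

    kinds:
      password_guessing         - FAIL_THRESHOLD failures within FAIL_WINDOW
      login_from_unknown_source - accepted login from an address not allowlisted
      success_after_guessing    - accepted login right after a guessing burst
    """
    alerts = []
    failures = defaultdict(list)  # source address -> recent failure timestamps

    for ev in events:
        src, ts = ev["src"], ev["ts"]
        # Keep only failures still inside the sliding window for this source.
        recent = [t for t in failures[src] if ts - t <= FAIL_WINDOW]

        if ev["result"] == "FAILED":
            recent.append(ts)
            if len(recent) == FAIL_THRESHOLD:  # fire once when threshold is hit
                alerts.append(("password_guessing", src, ev["user"], ts))
        else:  # ACCEPTED
            if src not in allowlist:
                alerts.append(("login_from_unknown_source", src, ev["user"], ts))
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("success_after_guessing", src, ev["user"], ts))

        failures[src] = recent
    return alerts


def summarize(alerts):
    """Count alerts by kind, for a quick daily report."""
    counts = defaultdict(int)
    for kind, _src, _user, _ts in alerts:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_alerts(parse_log(SAMPLE_LOG))
    for kind, src, user, ts in found:
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:<26} user={user} from={src}")
    print(summarize(found))
```

Against the constructed sample this reports four alerts: the guessing burst from 203.0.113.7, that source’s subsequent successful login flagged twice (unknown source, and success after guessing), and the late-night login from 192.0.2.55. The vendor’s login produces nothing. Either of the two “unknown source” hits is the kind of unidentified login the tip above tells you to look for, and the “success after guessing” hit is what a default or guessable administrative password looks like in the logs.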
For help with setting up your merchant processing system read our guide on How To: Accept Credit Card Payments.