Data security breaches are frequent news. Risk Based Security’s recently released Q1 2018 Data Breach QuickView Report, indicates that there have been nearly 700 breaches already this year, from January 1 to March 1, 2018. It also states that this number is a decrease from the year before, when the number for the same timeframe was more than a thousand.
While breaches remain a very real issue for many retailers, it is not a topic often discussed among the small businesses that predominate vending, micro market and office coffee service. Operators don’t feel at risk, or believe it is the cashless service provider who would be liable should a breach happen. These could both be true, the latter depending on the contract; however, neither changes the reaction of the customer.
“It is usually the processing company that has the breach, but no one knows them,” said Michael Kasavana, MSU/NAMA Professor Emeritus, who has written a whitepaper on data security and presented educational seminars for NAMA on the subject. “Therefore, the blame gets put on the retailer. You’ll get the bad rap regardless of whether it’s something you may not have been responsible for doing.”
The threat for operators who aren’t concerned about data security is that it can still make customers lose faith and restrict business with that service provider. To mitigate the risk of attack as much as possible, it’s necessary to understand the basics and ensure payment providers are complying with current payment security standards.
Hitting close to home
In July of last year, micro market supplier Avanti Markets announced that it had been the victim of a malware attack on its credit card data. It shook the industry as this was the first vending, micro market or office coffee service company to acknowledge an attack as well as publicly discuss the issue. John Reilly, president of Avanti Markets, spoke at the 2017 NAMA CoffeeTea&Water Show about the experience saying, “Breaches can occur under the most mundane of circumstances...if it could happen to us, it could happen to any company in our industry.”
He reiterated the importance of having a plan to prevent, address and recover from a data breach, as well as continuously reviewing and updating the plan. Educating employees was another topic, Reilly mentioned, as unintentional opening of a malicious email can often allow entry into the company’s network.
“Educate staff how to deal with confidential information as they can be the conduit that can open access leading to a data breach,” he said.
Much of the best practices related to data breach prevention, detection and recovery are covered in a best practices guide found in the NAMA online store. It is a great resource written by Kasavana for operators looking to delve deeper into cyber security. For small and medium operations who contract out payment services, there are still things to know for proper risk management.
A common acronym associated with payment data security is PCI, used in terms such as PCI certified or PCI compliant. PCI stands for the Payment Card Industry and many companies use it to refer to the longer PCI DSS (Data Security Standard) which encompasses the security component of data processing. It is the standard used in the U.S. to ensure consistent assessment of payment data security. Kasavana has produced a whitepaper on PCI DSS and different aspects of certification as it relates to the convenience services industry called Understanding the Payment Card Industry Data Security Standards (PCI DSS), also available from the NAMA online store. Within the paper, Kasavana discusses the different levels of security included in PCI DSS, including Merchant Level 4, which is the level most vending, micro market and office coffee service operators would be classified under.
“There are four levels of PCI security levels,” said Kasavana. “Usually in the industry we are looking at level 4, which is the level relating to fewest transactions.” The criteria stated in the whitepaper is that level 4 means less than 20,000 Visa or MasterCard transactions annually. The other three merchant levels are divided by increasingly higher numbers of annual transactions. Level 4 validation requires completion of an annual self-assessment questionnaire, quarterly network scan by an ASV or Approved Scanning Vendor, and an attestation of compliance form.
By visiting https://www.pcisecuritystandards.org/assessors_and_solutions/vpa_agreement, and accepting the terms of a search procedure, operators can determine if companies they work with are current with respect to PCI DSS. Once the name of a payment processor is entered, information about its license, date last reviewed and expiration date will appear beneath the search bar.
If a company is not listed; however, Kasavana warns operators not to assume the worst. “It‘s not a straight forward search process,” he said. Most convenience service providers contract with a payment processor. That payment processor may be part of a network involving a secondary processor. It is likely that the secondary processor’s name needs to be entered into the search bar to verify PCI certification. Operators should ask for the name of possible secondary processors in order to verify a current level of certification.
PCI also offers guidance for small merchants who subcontract payment services. In the document PAYMENT PROTECTION RESOURCES FOR SMALL MERCHANTS: Questions to Ask Your Vendors, the organization lays out several topics to confirm with a payment service provider. Here are a few of the most relevant:
- Does our agreement with you include clauses that state that you will maintain PCI DSS compliance for your product/service (or become PCI DSS validated)?
- In the event that there is a data breach and your product/solution is involved:
- If I experience penalties, do you offer support and protection?
- How and when do you notify me if there is a breach?
- What monitoring for data breaches and suspicious activities do you provide?
- Does the vendor/service provider carry insurance to cover data breaches related to their product/solution?
- Does the vendor/service provider assist with notification of my customers in the event of a data breach and your product solution is the root cause?
PCI DSS enforcement
While PCI DSS offers a way to assess security, it’s not enforced by the PCI Security Standards Council, according to Kasavana. It is up to the payments processor to work with retailers to ensure compliance. Card brands may also impose fines and consequences to businesses that are non-compliant. The example Kasavana gives in his whitepaper is what happened to TJX.
TJX owns retailers such as TJmaxx and Marshalls and disclosed a breach in early 2007, which resulted in more than 100 million cards being exposed to fraud. Visa and Mastercard each brought a lawsuit against TJX, who settled for approximately $41 million and $24 million, respectively, in addition to the millions spent on the investigation and system upgrades.
Recovery in the event of breach
Dealing with the aftermath of a breach is not easy. Avanti Markets made a public announcement last year when it happened to them, which included frequently asked questions to assist operators and customers as a resource. The FAQ included information on what had happened, what the company was doing, what customers should look for and how individual fraud alerts and credit monitoring might help. Operators can use this as a model in developing their own plans should a breach occur, as well as providing talking points and resources for concerned customers.
Nothing can guarantee a company won’t incur a data security breach; however, it is still worth validating PCI DSS of payment partners. A PCI DSS investigation can greatly reduce the risk of a data breach. It is important to understand PCI, how to determine the compliance level of a processor and the liability involved should a breach occur. It is also advisable to have a plan in place for customers, just in case the worst happens.