The risk of a credit card security breach is serious business
Here’s the bottom line: any business that accepts credit card payments can be a victim of fraud. Well-publicized fraud attacks such as those that have occurred in the past few years certainly aren’t the only attacks that do damage to businesses’ reputations and bottom lines. Despite best efforts by the major players in the financial industry to thwart credit card fraud, it is on the rise. Javelin reported that in 2014, about 31.8 million U.S. consumers were victims of a credit card breach. That number had increased more than threefold from 2013.
Whether you process 20 credit card transactions each week or 20,000, you need to be aware of how fraud can affect your business.
Effects of a data breach
The effects of a fraud attack on your business can be monumental. Of course, you have to first consider the financial losses. According to a 2015 IBM study, the average consolidated total cost of a data breach is $3.8 million, which was a 23 percent increase over 2013. The average cost per record stolen was $154. Consider whether your payment systems are storing hundreds or even thousands of customer records. The losses your business can suffer could be well into the tens of thousands of dollars.
Another major effect of a fraud attack is on your business’s reputation. If you’ve suffered a breach, the majority of consumers are not likely to patronize your company in the future. According to a survey of 2,000 consumers by OnePoll, 86.55 percent said they were “not at all likely” or “not very likely” to do business with an organization that had suffered a data breach involving credit or debit card details (Source: CSO Online). Leave your business and systems vulnerable to a fraud attack—and risk losing a large majority of your customer base to your competitors that are doing a better job of securing sensitive data on their payments systems.
Credit card fraud in the United States
It’s important to realize that credit card fraud has been higher in the United States than in other major global economies for the past several years. This is due in large part to the fact that areas such as Europe began using EMV chip cards to help combat in-person fraud some years ago. In a white paper titled, “The Migration to EMV Chip Technology: EMV Implementation in the U.S.,” Pymnts.com reports: “EMV has been tremendously successful in preventing fraud. Wherever EMV has been implemented comprehensively, including the objective PIN verification by the chip, significant fraud reduction ratios have been achieved and sustained.”
EMV chip cards and fraud
EMV chip cards help combat fraud because the tiny computer chip embedded into the chip card creates a unique data string for each transaction that cannot be used in subsequent transactions. So, even if transaction data related to an EMV transaction is intercepted by hackers, the data cannot be used to successfully process future credit card transactions.
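How a per-transaction value defeats reuse of intercepted data, as an added example that is not part of the original article. It is a simplified model, not the EMV cryptogram algorithm: HMAC-SHA256 stands in for the card's MAC, and the key, stripe data, `Issuer` class and function names are constructed for illustration.

```python
import hashlib
import hmac

CARD_KEY = b"constructed-demo-key"        # constructed; real cards hold an issuer-provisioned key
TRACK_DATA = b"constructed-stripe-data"   # constructed stand-in for static magnetic stripe data


def chip_cryptogram(key, counter, amount_cents, terminal_nonce):
    """Per-transaction value: a MAC over a card counter, the amount and a terminal nonce."""
    msg = counter.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + terminal_nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Hypothetical issuer-side authorization for a single card."""

    def __init__(self, key, track_data):
        self.key, self.track_data, self.last_counter = key, track_data, 0

    def authorize_stripe(self, presented):
        # Static data: the same bytes are accepted on every swipe.
        return hmac.compare_digest(presented, self.track_data)

    def authorize_chip(self, counter, amount_cents, nonce, cryptogram):
        if counter <= self.last_counter:
            return False  # counter already used: the data is a replay
        expected = chip_cryptogram(self.key, counter, amount_cents, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # cryptogram was computed for a different transaction
        self.last_counter = counter
        return True


def demo():
    issuer = Issuer(CARD_KEY, TRACK_DATA)
    nonce = b"\x01\x02\x03\x04"
    seen = chip_cryptogram(CARD_KEY, 1, 2500, nonce)  # value observed on the wire
    return {
        "stripe_original": issuer.authorize_stripe(TRACK_DATA),
        "stripe_reused": issuer.authorize_stripe(TRACK_DATA),
        "chip_original": issuer.authorize_chip(1, 2500, nonce, seen),
        "chip_reused": issuer.authorize_chip(1, 2500, nonce, seen),
        "chip_reused_new_counter": issuer.authorize_chip(2, 2500, b"\x05\x06\x07\x08", seen),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'declined'}")
```

The stripe data is accepted both times, while the chip value is accepted once and declined on every later presentation.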
Check out these statistics on card-present EMV chip card use from EMVCo:
- From July 2013 to June 2014, 96.33% of card-present transactions in Europe Zone 1 (most areas of western and northern Europe) were performed on EMV cards. From July 2014 to June 2015, that percentage increased slightly to 96.94%.
- From July 2013 to June 2014, 75.9% of card-present transactions in Africa and the Middle East were performed on EMV cards. From July 2014 to June 2015, that percentage increased to 83.77%.
- From July 2013 to June 2014, just 0.03% of card-present transactions in the U.S. were performed on EMV cards. From July 2014 to June 2015, that percentage increased slightly to 0.26%.
As you can see, the number of card-present credit card transactions in the U.S. that were performed on EMV chip cards is minuscule in comparison with other areas of the world. Over 99 percent of card-present transactions in the U.S. were run on magnetic stripe cards. When hackers steal payment data related to magnetic stripe transactions, they can successfully use that payment data to run future transactions. For this reason, you can see why hackers would target the U.S. to steal valuable, useful card data.
The U.S. implementation of EMV and fraud
On October 1, 2015, the U.S. began its migration from magnetic stripe cards to EMV chip card technology. With the millions of plastic cards in circulation today, you can imagine what a large—not to mention costly—task this will be. Issuing banks have to reissue all debit and credit cards in EMV chip card format, and merchants must upgrade their POS terminals to accept the new EMV technology. Instead of being swiped through a card reader, EMV chip cards are “dipped” into the terminal, where they stay for the duration of the transaction while the unique data string is generated.
However, U.S. adoption of EMV has been fairly slow. As of February 2016, The Strawhecker Group reported that only 37 percent of merchants were set up to process EMV chip cards (Source: USA Today). Merchants who aren’t set up to handle EMV chip cards and who suffer a data breach at their location that could have been avoided with EMV technology may be held liable for that breach. Make sure your business is protected against credit card fraud by upgrading your POS terminals to accept EMV chip cards at all of your brick-and-mortar locations.
How to protect your business against a payment card attack
- Make sure your customer data is always stored in an encrypted database
- Make sure you require multiple levels of passwords to access any database that contains customer information—and require these passwords to be regularly changed
- Make sure you periodically and regularly run background checks on all employees and contractors that handle customer data
- Make sure you have malware detection software running on both your servers (hosted or not) and workstations, and that your firewalls are fully functional and secure
- Make sure you review and implement standard network security health check controls
- Make sure you have a disaster plan in place if a breach occurs
- Make sure your attorney has updated your business terms and conditions so your business isn’t held liable in the event of a stolen data incident
How the latest technologies can help protect your business from a data breach
Besides taking the above steps to make sure you have armed your business against fraud, the latest payments technologies can help your business stay secure. Partnering with a payments processor that takes security seriously, and then working with them to understand what your business needs, is the best way to protect your brand, your bottom line and your reputation.
Here are some payments technologies you may want to consider to help protect your business from a data breach:
- EMV chip card acceptance. As we reviewed above, making sure that you have POS terminals in place that accept EMV chip cards is a great way to protect your business from certain types of in-person payments fraud that can be avoided thanks to EMV technology.
- Encryption and tokenization. Encryption and tokenization are both methods of protecting sensitive cardholder data so that, in the event that hackers intercept it, it will be useless. Instead of transmitting full card numbers, for example, an encrypted string of characters (in the case of encryption) or a random token (in the case of tokenization) is sent over the network to complete a payment transaction.
- Breach protection. Today’s top processors go one step beyond just helping your business secure your systems against hackers—they guarantee it. Speak with your processor today about what sort of coverage they offer in terms of breach protection.
- Online security measures. If you process payments online, you’ll need to take some extra steps to safeguard your eCommerce site from fraud. Consider implementing an SSL (Secure Sockets Layer) certificate to protect the connection between your website and your customers’ web browsers, so that sensitive payments data can be safely transmitted. Require your customers to enter both the complete billing address associated with the payment card and the three- or four-digit CVV code. Fraudsters will sometimes not have this information when they steal credit card numbers, so requiring it before you accept payment will help to bolster your online payments security.
Take the risk of credit card breaches seriously
No business that accepts credit cards is safe from the perils of credit card fraud. Don’t risk costing your business thousands of dollars—or even being forced to shut its doors—by not doing everything you can do to protect your systems. Suffer a data breach, and many of your customers will likely do business with your competitors in the future instead of you. Vantiv can help and counsel in arming your business against credit card fraud, so speak with our reps today to learn what we offer in terms of protection and support.