eBay is the latest retail business to fall prey to online hacking. Reports say hackers were able to obtain employee credentials in order to access an estimated 145 million passwords and e-mail addresses of eBay sellers and customers. And, while eBay was hacked “in the cloud,” plenty of brick and mortar businesses have also fallen victim.
The arts and crafts retailer Michaels reported the theft of credit card information from three million customers over eight months. There was also Neiman Marcus, the most upscale victim, with an initial estimate of 1.1 million customers snared. The biggest headlines so far went to Target, when hackers stole the card numbers of more than 40 million customers and the personal information of another 70 million.
We shouldn’t underestimate the impact negative publicity from data breaches can cause. Would you want to give your credit card to a business publicly known not to protect it? According to a recent study by Javelin Strategy and Research, one-third of shoppers say they will take their business to a competitor if their favorite retailer suffers a breach. That’s why Target’s revenue, earnings and stock price all plummeted after the company disclosed the breach—as did sales at Michaels and Neiman Marcus.
When you consider the cost of legal expenses and new security monitoring measures, the losses to a company can be staggering. In its fourth-quarter earnings release in February, Target reported incurred expenses of $61 million related to the breach, with additional charges likely to come.
What does it mean for Dunkin’ Donuts franchisees?
Like all businesses that use web-enabled point of sale (POS) systems, Dunkin’ Donuts is just as vulnerable as any other retailer. Verizon’s 2014 Data Breach Investigations Report says that while “Recent highly publicized breaches of several large retailers have brought POS compromises to the forefront … from a frequency standpoint, this largely remains a small-and-medium business issue.”
That’s because thieves scan the Internet with automated scripts looking for vulnerable POS devices. These scripts try likely access credentials against the devices they locate, then install malware that collects and extracts payment card information. In fact, what makes Dunkin’ franchises vulnerable is their large number of POS devices. While an individual Dunkin’ Donuts getting hacked won’t generate the number of headlines that Target did, the franchisee could still expect it to negatively affect his or her local reputation—not to mention the breach-related charges, which could total $80,000 or more.
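The credential-guessing pattern described above leaves a recognizable trace in a POS device’s remote-access log: a burst of failed logins from one source, often followed by a successful one. The following is an added detection example, not code from the article or from any POS vendor; the log format, host names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed syslog-like format (not any real vendor's format).
SAMPLE_LOG = """\
2014-06-01T02:10:01 pos-01 remoteaccess: FAILED login user=admin src=203.0.113.7
2014-06-01T02:10:03 pos-01 remoteaccess: FAILED login user=admin src=203.0.113.7
2014-06-01T02:10:05 pos-01 remoteaccess: FAILED login user=pos src=203.0.113.7
2014-06-01T02:10:08 pos-01 remoteaccess: FAILED login user=manager src=203.0.113.7
2014-06-01T02:10:11 pos-01 remoteaccess: FAILED login user=admin src=203.0.113.7
2014-06-01T02:10:14 pos-01 remoteaccess: ACCEPTED login user=admin src=203.0.113.7
2014-06-01T09:15:00 pos-01 remoteaccess: FAILED login user=jdoe src=192.0.2.20
2014-06-01T09:15:30 pos-01 remoteaccess: ACCEPTED login user=jdoe src=192.0.2.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) remoteaccess: (?P<result>FAILED|ACCEPTED) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_events(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events

def find_credential_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Flag each source with >= threshold failed logins inside `window`, and note
    whether an ACCEPTED login from that source followed the burst (a likely compromise)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAILED"]
        for i in range(len(fails)):
            j = i  # extend the burst while later failures stay inside the window
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                burst, last_fail = fails[i:j + 1], fails[j]["ts"]
                success_after = any(e["result"] == "ACCEPTED" and last_fail <= e["ts"] <= last_fail + window for e in evs)
                alerts[src] = {"failures": j - i + 1, "users": sorted({e["user"] for e in burst}), "success_after": success_after}
                break
    return alerts
```

A single mistyped password, like the one from 192.0.2.20, stays below the threshold; the rapid multi-account burst from 203.0.113.7 that ends in an accepted login is what should page someone.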
As with every other business that accepts credit card payments, the responsibility for complying with the Payment Card Industry Data Security Standard (PCI DSS) rests with the local merchant. While nothing can make a business 100 percent invulnerable to hackers, PCI compliance is the best protection against credit card data theft. Your merchant bank or ISO doesn’t cover you for PCI DSS compliance; it is always the merchant’s responsibility.
PCI DSS is very clear about what’s required to be compliant. You must address these key PCI DSS requirements:
• Build and maintain a secure network. Make it extremely difficult for hackers to get to your POS device.
• Protect cardholder data. The best measure is to store all credit card data off-premises for access through a secure gateway.
• Maintain a vulnerability management program. Build in business practices that give you a proactive posture toward quarterly vulnerability scans, rather than a reactive one.
• Implement strong access control measures. Make sure that only personnel with an absolute need to access cardholder data are able to; then carefully monitor access.
• Maintain an information security policy. The least-informed employee can be the weakest link when it comes to PCI compliance. Make sure every employee who accesses sensitive data on your network understands your store’s security measures and the reasons for them.
Chad Leedy is director of Retail Compliance for ANX eBusiness Corporation