Preventing data breaches: A crash course in fintech security for small business
Who keeps gold in a shoebox? In the backseat of their unlocked car?
You might be surprised to learn it happens all the time. In fact, someone somewhere is doing that right now. That someone could be you.
Of course we’re not talking about literal gold. But we are talking about something else that’s worth its proverbial weight in the stuff. That’s sensitive data.
As a business owner taking credit card payments, you’re sitting on piles of it. You have an obligation to transform that shoebox into a vault and that unlocked car into a padlocked door, guarded by a professional security team. After all, not doing so could mean serious consequences for your customers and your business. But the right strategy and fintech solutions and support can put you in control of protecting valuable, sensitive data and leave you feeling more secure than ever.
In this blog, we’ll cover all of that and more, including:
Who is responsible for data security
Your role in complying with PCI DSS
Current and common cybersecurity threats
Consequences of data breaches
Steps you and your fintech provider can take to lessen risk
How Heartland approaches security
Data and fintech fuel modern business
Today, data is everywhere because it’s at the heart of everyday business. Personal data is transferred millions of times per day between millions of different recipients. Ecommerce and the rise of fintech drive it all. "Fintech" is a portmanteau of the words "financial technology" and describes hardware and software that make it easy for people to digitally move money. That includes financial services that cover anything from applying for funding to cutting payroll checks.
Fintech also includes technology that makes it possible for businesses to accept and process payments, like a point of sale (POS) system, virtual terminal and payment processing. In this blog, we’ll use “fintech” to refer to those specific things.
Why the focus on payment processing, POS systems and credit card data? Because you rely upon those tools to run a profitable business every second of every day. It’s also important to cover because payments data is the type of information cybercriminals - or hackers - want most. Names, credit card numbers, financial data, bank account numbers, addresses and other pieces of sensitive data are all they need to create counterfeit debit and credit cards and use them to make unauthorized purchases.
Data protection and data security are everyone's responsibility
In fact, some of the largest data breaches in retail history involve stolen credit card data. In September of 2015, 56 million Home Depot customers’ credit card information was exposed by hackers. TJX — the owner of several retail brands, including TJ Maxx, Marshalls and HomeGoods — suffered a data breach that exposed 45.6 million credit and debit card numbers.
Those breaches represent big scores for hackers. But major organizations with huge transaction volumes aren’t the only ones at risk. According to CNBC, small businesses have become a favorite target for fraudsters, who commit 43% of online attacks on mom and pop shops. Ultimately, everyone is vulnerable to data security breaches. And everyone has a responsibility to minimize those vulnerabilities — including you and your fintech provider.
PCI compliance is crucial for every business
If you accept credit or debit cards, you have a merchant agreement with the major card brands. You also likely use a POS system and partner with a fintech company who processes those payments. In exchange for the ability to do so, you, your POS provider and your payment processor have all agreed to comply with established data security standards for the safe handling of sensitive cardholder data.
What is PCI DSS compliance?
Visa, Mastercard, American Express, Discover and JCB make up the Payment Card Industry (PCI) Security Standards Council. The council formed in 2004 to protect the growing amount of credit card data merchants and processors were handling, transferring and storing. Around the same time, the council created the PCI Data Security Standards (PCI DSS).
PCI DSS is a set of benchmarks that show businesses how to reasonably care for and safeguard cardholder data. If you accept credit or debit cards, you have agreed to follow those security standards. And if you’re consistently abiding by each of those standards you are upholding that agreement by maintaining your PCI compliance.
The key words here are consistently and maintaining, because complying with PCI security requirements isn’t a one-time task or project. It’s a state of being. It’s important to ensure the standards are woven into your day-to-day operations and culture. Keep in mind that meeting them once doesn’t mean you can’t be breached if a vulnerability pops up in the future and goes unaddressed. With 480 cyberthreats launched every 60 seconds, an ongoing commitment to security is the only way to truly protect your business and your customers.
One important aspect of PCI DSS compliance for small businesses is using fintech equipment that meets the Council’s security standards for technology applications like point of sale systems. The Payment Application Data Security Standard (PA DSS) is a separate set of requirements that fintech solutions must meet in order to be considered PA DSS-validated. Basically, PA DSS-validation means your provider follows requirements set by the Council to develop secure functionality that enables businesses to remain PCI compliant while using the technology. Validation is something a fintech provider seeks for the solutions they sell. According to the Council’s website:
The goal of PA DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS.
As a business owner, you don’t have to achieve PA DSS, but you must use a PA DSS-validated solution in order to maintain your PCI compliance. If you’re not sure whether your technology equipment is validated, a simple search on the PCI website can help you find out. If your provider’s solution isn’t certified or the validation has expired, looking for a new solution should be one of your first steps toward improved data security.
If you do need to upgrade your old, non-validated equipment, make sure your fintech provider offers solutions that have been evaluated and validated by the Council.
Data security risks are everywhere
Now that we’ve covered how valuable data is and who’s charged with keeping it safe, let’s explore a few techniques hackers use to breach digital defenses:
We’ve used the word “hacker” a lot so far, but it’s important to cover exactly what that means. Hacking describes the process by which people, bots or algorithms systematically test, find and exploit weaknesses in a business’ data security defenses.
Once inside the system, these unauthorized users often deploy various software programs — called malware — to gain control over how sensitive data is stored, shared or accessed by the people who have legitimate claim to it. If you’ve been hacked, you’re experiencing a data breach.
Malware is any software program that’s designed to invade and disrupt a computer network to give criminals unauthorized access to sensitive information. Malware can operate secretly for as long as it takes for someone to notice it, constantly leaking or transferring important data to hackers. For example, the malware program that caused the notorious TJ Maxx breach ran undetected for over a year.
Most malware works covertly, capturing information, spreading to other systems and rewriting program codes to make your entire system more vulnerable to hacks. They do that by searching for vulnerabilities in other computers on your network, making themselves invisible to antivirus scans and more. But not all malware is subtle.
Although the first ransomware attack happened in 1989, this technique gained widespread attention in 2013 when the CryptoLocker attack infected over a quarter of a million computers and delivered a $3 million windfall to hackers. And it’s on the rise. Verizon’s 2021 Data Breach Investigations Report shows that ransomware attacks have more than doubled since last year.
So what is ransomware? Essentially, it’s malware that encrypts or disguises your data, whether it’s stored on an individual hard drive, a network of computers or even the cloud. You must pay a ransom - often in cryptocurrency - to gain access to the encryption key that will decode and restore your files.
Businesses are essentially inoperable until the ransom can be paid. And even after that, there’s a good chance that some files or data will remain encrypted or be lost altogether. One of the most common ways hackers deploy ransomware is through phishing (we’ll cover that later).
Data breaches cost small businesses big
You may be thinking that PCI compliance and fending off hackers will eat too much time or money. But the consequences of not doing it are major, and could deal a fatal financial blow to a small business. CNBC reports that the average cyberattack costs small businesses $200,000, and that 60% of them close their doors within six months of being hacked.
Let's explore what life looks like for a merchant after a breach. Common challenges include:
You may be wondering what that six-figure dollar amount includes. The cost of performing an investigation starts things off. When a merchant has been the victim of cybercrime, they are often responsible for facilitating a forensic investigation to see where things went wrong. While the results from these studies can be enlightening, they can be expensive to fund.
Once the investigation is over, various institutions will levy fines and penalties. For example, if a merchant has been breached and lost their customers’ credit or debit card data, they will be fined or receive monetary penalties from their payment processor and financial institution. Additionally, if the card brands have to issue new cards to customers, they will pass that cost on to the merchant, who also may face penalties for being noncompliant with PCI DSS.
The investigation may also yield suggestions on ways to improve data security, including adopting new technologies, processes, training programs and more. Although valuable, these recommendations can be expensive to implement and sometimes they’re even required in order to continue accepting credit card payments.
If a cardholder experiences identity theft or catastrophic financial consequences as a result of their information being hacked, they may file a lawsuit against the business that was charged to protect it.
The PCI DSS Guide says that state and federal governments with laws around data security may become involved. The Guide also reports that the costs associated with any kind of legal action can make the penalties levied by banks, processors and card brands seem minuscule in comparison.
Repeal of card acceptance privileges
Any merchant who experiences a data breach, doesn’t remit penalties or fines, and can’t show improved security measures over time may find themselves unable to accept credit cards.
The PCI Security Council has the authority to ban a merchant from being able to accept their cards as a method of payment. Considering that the majority of in-store or online purchases are made using credit or debit cards, a banned merchant could have a tough time operating profitably — or at all.
Loss of consumer trust
When you think about it, the bond between a customer and merchant is one that’s built on confidence. Without a second thought, customers give you access and control over some of their most valuable data, trusting you to use it honestly and keep it safe. Card numbers, names, addresses, birthdays and more. Once you’ve been breached and your customers find out, they are naturally going to think twice about doing business with you.
A breach may also affect your ability to gain new customers. Word of mouth spreads fast, and customers who have been exposed through a breach will likely share their story with others.
Follow PCI standards to help prevent a data breach
It’s understandable if all of this seems overwhelming. But it doesn't have to be. The good news is you can keep your business’ and your customers’ data safe. And you don’t have to do it alone.
For starters, the PCI standards are essentially a very detailed guide of what to do. Although there are a lot of steps to follow, many of them are fairly basic and match common sense measures you likely already take, like keeping your passwords secure.
For more complicated steps, like building and maintaining a firewall, there are affordable third-party resources you can use to help. And if your business processes and systems are large or complex, or you’re just not up to the task, there are PCI-compliance assistance programs on the market that are worth every penny.
Data security tools and tips for merchants
Hackers have a lot of tools at their disposal. But so do you. To put your mind at ease, we’re going to cover some of the key steps you’ll take on your journey to PCI compliance and protecting your data goldmine:
Use antivirus software
You probably have some version of antivirus software on your computer right now. But just like PCI compliance, it isn’t something to just set and forget. Update it as often as needed. The program itself usually lets you know when it’s time. Even though those updates tend to interrupt your work, require restarts and generally feel like a pain in the neck, do it. It’s worth it.
Also, set it to run an antivirus scan at least once a week. And don’t hesitate to scan for malware anytime you encounter suspicious activity. According to the Federal Trade Commission, your system may have been hacked if any computer on your network:
“suddenly slows down, crashes, or displays repeated error messages
won’t shut down or restart
won’t let you remove software
serves up lots of pop-ups, inappropriate ads, or ads that interfere with page content
shows ads in places you typically wouldn’t see them, like government websites
shows new and unexpected toolbars or icons in your browser or on your desktop
uses a new default search engine, or displays new tabs or websites you didn’t open
keeps changing your computer’s internet home page
sends emails you didn’t write
runs out of battery life more quickly than it should”
Invest in a firewall
While antivirus software scans your existing computers and network, a firewall acts like a bouncer for online traffic. It can stop malicious software from infecting your network. Chances are you already use one to protect your personal or home computer. But did you know the PCI DSS mandates them for business computers and networks too? Under the first provision, among other requirements, merchants must:
“Build firewall and router configurations that restrict all traffic, inbound and outbound, from ‘untrusted’ networks (including wireless) and hosts, and specifically deny all other traffic except for protocols necessary for the cardholder data environment,” and
“Prohibit direct public access between the Internet and any system component in the cardholder data environment.”
So what type of firewall will help you meet the standard? PCI DSS language asks merchants to install “a personal firewall software or equivalent.” But you may want to consider a stronger defense.
Typically, home computer users rely on a software firewall for protection. While that’s a perfectly safe solution for one personal device, most experts agree that a software firewall isn’t robust enough to protect entire networks. That’s why they recommend small businesses invest in a hardware firewall to block attacks against multiple computers.
Train your employees
The people inside your organization are the biggest targets for hackers. Luckily, they can also be your best line of defense against a data breach. Teach your teams to adopt the following security practices:
Spot and report phishing: Earlier we mentioned that most ransomware infects a network through successful phishing tactics. Hackers use official-looking emails, texts and websites to pressure recipients into sharing sensitive information quickly. Most phishing emails will have subtle red flags, including spelling mistakes and email addresses that don’t match the sender’s domain.
Tell your employees to refrain from clicking on, saving or sending a message they think might be a phishing attack. Ensure they report it immediately instead of attempting to investigate it themselves. Once you are aware of the suspicious message, you can take steps to verify it and protect your network.
Create strong passwords: It’s definitely easy to remember “1234.” Unfortunately, overly simplistic passwords are also easy for hackers to guess.
Ask employees to create something secure, but memorable, so they don’t have to write it down or save it in an Excel sheet. Ensure they include numbers and special characters, like exclamation points or question marks. It’s also helpful to use both uppercase and lowercase letters.
Keep passwords secure: Creating strong passwords doesn’t go very far toward security if anyone can easily see or access them. Ask team members to refrain from sharing their passwords with others, or writing them on sticky notes posted around the computer. Keep them in a secure place where access is limited and monitored.
A password manager program can make this easier by generating strong passwords — so you don’t have to rely on employees to do so — and storing them in an encrypted file. That means the data in the file is only visible to the person with the master password, which would ideally be you. You may also want to consider implementing multi-factor authentication for an added layer of security.
Report suspicious activity as soon as possible: We’ve already mentioned this, but it bears repeating. The damage caused by viruses and malware is directly proportionate to the amount of time they are allowed to run. If your employees encounter any suspicious activity, ask them to report it immediately.
A lot of team members may feel compelled to help by researching or attempting to troubleshoot issues themselves. Make sure they know that the best way for them to defend against hackers is to stop working on their computer and raise the alert.
While this list isn’t comprehensive, it is a good place to start fulfilling your end of the data security bargain. Now, let’s dive into how your POS and payments functionality should help.
Data security for fintech providers
You may be thinking that this part of the blog isn’t necessarily for you. But that’s not the case. Even though we’re talking about ways fintech providers should keep data safe, it’s crucial that you — as a merchant — know what they are. That way, you know what kind of security measures to expect from your POS dealer and payment processor.
We’ve touched on how it’s important to use PA DSS-validated fintech equipment. But it’s also important that the solution you choose empowers you to meet the PCI DSS. Make sure you partner with a payments processor that minimizes your liability by encrypting card data within a secure acceptance device and using tokenization for stored data. That way, there’s no viable card data exposed during the transaction or saved in your business’ systems. No credit card data storage = lower risk.
This may seem like a confusing proposition. After all, isn’t encryption the reason ransomware attacks are successful? While that’s true, encryption in this case is a good thing, because your payment processor has the key and the means to keep it safe from hackers.
Encryption in this sense essentially turns sensitive credit card data into an unreadable, nonsensical value. It’s impossible for anyone to read without the decryption key shared between the involved financial institutions and payment processor. When credit card numbers appear as random gibberish, they’re worthless to the average hacker and significantly less valuable to even the most sophisticated crime rings. It’s important that any provider you use employs end-to-end encryption, so that all payments data is hidden and secure throughout the authorization process.
It’s vital that your fintech provider offers tokenization, particularly if you process card-on-file recurring payments for subscriptions or memberships. In this process, sensitive data is replaced with “tokens” which take the credit card information out of the equation, keeping it hidden from thieves. These data security measures — along with the solutions we’ve mentioned throughout this blog — work like your business’ very own security team.
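The following is an added example, not part of the original blog and not Heartland's code: a toy Python model of the tokenization described above, paired with a Luhn-based scan that checks the merchant's card-on-file record holds no card number. `TokenVault`, `card_on_file_record`, `find_pans` and the sample log are hypothetical names and constructed data, and the in-memory vault stands in for a processor-side service.

```python
import hashlib
import hmac
import re
import secrets

# Hypothetical names throughout. 13-19 digits, optional single space/dash separators.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Card-number checksum; filters out order ids and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return (line number, masked number) for every Luhn-valid candidate."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append((lineno, digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    return hits

class TokenVault:
    """Stand-in for the processor-side vault; the merchant never hosts this."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # keys the lookup index only
        self._pan_by_token = {}              # a real vault encrypts these at rest
        self._token_by_index = {}

    def tokenize(self, pan):
        digits = re.sub(r"[ -]", "", pan)
        if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
            raise ValueError("not a valid card number")
        index = hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest()
        if index not in self._token_by_index:
            token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from the PAN
            self._token_by_index[index] = token
            self._pan_by_token[token] = digits
        return self._token_by_index[index]

    def charge(self, token, amount_cents):
        pan = self._pan_by_token.get(token)
        if pan is None:
            return {"approved": False, "reason": "unknown token"}
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}

def card_on_file_record(vault, customer_id, pan):
    """What the merchant keeps: the token and last four digits, never the PAN."""
    return {"customer": customer_id, "token": vault.tokenize(pan),
            "last4": re.sub(r"[ -]", "", pan)[-4:]}

# Constructed sample of a pre-tokenization log; card numbers are published test numbers.
LEGACY_LOG = """\
10:02 sale approved card=4111 1111 1111 1111 amt=19.99
10:03 order 1234567890123456 shipped
10:05 refund to 5555-5555-5555-4444 requested by clerk 7
"""

if __name__ == "__main__":
    vault = TokenVault()
    record = card_on_file_record(vault, "cust-1", "4111 1111 1111 1111")
    print("legacy log:", find_pans(LEGACY_LOG))
    print("tokenized record:", find_pans(repr(record)), vault.charge(record["token"], 1999))
```

The scan flags the two card numbers in the legacy log and ignores the order number, which fails the Luhn check; the tokenized record produces no findings yet still supports a recurring charge through the vault.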
How Heartland approaches security
Data security has evolved rapidly over the past few decades in order to keep pace with modern criminals. And Heartland has too. We’ve helped millions of small businesses protect themselves with the security solutions and support they need to thrive.
With our secure POS and payment processing solutions, it’s easy to comply with PCI and mitigate your business’ risk of a data breach. Heartland's payment processing helps keep your customers’ sensitive data safe and secure with encryption and tokenization. Plus, our reporting capabilities make it easy to monitor transaction activity and spot suspicious entries.
We also offer an unprecedented breach warranty to all merchants who are Heartland Secure and employ Heartland Secure-certified devices — for as long as they’re processing with us — at no additional cost. You can also count on ‘round-the-clock assistance from US-based live agents.
In this modern age, you’re sitting on a goldmine of data and facing multiple security challenges. Hackers will stop at nothing to break through your defenses and gain access. But with new threats come new defensive tools that make it easier than you might think to confidently protect your business and customers from the devastation a data breach can bring. If you’re ready to make serious strides toward a solid data security strategy and looking for a fintech partner you can trust, contact us today.