Top 3 conversations to have with your customers about cybersecurity
You wouldn’t hand a new driver a car without making sure they’ve learned safe driving practices first, right?
As the one equipping your small business customers with their technology, providing them with the know-how to avoid becoming a victim of various cybercrimes is just as important as selling it to them in the first place.
This is especially true if your clients are going to use fintech that collects and processes sensitive data and financial information: they need to know how to keep it secure. Otherwise, they’re putting themselves, their customers and their businesses in danger.
You can help your customers avoid risks and feel in control of their security. But if you aren’t sure where to start, don’t worry. Simply read on.
We’re going to cover the top three topics you should talk to your customers about, including the specific threats they pose and solutions to stop them.
Before we jump in, remember that security is an ongoing, ever-evolving conversation. Consider this your guide to getting that conversation started.
When kicking off this compliance talk, start with the basics.
First, make sure your customers understand that if they accept credit or debit cards, they have entered into a merchant agreement with the major card brands: Visa, Mastercard, American Express, Discover and JCB. In exchange for the ability to accept cards, they agree to comply with the PCI Data Security Standards (PCI DSS) to ensure the sensitive card data they’re processing, handling, transferring and storing is protected.
Next, it’s a good idea to cover the many vulnerabilities businesses face due to the resourcefulness of today’s cybercriminals.
Start by explaining where the need for these global security standards arose from, or rather, what specific threats they were created to combat. Feel free to share the following definitions directly with your clients:
Hacking: The process through which people, bots or algorithms systematically test, find and exploit weaknesses in a business’ data security defenses. Once inside the system, hackers are able to deploy malware programs to gain control over sensitive data. We call this a data breach.
Malware: This is phase two of hacking. Once they’ve breached a system, cybercriminals deploy a software program that's designed to invade and disrupt a computer network to gain unauthorized access to sensitive information. Malware captures information, spreads it to other systems and rewrites program code to render an entire system vulnerable to hacks. It can operate secretly for extensive stretches of time, leaking or transferring important data to hackers all the while.
Ransomware: The name says it all: A ransomware attack is malware that holds a business’ data captive until they pay a ransom to get it back. It accomplishes this by encrypting or disguising the data, then demanding the victim pay a ransom, often in cryptocurrency, in order to gain access to the encryption key that will decode and restore their files.
If your customers have worry lines between their eyebrows at this point, this is the perfect time to dive into detail about those security standards we mentioned earlier.
Start by reminding them that PCI DSS is a set of benchmarks that were created to show businesses how to safeguard cardholder data.
While it sounds simple enough to learn the rules and follow them, don’t let your customers make the mistake of thinking this is something they can check off their list once and forget about. Maintaining PCI compliance is a continuous process. If your customers don’t apply constant maintenance to their fintech security, they open their business up to vulnerabilities.
Brows still furrowed?
Try putting it to them this way: You wouldn’t skip locking your door when you leave the house tomorrow just because you locked it yesterday. Cybersecurity works the same way.
If your customers need a rundown of the complete list of PCI DSS requirements, you can give them this overview. Just note, it’s the newest version of PCI standards, PCI DSS v4.0, and addresses emerging cyber threats. Luckily, business owners have plenty of time to comply.
The current version of security standards, PCI DSS v3.2.1, will remain active for two years after March 31, 2022, but you can provide extra value to your customers by not only helping them comply with the current standards, but also familiarizing them with the new version ahead of time, so they can make a plan for implementing the necessary changes when the time comes.
PCI Data Security Standard - High Level Overview
Now, that’s a pretty big list. So what exactly should you home in on when speaking with your customers about PCI compliance? Focus on the technologies available to help achieve and maintain PCI compliance.
Self Assessment Questionnaire (SAQ): SAQs can be lengthy and technically complex, so your guidance and expertise will be crucial in helping your clients complete them. But navigating SAQs alone is a tall order for any dealer. For a more scalable approach, consider partnering with a trusted provider whose solution can help you and your customers easily select and complete SAQs with expert support.
Antivirus software: While your customers are likely familiar with this tech that detects and eliminates viruses, it’s still a good idea to perform an analysis of what they currently have in place. Make sure the antivirus software they have installed is strong, being regularly updated and is scheduled for full system scans at least once a week to detect any malware that could be running in secret. Encourage them to scan for malware whenever they run into suspicious activity as well.
Firewall: While antivirus software detects any viruses that slip through, a firewall blocks them from entering in the first place. A firewall can be hardware, software or both; it acts as a barrier between your customers’ network and the internet to keep out unauthorized traffic. Experts recommend small businesses invest in a more robust hardware firewall to protect their network. Regardless of which kind your customers decide to go with, the important thing is that they add this critical layer of security and that their firewall is configured properly.
Secure remote access: The number one point of entry for attacks against brick-and-mortar businesses is insecure remote access. So this is a good rule of thumb to give your customers: Only allow remote access when absolutely necessary. Encourage them to establish security policies that limit use of remote access and to request that their vendors disable it when it’s not immediately needed. Another good practice is to require multi-factor authentication and unique credentials in order to gain remote access. And don’t forget to be mindful of your own use of remote access if you use it to troubleshoot and run updates on your clients’ systems.
Unlike PCI compliance, phishing is probably something your customers have been exposed to in their personal lives as it targets everyday people through communication channels. But protecting personal accounts against phishing attempts and protecting a whole business against them are two very different things.
Your goal is to help them understand this difference.
Let's dive in.
All phishing is a type of social engineering, or psychological manipulation through human interactions. Typically, a fraudster will investigate the intended victim, gather information on potential points of access or weaknesses, then move to gain the victim’s trust in order to get them to break security protocol. This is often a cybercriminal’s gateway to payment fraud, with roughly 90% of data breaches being caused by phishing.
What makes phishing so tricky is that it can be hard to spot.
For small businesses specifically, these are the main types of phishing you should warn your customers to look out for:
Phishing: At its core, all phishing is the use of fraudulent messages designed to fool a victim into taking a harmful action, such as unknowingly handing over their data. Scammers extract sensitive information from cardholders and businesses alike in a number of ways, including vishing (voice phishing or phishing done by phone), smishing (SMS or text message phishing) and angler phishing (phishing done via social media direct messages).
Spear phishing: Have your customers think of this as a focused approach to phishing. While some phishing attempts are sent out at random to a mass list, spear phishing is a highly specialized attack, targeting specific individuals or groups within a business. Spear phishing scammers often research the target prior to their attack and tailor their messages based on job positions, contacts of the victim and more personal details to make them difficult to detect.
Whaling: With this type of phishing attack, the fraudster impersonates someone high up in the organization like the CEO, a senior colleague, or in your customers’ case, the business owner. The scammer will often target another high profile individual at the organization and include an urgent request to perform a specific action such as making a purchase on the sender’s behalf. Whaling attacks can also be aimed at stealing sensitive information or gaining access to computer systems.
Once you’ve covered the many faces of phishing scams, let your customers know that their best defense against it is employee training.
Aside from the business owner, employees are often the primary target of phishing emails. So instructing your customers to build a company culture of cybersecurity through offering regular awareness training or workshops is your best bet.
Be sure to emphasize that education starts at the top.
When helping your customers understand how to spot phishing attempts, call out these red flags:
Threats of account closure or other serious consequences if the reader doesn’t take action
Requests or demands to share sensitive data
Sense of urgency
Spelling errors and strange grammar
Email addresses or links that don’t match the sender’s domain
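As an added illustration (not part of the original article and not Heartland's code), the automatable red flags above can be turned into a quick triage check that runs over constructed sample messages; the sender, domains and phrase lists are assumptions for the example.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrase lists mirror the red flags above; extend them for your customers' industry.
THREATS = ("account will be closed", "suspended", "legal action", "permanently locked")
SENSITIVE = r"\b(password|social security|card number|pin|routing number)\b"
URGENCY = ("immediately", "urgent", "within 24 hours", "right away", "final notice")

def sender_domain(from_header: str) -> str:
    """Domain of the actual address, ignoring the display name a scammer can set freely."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def link_hosts(body: str) -> list:
    """Hostnames of every http(s) link in the message body."""
    return [urlparse(u).hostname or "" for u in re.findall(r"""https?://[^\s<>"')]+""", body)]

def red_flags(from_header: str, body: str) -> list:
    """Return the red flags found; an empty list means no automatable check fired.
    Spelling and grammar oddities are left to the human reader."""
    flags = []
    domain = sender_domain(from_header)
    text = body.lower()
    for host in link_hosts(body):
        # Links should stay on the sender's domain (or a subdomain of it). A lookalike
        # sender domain with matching links passes this check, which is why the
        # "search the sender's company online" step still matters.
        if host != domain and not host.endswith("." + domain):
            flags.append(f"link to {host} does not match sender domain {domain}")
    if any(p in text for p in THREATS):
        flags.append("threat of account closure or other consequences")
    if re.search(SENSITIVE, text):
        flags.append("request to share sensitive data")
    if any(p in text for p in URGENCY):
        flags.append("sense of urgency")
    return flags

# Constructed sample messages for this example (not real mail)
PHISH_FROM = "Acme Bank Support <alerts@acme-bank-secure.example>"
PHISH_BODY = ("Your account will be suspended within 24 hours unless you verify "
              "your password at http://acme-bank.verify-login.example/login")
LEGIT_FROM = "Acme Bank <noreply@acmebank.example>"
LEGIT_BODY = "Your monthly statement is ready at https://online.acmebank.example/statements"

if __name__ == "__main__":
    for label, hdr, body in (("phish", PHISH_FROM, PHISH_BODY), ("legit", LEGIT_FROM, LEGIT_BODY)):
        print(label, red_flags(hdr, body))
```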
If your customers or their employees do receive a suspicious email, make sure they follow these steps:
Don’t click on anything in the email
Don’t open any attachments
Search the sender’s company online
Call the phone number listed on the company’s website and ask about the issue directly
Report the email as a phishing attempt
The bottom line? Protecting a small business against phishing takes a village, but it’s possible with the right training.
EMV chip card acceptance
Our final topic has to do with your customers’ POS systems. Over the past few years, chipped cards have grown to represent the majority of payment types. Today, we’re living in a world where EMV is the norm.
And while you might know the ins and outs of EMV like the back of your hand, for many, the switch from swiping to dipping their credit cards was just that — a change. Surprisingly, the reason behind why the switch was made is not as commonly known as you might expect.
So consider taking a moment to talk through exactly what this technology was designed to prevent if you have customers who are:
Put it to your customer plainly: Not processing chip cards with an EMV enabled terminal makes them a perfect target for counterfeit card fraud.
What happens after fraud has taken place? When the cardholder sees a fraudulent purchase on their billing statement, they will likely dispute it by filing a chargeback, that is, asking their bank to reverse the transaction. If the bank finds the cardholder’s claim to be valid after investigating, it will then issue a chargeback.
At this stage, the amount of the original sale will be deducted from your client’s account and refunded to the cardholder — essentially forcing them to pay for their own inventory twice. And your client’s business will be hit with a chargeback fee.
On top of that, if your customer gets one too many chargebacks, they could face even more serious consequences from the card brands. We’re talking consequences as crippling as their business getting banned from accepting debit or credit cards at all.
This scenario is bad for your client, bad for the customer experience and bad for business.
Okay, enough doom and gloom. Time to tell your clients something good: EMV chip card technology changed everything by making transactions more secure. All they have to do is encourage their customers and employees to dip or tap debit or credit cards at checkout instead of swiping them.
When explaining this, make sure they understand why a seemingly small change makes such a big difference: With EMV cards, a unique transaction code that disguises the data in the chip is generated every time the card is dipped or tapped — and it can’t be used again. So if a criminal tried to skim a chip card, they would be disappointed since the specific code they stole would be invalid for future purchases. Any attempted transaction for that duplicate card would get denied.
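To show why a replayed chip transaction gets denied while a copied magstripe does not, here is an added, deliberately simplified model (not the article's or Heartland's code, and not the real EMV algorithm): the per-transaction code is a MAC over a counter the card never reuses plus a fresh number from the terminal, and the issuer rejects both a mismatched code and a reused counter. Key, amounts and track data are constructed for the example.

```python
import hmac
import hashlib
import secrets

def cryptogram(card_key: bytes, atc: int, unpredictable: bytes, amount: int) -> bytes:
    """Stand-in for the EMV transaction cryptogram: a MAC over the card's transaction
    counter (ATC), the terminal's unpredictable number and the amount. Real EMV derives
    per-card session keys and uses 3DES/AES; the shape of the check is the same."""
    msg = atc.to_bytes(2, "big") + unpredictable + amount.to_bytes(4, "big")
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

class ChipCard:
    def __init__(self, card_key: bytes):
        self.key = card_key
        self.atc = 0  # application transaction counter: incremented on every dip/tap

    def dip(self, unpredictable: bytes, amount: int):
        self.atc += 1
        return self.atc, cryptogram(self.key, self.atc, unpredictable, amount)

class Issuer:
    """Issuer host: recomputes the cryptogram and refuses any counter it has already seen."""
    def __init__(self, card_key: bytes):
        self.key = card_key
        self.highest_atc = 0

    def authorize(self, atc: int, unpredictable: bytes, amount: int, crypto: bytes) -> str:
        expected = cryptogram(self.key, atc, unpredictable, amount)
        if not hmac.compare_digest(expected, crypto):
            return "declined: cryptogram mismatch"
        if atc <= self.highest_atc:
            return "declined: transaction counter already used"
        self.highest_atc = atc
        return "approved"

def magstripe_authorize(track_on_file: bytes, track_presented: bytes) -> str:
    """Contrast: a swipe sends the same static track data every time, so a copy passes."""
    return "approved" if track_presented == track_on_file else "declined"

def demo() -> list:
    key = secrets.token_bytes(16)  # constructed card key for this example
    card, issuer = ChipCard(key), Issuer(key)
    un = secrets.token_bytes(4)    # terminal's fresh unpredictable number
    atc, crypto = card.dip(un, 4999)
    results = [issuer.authorize(atc, un, 4999, crypto)]                            # genuine dip
    results.append(issuer.authorize(atc, un, 4999, crypto))                        # same data replayed
    results.append(issuer.authorize(atc, secrets.token_bytes(4), 1500, crypto))    # reused elsewhere
    track = b"<constructed track data>"
    results.append(magstripe_authorize(track, bytes(track)))                       # cloned stripe
    return results
```

Run `demo()` to see the genuine dip approved, both reuse attempts declined, and the cloned magstripe accepted as if it were the original card.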
That’s why it’s so important your customers are EMV compliant. In other words, they need to upgrade their POS equipment to securely accept and process EMV chip card technology.
If your client isn’t sure whether or not they’re EMV compliant, or they believe they are but you know they’re not, put them to the test with this scenario:
A customer is at the checkout counter and asks if they can insert their card into the slot of the store’s card reader. If the employee working checkout has to instruct the customer to swipe their card instead because there is either a) not an option to insert their card or b) that option is currently not working, the business is accepting liability for any resulting fraud.
If your customer is still not ready to shoot EMV capability to the top of their list, consider reiterating the consequences: If they do not have POS equipment that supports EMV payment technology and fraud occurs, they will likely be held liable for any counterfeit fraud charges and the associated fines. And it will cost them.
So, what’s the safest route? Make sure you have EMV-enabled technology to offer your customers and that you continue to urge them to let you implement it.
Explore secure solutions
If you’ve solved some problems for your customers and helped them create a solid cybersecurity strategy by the end of these conversations, great! If you’ve identified other areas where they might need help strengthening their security, even better.
Remember, these three conversations about cybersecurity threats and how to protect against them are meant to help you open up a channel of communication with your customers to use throughout the duration of your working relationship.
And as with any good conversation, listening is paramount. As you work through the guide, your customers will likely tell you where they need help or feel less than confident through the complaints they bring up as you talk. If you listen carefully, by the time you finish discussing this set of topics — or even find yourself off script due to your customer’s specific concerns — you’ll have a roadmap for how to provide value going forward.
If you want to back up your cybersecurity conversations with tangible solutions to keep your customers safe, check out Heartland’s offerings.
Heartland Secure™ delivers EMV, end-to-end encryption and tokenization technology. Heartland also offers a comprehensive breach warranty to all customers who use Heartland Secure solutions, at no additional cost. Beyond that, our POS and payment processing solutions make PCI compliance a top priority, taking out the guesswork for you and your clients.
Not a Heartland dealer yet? Discover all the ways we can help you grow your revenue stack and become part of the Heartland dealer channel today.
Heartland is the point of sale, payments and payroll solution of choice for entrepreneurs that need human-centered technology to sell more, keep customers coming back and spend less time in the back office. Nearly 1,000,000 businesses trust us to guide them through market changes and technology challenges, so they can stay competitive and focus on building remarkable businesses instead of managing the daily grind. Learn more at heartland.us.