Wednesday, April 22, 2015

Why Data Security Concerns Small Businesses

Why Data Security Should Concern Small Businesses (and All Businesses, Really)



Given the culture of mainstream data security breaches we’ve been unwittingly thrust into beginning in about 2013, I think it goes without saying that PCI compliance is vitally important, not just in the world of payment processing, but in the world of business in general.

Oh, PCI compliance… I’m talking about that item that never fails to pop up on your credit card processing statement. It’s that one thing you’re always billed for, no matter whether it’s in the positive (PCI compliance fee) or the negative (PCI noncompliance fee). Funny little line item it is.

For some business owners, that’s all it will ever be – another annoying, unexplained little line item in an entire world of more pressing business issues. Maybe something a bit like car insurance – an expense whose worthiness won’t be proven until the day of a catastrophic, metal-twisting wreck. As a business owner growing your business, does a data security breach really concern someone like you? Or is this just a game the giants play while anyone smaller than Goliath watches from the bleachers?

Lately, all signs seem to say that yes, business owners – even small business owners – ought to be quite concerned with data security breaches.  Breaches are actually down worldwide from two years ago, but, as our buying culture moves slowly but surely to credit from cash (and our general habits from physical to online), fraudsters and hackers see the channel as a very viable road to profit.  Although PCI noncompliance is just one cause of data security breaches, taking a look at compliance and general payment security pointers can benefit all business owners, as security flaws are usually extremely correctable.

This piece isn’t meant to alarm you; instead, it’s more of a wake-up call for businesses that have relegated PCI compliance to the back burner – or didn’t put it on the stove at all. Better at least cover that pot if you’re keeping it out overnight.

So, what is PCI compliance, then?



Basically, it’s the security of credit card information – that is, how safe you’re keeping it when and if you’re storing it.

Some aspects of PCI compliance are thoroughly under your control.  For example, when faced with the decision of whether or not to copy down a customer’s credit card number to enter into your accounting system or credit card terminal later, you can choose not to, knowing well that paper trails, even destroyed ones, can increase your fraud liability.

Other aspects are thoroughly out of your control. For example, you may be using a payment processing program that keeps unprotected credit card information stored on your business’s server (and, though it sounds crazy, there are programs that do just that).

Do you have a Target (or a Home Depot) on your back?



It’s an unfortunate circumstance of today’s media coverage that the big guys get most (if not all) of the attention, while the little guys get next-to-nothing.  Contrary to what you may have heard, small businesses are a favorite target for hackers.  This white paper shows that 70% of all reported data security breaches happen in small businesses – a truly incredible, harrowing statistic, telling a much different story than the one you’d understand by only reading headlines. 

The headline stories make sense; compared to the enormity of the Target and Home Depot data breaches, the small business ones are…well, quite small.  Though they may be small enough to dip underneath the radar completely, they’re certainly a big story to the business owners they affect.

Data breaches can be murder



I don’t mean for you as a person, obviously. But, to your business? That’s a yes. The National Cyber Security Alliance stated in a report that when a small business is hacked and has its customers’ information compromised, it has a 60% chance of closing its doors within six months of the attack.

When you look at that statistic in tandem with the aforementioned one about how 70% of all reported data breaches occur in small businesses, it’s not quite a death sentence for small businesses – but, it’s close.

Especially in our age, hackers and fraudsters are more skilled than ever before, and they’re very aware of the fact that small business owners think they’re too small to be viable targets for information breaches. Incidentally, those businesses are also too small to be noticed by most anyone when they’re broken into, so nobody thinks to change their own security tactics until after the fact.

Don’t be the next unseen statistic



You don’t have to be another story nobody hears about.  Now that you know about all this negativity, you’ll be quite pleased to know it’s not difficult at all to protect yourself from invisible hackers and others who don’t have your best interests in mind.

Security breaches caused by hackers aside, it’s pretty easy for anyone to straighten out a rumpled piece of paper you used to copy down someone’s credit card number. Indeed, this isn’t what most people think of when they hear the term “data breach,” but if anyone recovers that trashed piece of paper, you’ll be liable for any consequences that may arise just the same. Just resist the urge to engage in that practice, and, if you’ve absolutely needed to do so in the past (for business procedures, direct orders, or any other reason), it may be time to revise standard procedure.

Additionally, if you use a computer-based credit card processing system that stores full, unprotected credit card numbers on your own server (read: is not PCI compliant), it’s time to look into an updated solution, something that fits today’s security standards. Solutions that employ tokenization technology, for example, replace sensitive data with strings of random numbers when in storage, so anyone who successfully breaks into a server storing the information doesn't get anything worthwhile - only garbled strings of characters.

If you used a cloud-based processing system, for example, you wouldn’t be liable for a data compromise the same way you would if you used something that stored information on your own servers.  If you aren’t sure about the status of your own processing system (for example, where it stores information, whether or not it’s even cloud-based), it never hurts to ask your credit card processor or search for reviews of the product you use that relate to PCI compliance and data security in general.


So, what is the value of PCI compliance to small businesses? It’s much more than a little line item on your statement; the very survival of many businesses depends on it. Be absolutely sure your own business maintains PCI compliance to avoid any potential pitfalls, and rest easy knowing that your customers’ payment records are safe because of something you did for your business. Because, as a small business owner, you’ve got a lot more to pore over than the worry of losing your business to an entirely avoidable data security lapse.
