Showing posts with label Home Depot data breach. Show all posts

Wednesday, April 22, 2015

Why Data Security Concerns Small Businesses

Why Data Security Should Concern Small Businesses (and All Businesses, Really)



Given the culture of mainstream data security breaches we’ve been unwittingly thrust into beginning in about 2013, I think it goes without saying that PCI compliance is vitally important, not just in the world of payment processing, but in the world of business in general.

Oh, PCI compliance… I’m talking about that item that never fails to pop up on your credit card processing statement.  It’s that one thing you’re always billed for, no matter whether it’s in the positive (PCI compliance fee) or the negative (PCI noncompliance fee).  Funny little line item it is.
For some business owners, that’s all it will ever be – another annoying, unexplained little line item in an entire world of more pressing business issues.  Maybe something a bit like car insurance – an expense whose worthiness won’t be proven until the day of a catastrophic, metal-twisting wreck.  As a business owner, does a data security breach as you grow your business really concern someone like you?  Or, is this just a game the giants play while anyone smaller than Goliath watches from the bleachers?

Lately, all signs seem to say that yes, business owners – even small business owners – ought to be quite concerned with data security breaches.  Breaches are actually down worldwide from two years ago, but, as our buying culture moves slowly but surely to credit from cash (and our general habits from physical to online), fraudsters and hackers see the channel as a very viable road to profit.  Although PCI noncompliance is just one cause of data security breaches, taking a look at compliance and general payment security pointers can benefit all business owners, as security flaws are usually extremely correctable.

This piece isn’t meant to alarm you; instead, it’s more of a wake-up call for businesses who’ve relegated PCI compliance to the back burner – or, didn’t put it on the stove at all.  Better at least cover that pot if you’re keeping it out overnight.

So, what is PCI compliance, then?



Basically, it’s the security of credit card information – that is, how safe you’re keeping it when and if you’re storing it.

Some aspects of PCI compliance are thoroughly under your control.  For example, when faced with the decision of whether or not to copy down a customer’s credit card number to enter into your accounting system or credit card terminal later, you can choose not to, knowing well that paper trails, even destroyed ones, can increase your fraud liability.

And, other aspects are thoroughly out of your control.  For example, you may be using a payment processing program that keeps unprotected credit card information stored on your business’ server (and, though it sounds crazy, there are programs that do just that).

Do you have a Target (or a Home Depot) on your back?



It’s an unfortunate circumstance of today’s media coverage that the big guys get most (if not all) of the attention, while the little guys get next-to-nothing.  Contrary to what you may have heard, small businesses are a favorite target for hackers.  This white paper shows that 70% of all reported data security breaches happen in small businesses – a truly incredible, harrowing statistic, telling a much different story than the one you’d understand by only reading headlines. 

The headline stories make sense; compared to the enormity of the Target and Home Depot data breaches, the small business ones are…well, quite small.  Though they may be small enough to dip underneath the radar completely, they’re certainly a big story to the business owners they affect.

Data breaches can be murder



I don’t mean for you as a person, obviously.  But, to your business?  That’s a yes.  The National Cyber Security Alliance stated in a report that when a small business is hacked and has its customers’ information compromised, it has a 60% chance of closing its doors within six months of the attack.
When you look at that statistic in tandem with the aforementioned one about how 70% of all reported data breaches occur in small businesses, it’s not quite a death sentence for small businesses – but, it’s close.

Especially in our age, hackers and fraudsters are more skilled than ever before, and, they’re very aware of the fact that small business owners think they’re too small to be viable targets for information breaches.  Incidentally, they’re also too small to be seen by most anyone when they’re broken into, so nobody ever thinks to change their own security tactics until after the fact.

Don’t be the next unseen statistic



You don’t have to be another story nobody hears about.  Now that you know about all this negativity, you’ll be quite pleased to know it’s not difficult at all to protect yourself from invisible hackers and others who don’t have your best interests in mind.

Regardless of security breaches caused by hackers, it’s pretty easy for anyone to straighten out a rumpled piece of paper you used to copy down someone’s credit card number.  Indeed, this isn’t what most people think of when they hear the term “data breach,” but if anyone recovers that trashed piece of paper you used, you’ll be liable for any consequences that may arise just the same.  Just resist the urge to engage in that practice, and, if you’ve absolutely needed to do so in the past (for business procedures, direct orders, or any other reason), it may be time to revise standard procedure.

Additionally, if you use a computer-based credit card processing system that stores full, unprotected credit card numbers on your own server (read: is not PCI compliant), it’s time to look into an updated solution, something that fits today’s security standards.  Solutions that employ tokenization technology, for example, replace sensitive data with strings of random numbers when in storage, so anyone who successfully breaks into a server storing the information doesn't get anything worthwhile - only garbled strings of characters.
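To make the tokenization point concrete, here is an added example (not from the original post or from any processor's product): a toy vault swaps a card number for a random token, and a Luhn-based scan shows what someone who copied the merchant's stored rows would find before and after. `TokenVault`, `find_card_numbers` and the sample rows are hypothetical; the card number is a widely used test number, not a real account.

```python
import re
import secrets
import string

def luhn_ok(digits: str) -> bool:
    """Luhn checksum that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical processor-side vault: the only place real card numbers live."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"[ -]", "", pan)
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        # Random letters with no mathematical link to the card number, so the
        # token cannot be reversed without access to the vault's lookup table.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]

def find_card_numbers(text: str) -> list:
    """Return every 13-19 digit run in text that passes Luhn (likely card numbers)."""
    hits = []
    for match in re.finditer(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)", text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def demo():
    test_pan = "4111 1111 1111 1111"   # constructed sample: common test number
    vault = TokenVault()
    legacy_row = f"A. Example,{test_pan},invoice 1001"             # unprotected storage
    token = vault.tokenize(test_pan)
    tokenized_row = f"A. Example,{token},last4=1111,invoice 1001"  # what the merchant keeps
    return find_card_numbers(legacy_row), find_card_numbers(tokenized_row), vault.detokenize(token)

if __name__ == "__main__":
    exposed_before, exposed_after, recovered = demo()
    print("card numbers in legacy row:   ", exposed_before)
    print("card numbers in tokenized row:", exposed_after)
```

The same `find_card_numbers` scan can be pointed at exported invoices or database dumps to check whether a system is quietly keeping full card numbers.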

If you used a cloud-based processing system, for example, you wouldn’t be liable for a data compromise the same way you would if you used something that stored information on your own servers.  If you aren’t sure about the status of your own processing system (for example, where it stores information, whether or not it’s even cloud-based), it never hurts to ask your credit card processor or search for reviews of the product you use that relate to PCI compliance and data security in general.


So, what is the value of PCI compliance to small businesses?  It’s much more than a little line item on your statement; the very survival of many businesses depends on it.  Be absolutely sure your own business maintains PCI compliance to avoid any potential pitfalls, and rest easy knowing that your customers’ payment records are safe because of something you did for your business.  Because, as a small business owner, you’ve got a lot more to pore over than the risk of losing your business because of an entirely avoidable data security lapse.

Tuesday, April 14, 2015

Which is Worse: A Damaged Reputation or the Loss of a Key Employee?


This man isn't sure yet...but he'll know soon enough.


It’s an interesting juxtaposition.

Would your company suffer more from the loss of a key employee, someone who hits his numbers every month, has an exemplary track record with his clients, or whose visionary ideas helped shape the company – or a tarnished reputation brought on by an unforgivable social gaffe or, worse, a data breach revealing the personal information of countless customers?

In order to examine this fully, we’ll need to break it down into smaller pieces: The benefits of having a top-of-class employee working for you, and the negative effects of losing such a person in your workforce.  And, we’ll need to look at the payoff of having a great reputation versus the deleterious effects of having a bad one.

Benefits Brought by a Key Employee




Having a good employee at your disposal obviously carries a string of benefits. 

The work he’s assigned gets done, and, not just that – it’s meaningful to the company, so it ends up bringing in appreciable revenue, revenue which certainly would not have arrived if that employee hadn’t contributed his work. 

Having such an employee can also mean entirely new ideas for your company, from website tweaks that positively affect traffic and search engine ranking to an entirely new, successful product line. 
The possibilities are great.

Bad Effects of Losing that Key Employee


Conversely, what happens when that same employee that created all the extra revenue and had ideas no one else could muster ends up leaving your company?

Certainly you can ride on his ghostly laurels for a time.  But, after that time, you’ll start to see a decrease in revenue because the production that key employee brought to the table simply isn’t there.
 
In time, after the key employee leaves, you might have some vestigial remains of his handiwork (such as that tweaked website you’ve told his successor not to touch) or the new product line that someone else oversees, but you won’t get the innovation back.

In short, you’ll return close to the productivity and revenue levels you were at before.  Your current clients might not notice much – maybe a different voice on the phone – but, you will.

Benefits Earned by a Great Reputation


Good reputation, on the other hand, can be thought of as something that happens when you have a good employee working for you. 

You garner a good reputation when someone visits the website that your star employee helped revamp and has a much easier time checking out and paying for his order.  He might tell his friends how easy it was, and he might even mention how you seem to have diversified your product lines, too.  He might write a review on Yelp, for that matter.  But, the principle is the same.  Good reputation comes from people saying good things about you.

The good thing about good reputation is it outlasts your star employees.  Whereas your influx of keen ideas might slow to a halt if your star producer leaves, people will remember how they felt when they read his work, when they surfed on his website, or when they bought the products he conceived of.  And, they’ll come back for more.

Negative Effects of a Bad Reputation




And, conversely, as good as the effects of a sparkling reputation can be, the effects of a lousy one can be exactly as bad.  And, usually worse. 

You might inadvertently plant a seed of bad reputation by making a faux pas at a large social gathering for your business.  By comparison, you might plant a sequoia grove by inadvertently compromising your customers’ data in a data breach.

Now, we’ve all read negative reviews on Yelp.  Those reviews are the ones that seem to stick the most, and the ones that seem to arouse the most passion.  Without going into the psychology behind it, let it suffice to say bad reputation is a much bigger worry than good reputation is a boon.  Whereas people interpret your good reputation to mean you’ve done mostly good things, people usually interpret a bad reputation to mean anyone’s given experience with you will be unequivocally bad.  No bones about it.

And, what’s more is the fact that a good reputation can easily shift to bad, but a bad reputation has a much harder time turning over to good once more.  A bad reputation outlasts your star employees and your bad apples, too.

So, Which is Worse?  Losing a Key Employee or a Damaged Reputation?




After reading this article, hopefully the answer is clear as day. 

Losing an essential employee might look bad on paper, but you’ll not only retain a good deal of his innovations (in some cases), but you won’t be thought of negatively just because of his loss.  You might be thought of…not quite as well.  But, not badly.

If your reputation’s tarnished, though, forget about it.

Negative reviews on Yelp live on forever, and people glom onto those juicy, bad stories much more than they do positive ones.  I mean, what captivates us when we read books?  See movies?

It’s the conflict.  It excites us.  We can use it to our advantage, of course (for example, avoiding a place that has horrid reviews on Yelp), but that doesn’t change the fact that we’re drawn to it.
That’s just how it is.

How Can You Protect Yourself?


Believe it or not, this article shouldn’t read like a death sentence.  It’s very possible to garner a good reputation and keep it that way.  You just have to be smart.

If that means calculating more heavily what you say in social situations, so be it.  If it means turning the other cheek when someone calls you a name instead of flying off the handle, you can handle it.  If it means investing time into looking into a tokenized security solution - or any number of other data security measures -  for your customers’ secure information, it’s worth looking into.

Friday, December 19, 2014

MOTO Credit Card Processing is Dead

(or, 3 tips to make it in MOTO business today)



Well, you heard me.  MOTO credit card processing as it was known at its inception is dead.  What comes to mind when one pictures MOTO credit card processing?  A businessperson typing a card number into a credit card terminal, right?  The technology in those terminals is approaching the age of dirt.  And, even more importantly--because some of us enjoy collecting classic items--that old technology is responsible for 85% of the card-not-present downgrades on monthly processing statements and 75% of the shoddy reports generated by harried accounting staff members.

Okay, so I’m totally lying about the numbers.  The point—that transactions are downgraded terribly and reporting tools are nonexistent with physical terminals—is absolutely valid.  If there were a way to measure shoddiness of reports as a function of harriedness of accounting staff from the general crappiness of the quality of life due to the oldness of your physical terminal, there would probably be a positive correlation.

MOTO credit card processing as you probably know it has outlived its expiration date.  If you know it as something other than what I’ve described, be happy you didn’t have to live through the golden (expensive, stressful) years.  You don’t have to take notes today.  However, if you have no idea what could ever replace your credit card terminals in the scheme of your business, you’ve arrived at the right place.  It’s time to get down and dirty.

MOTO credit card processing tips


1.  With the internet all things are possible (especially improved payment technology)


The internet has improved human life tremendously—or, rather, it’s sped everything up and made it easier to pass information around.  How does this apply to MOTO credit card processing?  Well, nowadays, you have options other than the physical terminals you might be using.  Take, for example, the virtual terminal:

If you're not familiar, it'll look something like this.  Pretty nice UI, and intuitive reporting tools.


Important to know about your virtual gateway:


  • You can access your online gateway from anywhere with an internet connection, not just your office.
  • Most virtual gateways are equipped with built-in searching and reporting tools, which are absolutely invaluable for copy requests, other audits, and simply reporting things at the end of the day or month.
  • Some virtual gateways can be equipped to integrate with your accounting system (like QuickBooks, or wherever else you might create and reconcile invoices), which brings about a whole host of other benefits.  There’s no better way to catapult your business into the 21st century than with a payment integration—and, your accounting staff will agree.


2. You can utilize payment channels other than mail and telephone


I know MOTO stands for Mail Order/Telephone Order, but in the past decades, that business model has expanded to include online orders, either via email or shopping cart.  Strongly consider whether or not your customers would benefit from the addition of an email payment portal, or a web shopping cart.  Maybe your website isn’t much to look at, or—good heavens—maybe you don’t even have a website.  Whereas payment integration can help almost everyone, adding a web shopping channel might not be for you if you have a well-established client base and you aren’t worried about not attracting Joe Average consumers.  But…I would wager that this idea helps more businesses than it hurts.  I mean, adding visibility and more payment methods can never hurt.

Shopping carts give you access to SO much useful data!  Makes me want to start my own business.

Important to know about an online payment method for your customers:


  • This is the age of automation.  Usually, if people have the opportunity to use an email portal or shopping cart for payment, they will.  That means orders come to you without you having to answer the phone.  And, that saves time.
  • You can automatically import your online payment data to your virtual gateway with information from other payment channels (like telephone) and make your reporting even easier.
  • Some shopping carts (like Magento) are designed to lower the base costs of accepting certain credit cards for payment.  Depending on your potential for online orders, this could be a great windfall.


3. The importance of PCI compliance can’t be overstated, so use a compliant solution


In light of the mainstream data breaches you've undoubtedly heard or read about, this point can't be stressed enough.  Using a virtual gateway or an integrated processing solution has the potential to significantly increase your data security, and decrease your chance of becoming the next mainstream news story.


Important to know about PCI compliance:


  • It’s easy to believe you’re invulnerable to hacks since you use a physical terminal—but, it simply isn’t true.  Hacking into phone lines isn’t terribly difficult; an entire subculture of phreakers could attest to that in the 1980s. 
  • Using a virtual terminal secures your data, and, using a tokenized data solution makes the data even safer than with a conventional virtual terminal.
  • Solutions like these are in high demand given the past few years—and, contrary to what you might believe, these solutions are usually available at no additional cost, as modern processors have adopted PCI compliance as a standard.


The beginning of something great


When something dies, something invariably takes its place, and we’re witnessing the implementation of some really cool payment processing options.  (I don't know about you, but I really like it when I can get a machine or a computer program to do instantly the work I would have spent 30 minutes doing, all while offering me a higher standard of data protection.)  Request a virtual terminal demo from the merchant services provider of your choice, and talk to several companies about what new MOTO credit card processing options will do for you.  I think if you give these options a chance, you’ll be pleasantly surprised at how much your business is improved.

Until next time,


Jeremy