When three women picked up their lunch bill of about $44 at a local Houston restaurant, they had no idea it would end up costing them more than $2,500. These women have since accused a waitress of stealing their credit card numbers and going on a spending spree—buying a computer desk, a forty-two-inch LCD TV, and video games with the stolen numbers.
“The bank said the magnetic striping from my card was stolen,” one of the women said. “They took my name off but used my number.”
The women said they remembered the waitress seemed nervous and was full of excuses about taking so long to process their cards. “She had the tickets in her hands. She was sorting through them, then said she messed up the tickets and was gone for a long time,” recalls Johanna Marino, one of the victims.
Unfortunately, this particular incident is not that unusual. Retailers are increasing their dependence on information-processing systems, while thieves are becoming increasingly sophisticated at stealing identities. This combination makes securing a company’s information systems even more critical in today’s market.
Small businesses and organizations in particular are facing mounting pressure—from the government and consumers—to increase their security. For entrepreneurs this could be just the niche they’ve been looking for.
AN EMERGING MARKET
Government regulations regarding information security and privacy legislation have mandated that all organizations create systems to protect their information systems and the privacy of their patrons. One example is the realization by the Credit Card Associations (e.g., Visa, MasterCard) that their brand is hostage to the mistakes of every merchant who accepts their credit cards. The imposition of the Payment Card Industry (PCI) security requirements on all merchants who store, transmit, or process credit card information is an example of how security now has a tangible impact on merchants throughout the world.
Many consumers are not aware of these government regulations, but even so they are more demanding of their merchants in terms of security than ever before. For example, London-based TNS PLC, a market research company, found that 75 percent of online shoppers surveyed say they have abandoned a retail site at one time or another because of security concerns. A Javelin Strategy & Research study noted that 77 percent of 2,750 consumers polled said they would stop shopping at stores that suffer data breaches, whereas “85 percent will reward merchants who are perceived as security leaders with increased purchases.”
The Ponemon Institute, an independent research organization, also reported that, of those merchants who suffered a data breach, 74 percent reported a loss of customers, 59 percent faced potential litigation, 33 percent faced potential fines, and 32 percent experienced a decline in share value. Such surveys note that today’s retailers must be more adept at maintaining security or they will lose the goodwill of their customers. These conditions make it even more vital for businesses to ensure they are PCI compliant.
Until recently, security compliance issues were almost exclusively the concern of large enterprises. However, with the advent of increased risks and regulations, smaller companies are being forced to worry about compliance and, unfortunately, few have the in-house expertise or the financial resources to solve their security problems. But many of their worries have been eased, thanks to a growing number of new firms providing a wide array of options.
SPECIFIC NEEDS AND CHALLENGES
Here’s how two businesses could be affected by PCI standards:
Merchant
The owner of a restaurant needs to accept credit card transactions. His bank has informed him that he needs to comply with PCI standards, but some standards are highly technical, and he does not understand them. Of the standards he does understand, he knows that the diner is not meeting a number of them. Until now he has been ignoring the issue, hoping it will go away, but his bank has now informed him that if he does not rectify the situation, he will lose his card-processing privileges, which would probably drive him out of business.
Furthermore, he has been placed on a list of suspect merchants, effectively preventing the transfer of his credit card business to another bank. The owner of the restaurant has called a few security vendors and found that even a simple set of solutions will cost several thousand dollars. He cannot afford this, but cannot afford the alternative—bankruptcy—either.
Bank
A bank recognizes that it is at serious risk of fines and penalties because the bulk of its merchant population is not in compliance with PCI security standards. Not only is it at risk of financial penalties, but it is also unable to meet its monthly compliance-reporting burden to the card associations. While the bank has encouraged its merchants to comply, the costs to the merchants of doing so are prohibitive. A compliance program that the bank has tried to initiate with merchants has had little impact.
CAPITALIZING ON THE OPPORTUNITY
Panoptic Security, a start-up company founded in 2007, is one of the firms developing new approaches to help small merchants bridge the gap between their security needs and the resources required to meet them, by providing the necessary security resources at a price merchants can afford.
The company’s founders, Tim Cranny, Michael Wright, Peter Boucher, and Jim Kilgour—all experts in the security industry—recognized that most small business owners don’t have the means to assess their security needs and come up with solutions on their own. Hence, the founders developed an “expert systems” model to assess a merchant’s security needs.
Panoptic allows merchants to assess their security needs online for free. The company then provides low-cost solutions to bring the merchants into security compliance. The company also partners with other security firms to provide prospective clients with a full range of security services. Panoptic helps merchants, banks, and independent service organizations (ISOs) become security compliant by helping them understand what they need to do and then helping them do it for a small monthly fee. By recognizing this opportunity to help other companies, Panoptic has brought benefits to itself as well as to many other small businesses that needed help becoming PCI compliant.
Several other companies have recognized this need for increased security and have risen to the challenge of satisfying both traditional and online shoppers. Qualys [1] and Comodo HackerGuardian [2], among others, also offer security services. The VeriShield System by VeriFone [3] and Magnesafe by MagTek [4] are devices that encrypt credit card information as soon as a cashier or a customer swipes the card through the PIN pad at the register, so that the card data is unreadable to an attacker even if the attacker were adept enough to get into the store’s systems. MAXX Business Solutions offers merchants a free upgrade on credit card processing equipment to help their customers feel safe with up-to-date technology that ensures maximum protection. [5]
Another weakness in security involves email. Information security and compliance management firm Trustwave considers email to be a primary and secondary attack vector for fraud schemes. Trustwave’s mailMAX product is a robust email filter that protects end users from invasive and destructive phishing and pharming scams. [6]
A recent case study by PC Universe shows how companies who help other businesses with security issues can benefit everyone involved.
Hacker Safe Search Feed is a service that automatically integrates the Hacker Safe seal into comparison-shopping listings. In the first month after implementing Hacker Safe Search Feed on PriceGrabber.com, revenue on traffic from that site increased 109 percent for PC Universe Inc., while average order value increased more than 22 percent. During the same time period, revenue on traffic from comparison sites without Hacker Safe Search Feed dropped 50 percent.
“Hacker Safe drives more clicks from comparison shopping sites when we’re looking for ready-to-buy consumers, and it helps us convert better after shoppers arrive on our landing pages,” says Patrick Colletta, PC Universe director of e-commerce. PC Universe first tested Hacker Safe on its own site, in which half the visitors saw the Hacker Safe seal and half did not. During that test 7.3 percent more orders came from Hacker Safe shoppers than from the control group.
Even established companies are getting in on the act by developing new tactics to help other businesses increase security. For example, SonicWALL, founded in 1991, provides internet security solutions and appliances to businesses around the world. The company recently announced that it was helping merchants meet broadband security requirements by installing firewall devices and wireless LAN security products that protect customers’ information as it is sent through cyberspace. [7]
As a result of the increased need for security, many firms are rising to offer innovative solutions. This should help customers breathe easier as they type in their credit card numbers or hand their cards to cashiers. Merchants who act quickly to implement security measures may subsequently avoid fines and penalties while building revenue and enhancing customer trust.
CONCLUSION
By capitalizing on the market to help proprietors become PCI compliant and more secure, many new companies have found a profitable niche. Seizing such opportunities is what entrepreneurship is all about—finding a need and filling it. The benefits are tangible—especially if you want to avoid a $2,500 lunch tab.
FINES AND PENALTIES FOR NONCOMPLIANCE WITH SECURITY STANDARDS
The following fines may be imposed upon merchants that do not comply with PCI Data Security Standards, Visa’s Cardholder Information Security Program (CISP), or MasterCard’s Secure Data Protection program (SDP).
VISA
Fines for noncompliance with CISP
- First violation—$50,000 fine
- Second violation—$100,000 fine
- Third violation—Discretion of Visa USA
MASTERCARD
Fines for noncompliance with SDP
- First violation—Warning letter and up to $2,000 fine
- Second violation—Up to $2,000 fine
- Third violation—Up to $25,000 or merchant termination or both
COMPROMISED MERCHANT LIABILITIES
If a merchant is compromised, it may be subject to the following liabilities in addition to the fines associated with noncompliance:
- All fraud losses perpetrated using the account numbers associated with the compromise (from date of compromise forward)
- Cost of reissuance of cards associated with the compromise (approximately $50 per card)
- Any additional fraud prevention/detection costs incurred by credit card issuers associated with the compromise (e.g., additional monitoring)
Article written by W. Gibb Dyer Jr.
Illustrations by Gordon Studer
ABOUT THE AUTHOR
W. Gibb Dyer Jr. is the O. Leslie Stone Professor at the Marriott School. He earned his PhD from the Massachusetts Institute of Technology. He would like to thank the management team of Panoptic Security (www.panopticsecurity.com) for its help in preparing this article.
NOTES
1. www.qualys.com
2. www.hackerguardian.com
3. www.verifone.com
4. www.magtek.com
5. www.cmscreditcards.com
6. www.greensheet.com
7. news.moneycentral.msn.com