Merchant Services: Making POS Security a Priority

A recent national news story really drove home the important message that no business is safe from hackers and identity thieves, and that all businesses need to make point-of-sale (POS) security a top priority. Luckily, there are merchant services available to get the job done.

From 2008 to 2011, Romanian hackers allegedly perpetrated a multimillion-dollar cybercrime against hundreds of small retailers – including more than 150 Subway restaurant franchises – that racked up more than $3 million in fraudulent charges. According to the indictment filed in U.S. District Court in New Hampshire, the thieves victimized over 80,000 people by hacking into POS checkout terminals and implanting malware on the machines that allowed them to capture the cardholders’ personal and account information. After dumping the stolen data on several different sites, they transferred it to other sites where they could share it with computers they controlled. The identity thieves used some of the information to create fraudulent credit cards to make unauthorized charges. The rest of the stolen data was sold to other criminals in cyberspace.

The four defendants – three of whom are in custody – have been charged with numerous counts of fraud, and they each face dozens of years in prison if they are convicted and maximum sentences are imposed.

According to the Federal Trade Commission, the identities of as many as 9 million Americans are stolen each year. Two of the most common ways that identity thieves obtain the information are by illegally gaining access to and tampering with information in a computer system (hacking) and by stealing credit or debit card numbers using a storage device when processing a card (skimming). Merchants who accept credit cards need to be aware of both techniques and be vigilant against them.

One way to do so is to make sure their credit card processing systems are PCI compliant; that is, that they adhere to strict requirements issued by the Payment Card Industry Security Standards Council. Reputable merchant services providers usually provide a PCI compliance program to their member merchants, and some offer a security program that helps cover expenses arising from a data breach.

Investigators in the Subway hacking determined that while the parent company had provided the necessary security requirements, some of the franchisees disregarded the standards and left themselves wide open to the identity thieves. “These people weren’t thinking about point of sale security – they were just thinking about making a sandwich,” commented one audit and compliance manager for an IT security firm.

Protecting all computers from hackers is important, but protecting a POS system is crucial to your business and your customers’ welfare as well. PCI compliance must be a primary focus of all merchants, regardless of the size of their operation. As this hacking incident underscores, identity thieves often target small businesses because they believe they are less likely to be security conscious. In other words, the smaller the business, the bigger the target.

