Cyber Criminals Set their Sights on SMBs

Visa SVP Eduardo Perez discusses the security issues small and midsized businesses face and how to protect themselves from a data breach.

News about cyber attacks impacting major brands and millions of customers has become a regular headline. However, far less attention is paid to small and medium-sized businesses. While the news that a local brand or boutique suffered a data breach may not be as eye-catching, these types of cyber attacks are more common, according to Visa, Inc.

In fact, more than 90 percent of cyber attacks investigated by Visa involve payment networks for small businesses where personal customer data may have been stolen. But SMB merchants often lack the resources and staff to address these issues as quickly as a large enterprise. 1to1 Media spoke with Eduardo Perez, senior vice president of payment system risk at Visa, about what small businesses can do to protect themselves from cyber criminals.

1to1 Media: How do cyber attacks on SMBs compare with those aimed at large enterprises? Do they occur as frequently as the ones we hear about in the news?

Eduardo Perez: There are more headlines about larger companies with recognizable brand names getting hit by cyber attacks, but the vast majority of the compromises that we see in the payments system happen to small and medium-sized merchants. There's a good study from Symantec that reports 3 out of 5 cyberattacks in 2014 were targeted at SMBs. We've found similar results. From our perspective, more than 95 percent of attacks involved SMBs.

What are the cyber attack tactics that are being used on SMBs?

EP: Something that we've seen affect small and medium-sized businesses in particular is data breaches from weaknesses in point-of-sale (POS) integrators and resellers. These vendors support small merchants with integrated payment applications that they install and maintain with remote access into the merchant's payment environment. An integrated POS system may also allow the merchant to integrate things like a menu or accounting practices and other applications to leverage the information that they want to link to the sale of their goods and services.

The problem is that a number of POS integrators and resellers use default and static passwords across the merchants that they're supporting. So hackers have been compromising the POS integrator's username and password to install malware that allows them to collect payment data that they can sell on the black market or create duplicate cards.

What should merchants and vendors do to minimize their exposure to these attacks?

EP: A couple things. Number one, the retail industry is moving to adopt the EMV (Europay, MasterCard and Visa) chip card technology and so we're making the point that merchants of all sizes should look to deploy EMV chip terminals. We encourage merchants to also ensure that their POS integrator or reseller has been qualified by the PCI Security Standards Council. The Council also runs a program called the Qualified Integrator and Reseller program, which focuses on ensuring that vendors receive proper training on the latest security measures.

Also, it's important to ensure that a merchant's partner has strongly protected remote access when they enter a merchant's POS data environment. One of the things we've noticed is that in a number of cases, POS resellers tend to use weak remote access to access the merchant's card or payment data environment, which ultimately allows hackers to obtain that integrator's static password and username to access the merchant's systems.
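The two weaknesses Perez describes in the answers above (default passwords, and one static password reused across every merchant an integrator supports) are easy to audit for on the defender's side. The script below is an added example, not code from Visa, 1to1 Media or any POS vendor: it takes a constructed inventory of integrator remote-access accounts, flags default passwords and cross-merchant reuse, notes where MFA is missing, and reports how many merchants a single stolen password would open. The default-password list and all account records are constructed sample data; no real vendor values appear.

```python
"""Added example (not part of the 1to1 Media interview): audit an integrator's
remote-access accounts for the credential weaknesses described above.
All account records and the default-password list are constructed samples."""

from collections import defaultdict
import hashlib

# Constructed list of default credentials an integrator might ship with.
# Hypothetical values, not taken from any real vendor.
DEFAULT_PASSWORDS = {"admin", "password", "pos1234", "install"}

# Constructed inventory of remote-access accounts an integrator holds for
# the merchants it supports: (merchant_id, username, password, mfa_enabled).
SAMPLE_ACCOUNTS = [
    ("merchant-001", "svc_integrator", "pos1234", False),
    ("merchant-002", "svc_integrator", "pos1234", False),
    ("merchant-003", "svc_integrator", "pos1234", True),
    ("merchant-004", "svc_integrator", "Kq9!vL2#mTz8", True),
    ("merchant-005", "svc_integrator", "Xw3$pR7&nBc4", True),
    ("merchant-006", "svc_integrator", "password", True),
]


def _fingerprint(password: str) -> str:
    # Hash the password so the report never prints it in clear.
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def audit_remote_access(accounts):
    """Return a dict of findings keyed by merchant id.

    A merchant is flagged when its integrator account uses a known default
    password, shares its password with another merchant, or has no MFA.
    """
    by_fingerprint = defaultdict(list)
    for merchant, _user, password, _mfa in accounts:
        by_fingerprint[_fingerprint(password)].append(merchant)

    findings = {}
    for merchant, _user, password, mfa in accounts:
        issues = []
        if password in DEFAULT_PASSWORDS:
            issues.append("default-password")
        shared_with = [m for m in by_fingerprint[_fingerprint(password)] if m != merchant]
        if shared_with:
            issues.append("shared-with:" + ",".join(sorted(shared_with)))
        if not mfa:
            issues.append("no-mfa")
        if issues:
            findings[merchant] = issues
    return findings


def reuse_blast_radius(accounts):
    """Largest number of merchants reachable with one stolen password."""
    by_fingerprint = defaultdict(set)
    for merchant, _user, password, _mfa in accounts:
        by_fingerprint[_fingerprint(password)].add(merchant)
    return max((len(m) for m in by_fingerprint.values()), default=0)


if __name__ == "__main__":
    for merchant, issues in sorted(audit_remote_access(SAMPLE_ACCOUNTS).items()):
        print(f"{merchant}: {', '.join(issues)}")
    print("merchants exposed by one stolen password:", reuse_blast_radius(SAMPLE_ACCOUNTS))
```

On the sample data the shared `pos1234` account turns one compromised credential into access to three merchants, which is the pattern Perez describes; the fix the audit points toward is a unique credential per merchant with MFA on the remote-access path.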

How are you educating merchants about strengthening their security methods?

EP: We've been communicating with merchants and industry groups like the National Restaurant Group and partners to put the information out there and help merchants take steps to protect themselves. We also have a Cardholder Information Security Program that has alerts about common vulnerabilities and other information that supports merchants.

How are you measuring the results of these efforts?

EP: We know by virtue of getting the word out that we're seeing more POS integrators go through the PCI Security Standards Council's program and we continue to work with industry groups that have relationships with POS integrators like the Retail Service Provider Association to get the message out about proactive proper security hygiene.

Are you seeing an increase in attacks aimed at merchants that offer contactless payments like Apple Pay?

EP: First, I should talk about the security technology. Apple Pay is one of the most exciting technologies that we've put on the marketplace. That technology leverages EMV chip technology and tokenization, which we consider to be two powerful tools to help better protect cardholder data. EMV chip technology generates a unique code for each transaction, and it makes it nearly impossible for fraudsters to obtain that data. And tokenization in the case of Apple Pay replaces your card number with a Visa-provisioned token (other card brands provide their own tokens).

So if the data were compromised, the fraudsters would obtain an EMV chip transaction with a tokenized primary account number, making the data useless to use in another context, such as to create a counterfeit card. Because of that, we don't typically see attacks that try to use this information to perpetuate fraud. Tokenization and the chip combo is also being used in other platforms that are being brought to market like Samsung Pay and Android Pay. If your data is compromised, Visa offers resources on its website and lots of good consumer and business information can also be found about the Visa chip technology here.

But merchants should always remain vigilant and report suspicious activity to their fraud department or authorization center. Any system that contains valuable information will be a target and so merchants must do everything they can to secure their environment and any data systems about their customers.
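The answer above rests on two properties: a token stands in for the card number and is only usable in the context it was issued for, and each chip transaction carries a unique code that cannot be replayed. The toy model below is an added example, not Visa's token service or an EMV implementation: it uses a random token bound to a constructed "domain" label, a vault that refuses to resolve the token from any other domain, and an HMAC over a counter as a stand-in for the per-transaction cryptogram (real EMV cryptograms are derived differently). The sample PAN is a standard test number; the domain labels, key and token format are constructed for illustration.

```python
"""Added example (not Visa's code): a toy token vault plus a replay-rejecting
issuer, illustrating why captured token data is useless in another context.
Domain labels, token format and the HMAC-based transaction code are constructed
stand-ins, not the real payment-token or EMV mechanisms."""

import hashlib
import hmac
import secrets


class TokenVault:
    """Maps random tokens to PANs; only the vault can reverse a token."""

    def __init__(self):
        self._tokens = {}  # token -> (pan, bound_domain)

    def tokenize(self, pan: str, domain: str) -> str:
        # The token is random, so nothing about the PAN can be derived from it.
        # The last four digits are kept so receipts stay recognizable
        # (a common convention; the exact format here is an assumption).
        token = "tok_" + secrets.token_hex(8) + pan[-4:]
        self._tokens[token] = (pan, domain)
        return token

    def detokenize(self, token: str, requesting_domain: str):
        """Return the PAN only when the request comes from the bound domain."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        pan, domain = entry
        if domain != requesting_domain:
            return None  # token presented outside its context: refused
        return pan


def per_transaction_code(key: bytes, token: str, counter: int) -> str:
    """Stand-in for the unique per-transaction value a chip produces.

    An HMAC over the token and a counter: each transaction's code differs,
    and a captured code is tied to one counter value.
    """
    msg = f"{token}:{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Issuer:
    """Verifies per-transaction codes and rejects replays."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen = set()

    def authorize(self, token: str, counter: int, code: str) -> bool:
        expected = per_transaction_code(self._key, token, counter)
        if not hmac.compare_digest(expected, code):
            return False
        if (token, counter) in self._seen:
            return False  # replaying a captured code is refused
        self._seen.add((token, counter))
        return True


def demo():
    """Run the scenario from the text; returns the observed properties."""
    vault = TokenVault()
    pan = "4111111111111111"  # standard test PAN, constructed sample
    token = vault.tokenize(pan, domain="wallet:device-A")
    key = secrets.token_bytes(32)  # constructed issuer key
    issuer = Issuer(key)
    code = per_transaction_code(key, token, counter=1)
    return {
        "token_hides_pan": pan not in token,
        "own_domain_ok": vault.detokenize(token, "wallet:device-A") == pan,
        "other_domain_rejected": vault.detokenize(token, "web-checkout:merchant-X") is None,
        "first_use_ok": issuer.authorize(token, 1, code),
        "replay_rejected": not issuer.authorize(token, 1, code),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point for a merchant is the data at rest in its environment: with this design a breach yields a token and a spent one-time code, neither of which reproduces the card number or authorizes a new transaction elsewhere.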