By John Stephens
For the Oregon Beer Growler
It still boggles my mind that we ever used personal checks to pay for business transactions. “Here, let me give you this piece of paper with my name, address, phone, bank and account information already on it, as well as my signature. What’s that? You want my driver’s license number too, just to prevent fraud? Sure, here you go.”
The only thing we didn’t hand over was our Social Security Number — and I bet many would have written that out as well for the vendor, if asked! We were trusting that the vendor (and all the hands our check would pass through) would protect our information and use it only for the transaction we agreed upon.
Thank goodness we now have credit and debit cards that make it easier, faster and safer to do business … or do they? As digital security professionals we hear it all the time: “I only process a few dozen/a hundred transactions a year, therefore I: a.) don’t have to worry about payment card industry (PCI) compliance, b.) don’t have much, if any, risk, and c.) am not a target for the ‘bad guys.’” Wrong, wrong and WRONG.
Even a small business owner has to comply with PCI, and the easiest first step to protecting yourself is to shift your risk to a third party.
If you truly only perform a small number of transactions per year, look at using services that provide a device that connects to your smartphone or tablet such as PayPal Here, Square or Intuit’s GoPayment (which ties into QuickBooks). For greater volume, you’ll want to look at a hard-wired, dial-up terminal that requires an old-fashioned land line.
If you use a computer for your Point-of-Sale system, beware. You need to ensure that you’re encrypting transactions, not storing credit card data and not relying on a Wi-Fi network where other devices can “see” your computer. Even more dangerous is using a public or open Wi-Fi network for your connectivity; just don’t do it — it’s the equivalent of writing your information on a Post-it and sticking it on the community board hoping no one will notice the private details you are sharing.
Final “pro tip” for small businesses that process credit cards: At some point you have answered, or will be asked to answer, a Self-Assessment Questionnaire (SAQ) from your merchant services provider. Be sure you know and understand what you are answering “Yes” or “No” to, instead of just blindly going through and ticking off boxes as if you were taking an honors chemistry exam that you didn’t study for. Sure it gets you through that boring paperwork, but the problem is when — and if — a data incident or breach happens, your merchant will review that document and happily pass on all the risk (and costs) to you when they see you answered incorrectly.
P.S. Don’t think that purchasing cyber-liability insurance is a “get out of summer-school free” card. Insurance companies will also look to see what steps you have/haven’t done to protect the data and will deny your claim faster than a prom queen shooting down the AV Club president’s request for a date.
John Stephens is managing partner of Luminant Digital Security.