This blog post was originally posted on Instabill’s satellite website, Instabill.info, on June 12, 2015 with the help of Ed Black, a former PCI Director at Comodo, now a Territory Manager at Heartland Payment Systems.
Ed Black says the worst thing a small business owner can believe is that his/her company is safe from hackers, simply because hackers don’t target small businesses.
As the former PCI Director at Comodo, an internet security provider in Clifton, NJ (currently a Territory Manager at Heartland Payment Systems), he has news for anyone who believes as much: It’s not only the Targets, Home Depots and PF Changs of the world that are in the crosshairs. Small business hacking is unfortunately just as common.
A June 2015 news item in The New York Times revealed that half of the nearly 700 small businesses surveyed by the National Small Business Association reported infiltration of their data systems, up 44 percent from a year ago. More than two-thirds of those businesses were hit twice.
Why Are Hackers Targeting Small Businesses?
When he trained small businesses to use his former company’s PCI DSS program, Mr. Black would offer a disturbing figure: 85 percent of all data breaches occur in small businesses, he says. More disturbing, he added, is the average exposure of a breach: 197 days. “How many unique credit/debit cards are captured during that time?” he asks incredulously.
Small businesses are attractive to hackers because most have bare-bones security measures that are easily penetrated. Hackers then intercept credit card data maintained by the business – usually a retailer or restaurant – and quickly sell the information on rogue websites such as rescator.cc, a well-known site selling hacked credit card numbers.
“Most merchants don’t understand what PCI compliance is supposed to do,” Mr. Black said. “They’re not experts in IT. It’s intimidating. Merchants wrap themselves in excuses such as, ‘We’re too small, it won’t happen to us. They’re only looking for the big guys … Target, Home Depot and the IRS.’ These are the objections we need to help them overcome.”
Who Is Behind Small Business Hacking?
At the 2014 Merchant Payments Ecosystem trade show in Berlin, this very question was asked during a seminar. The response from a panelist was immediate: Eastern Europeans, mostly male, some as young as late teens. The Times article makes reference to the same.
Hackers Will Focus on E-Commerce
As the US migrates to EMV chip-enabled credit cards beginning Oct. 1, 2015, hackers will likely turn to e-commerce websites, as they did in Europe and Canada. Mr. Black has seen e-commerce merchants begin to adopt more aggressive defenses to ward off hackers.
“E-Commerce merchants really need to pay attention. There are two significant events this year that will greatly affect the way they do business,” he said. “PCI DSS 3.1 goes into effect at the end of this month, and the EMV liability shift goes into effect in October this year. Based on experiences of other countries, we know this means hackers will turn their attention to card-not-present fraud attempts.”