Security cameras and lighting installed: check. State-of-the-art locks and alarms in place: check. Your self-storage facility is up-to-date security-wise, but your credit card processing protections may leave a gaping hole for cyber-thieves to crawl through.
And crawl through, they do. According to a May 2012 Retail Info Systems News article, “Customer Records Targeted in 89% of 2011 Data Breaches… Forget cash, jewels, precious metals or fine art masterpieces. The most attractive ‘loot’ for today’s thieves is customer data – at least for the cyber-criminals. Customer records – including credit card numbers, Personally Identifiable Information (PII) and e-mail addresses – were the target in 89% of investigated data breaches in 2011, according to the Trustwave 2012 Global Security Report. E-mail addresses can be used for simple phishing or more sophisticated, targeted attacks.
“‘Information systems involved with payment processing continue to be the Achilles’ heel of the payment industry and represent the easiest way for criminals to obtain payment card magnetic stripe data en masse,’ according to the annual report, which is based on Trustwave’s analysis of investigations, research and client engagements conducted throughout 2011. ‘Once magnetic stripe data is obtained, attackers are able to perform fraud by encoding stolen data onto legitimate or counterfeit cards, subsequently purchasing goods and services.’
“The report adds that point-to-point encryption (P2PE) solutions, ‘while not bulletproof, have the potential to lower the risk of POS system breaches.’ Properly configured P2PE technology can ‘dramatically reduce the currently broad attack surface of payment systems, whether data is sent between merchants and their payment processing banks, or via the merchant’s own internal systems.’”
Besides loss of reputation and business, data breaches can be extremely expensive. According to Bruce Speegle, senior account manager for SG-Associates LLC, “The minimum fine in a data breach can be $10,000 per customer. That can be a ton of money.”
What can a self-storage owner do to lower risk of a data breach? There are several tiers to consider:
- Seek out a competent third party to make sure credit card information is held secure. This can be a place to start, but certainly isn’t the place to stop. Notes the Retail Info Systems article, “In 76% of incident response investigations, a third party responsible for system support, development and/or maintenance of business environments introduced the security deficiencies.”
- Ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS). Retail Info Systems reports in a PCI compliance article: “…64% of PCI DSS compliant organizations reported that they did not suffer any type of data breach in 2010, while only 38% of non-compliant organizations reported that they were not involved in any type of breach during the same timeframe. The statistics are clear: PCI compliant organizations better protect their data and have less of a chance of getting breached, when compared to non-compliant organizations.” However, the article adds, “In order to meet PCI compliance requirements, merchants must regularly conduct costly audits to prove that they are in fact meeting PCI DSS and implementing firm security measures to protect sensitive data.” So, it’s not cheap or easy.
- Stay current on established protection protocols such as encryption, and newer technologies. Retail Info Systems addresses tokenization, noting, “Tokenization is the process of protecting sensitive data by replacing it with alias values or tokens that are meaningless to someone who gains unauthorized access to the data. Tokens are characterized by randomness, so even if a thief obtains a token, it has no value — unlike encryption which is based on a mathematical formula…merchants are mostly dealing with tokens as opposed to the original data and primary account numbers (PAN) are only required at authorization and settlement. This limits retailer exposure to sensitive data, reducing PCI scope, and lowers PCI compliance costs because tokenization does not require annual reencryption that PCI DSS requires with pure encryption strategies.” According to the article, a tokenization survey showed that it reduced PCI audit time by 50%, lowered maintenance cost, and heightened security.
- Recheck everything with someone who knows the industry and possibly has some skin in the game. Speegle sometimes plays this role for clients, noting that it’s in his best interest to make sure his clients are compliant.
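To make the tokenization point concrete, here is an added illustration (not code from the article, Retail Info Systems, or any vendor it names) of why a stolen token “has no value”: the merchant-side rental record holds only a random token and a masked display string, while the PAN lives in a separate vault that releases it only for authorization and settlement. The `TokenVault` class, the `record_rental` function and the well-known test card number 4111111111111111 are constructed for this example.

```python
import secrets
from typing import Dict


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used only to reject malformed input before tokenizing."""
    digits = [int(c) for c in pan]
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return len(digits) >= 13 and checksum % 10 == 0


class TokenVault:
    """Stand-in for the PCI-scoped token service. The merchant never holds this mapping."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._token_by_pan:           # same card -> same token, so repeat tenants match
            return self._token_by_pan[pan]
        token = "tok_" + secrets.token_hex(16)   # random: no formula links it back to the PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, purpose: str) -> str:
        """The PAN is released only for the two steps the article names."""
        if purpose not in ("authorization", "settlement"):
            raise PermissionError(f"PAN not released for purpose {purpose!r}")
        return self._pan_by_token[token]


def mask(pan: str) -> str:
    """Display form kept by the merchant: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


def record_rental(vault: TokenVault, unit: str, pan: str) -> dict:
    """What the self-storage system stores: token and mask, never the PAN."""
    return {"unit": unit, "card_token": vault.tokenize(pan), "card_display": mask(pan)}
```

A breach of the rental database then yields tokens that are useless without the vault, which is exactly what keeps the merchant's systems out of PCI scope.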