February 03, 2015

Credit Card Fraud: Smaller Merchants Stand to Lose a Lot

Every time a mega breach is reported in the news, it seems the focus is just on that company.

But the fallout reaches much further than that.

Of course, mega data breaches result in hundreds of millions of exposed identities – and vulnerable consumers.

At the same time, smaller merchants can find themselves in trouble too.

In 2014, the average merchant suffered 133 successful fraudulent transactions per month, up 46% from the previous year.

Consider that the 2014 LexisNexis True Cost of Fraud Study also showed that in 2013, an average merchant lost about 68% of annual income to fraud. Merchants also incurred other losses, penalties and chargeback fees totaling $3.08 per dollar of fraud (compared to $2.79 the previous year). 

The more data breaches there are, the more all merchants are at risk of fraud – due to the volume of stolen personal information in circulation.

Here’s how a mega breach can play out and affect a small merchant. 

The Breach: Criminals use sophisticated programs to hack into merchants’ databases and steal personally identifiable information such as credit card and debit card details. Stolen credit card numbers are often sold on illegal online black markets.

Credit Card Fraud Detection: The company detects a breach (anywhere from immediately to days or even months after it has occurred) and puts a response plan in motion, including notifying the credit card company so cardholders’ cash is sealed. (However, at least one transaction is made with 70% of stolen cards, said Trend Micro executive Tom Kellermann in an online Bloomberg Businessweek story.)

Credit Card Fraud Charges and Cost: The company that experienced the breach has to deal with damage done to its reputation, bottom line, and share price. Credit card owners, while not held responsible for illegal purchases, have to deal with the hassles of a breach. Small merchants may be on the hook if they mistakenly accepted stolen credit cards. If they can’t prove the ‘authenticity’ of a purchase, they have to pay a ‘chargeback’ fee for letting thieves use the stolen cards. At the same time, a small business may never get paid for a product it has shipped or ‘sold’.

To protect organizations of all sizes from a security breach:

  • Establish a culture of security with information security policies and procedures.
  • Know your data. A Symantec report advises that protection focus on the information. “Understand where sensitive data resides and where it is flowing to help identify the best policies and procedures to protect it.”
  • Stay ahead of data security requirements. Use the latest protection technology, including data loss prevention, network security, endpoint security, encryption, strong authentication, firewalls, and anti-virus software. EMV chip technology is expected to better protect credit card information at the POS.
  • Educate employees. Provide guidance on information protection, including policies and procedures for protecting sensitive data on personal and corporate devices.
  • Destroy all confidential information that is no longer needed. Partner with a shredding company and securely shred paper documents. The company should also provide e-media and hard drive destruction services.

Security experts in this podcast provide more insights on how small businesses can protect themselves from data breaches.