Understanding The Three Most Common Types Of Data Breaches: Physical, Electronic & Skimming
This article is provided in partnership with our sponsor, Bank of America Merchant Services.
To underline the importance of small business data security, here’s an overview of the most common types of data breaches and the industries that tend to be most affected by them.
As it relates to merchants, Bank of America Merchant Services defines a physical breach as “the physical theft of documents or equipment containing cardholder account data.” A physical breach scenario would involve thieves breaking into your establishment and stealing Point of Sale (POS) terminals, laptops or even hard copies of merchant receipts with the intent of acquiring credit card numbers and related information. It could also involve an attacker calling your business posing as a computer technician and talking an employee into reprogramming a terminal so that it can be accessed remotely; employees should verify any such request by calling your processor back on a number you already have on file before changing terminal settings. While the physical theft of customer data represents only 17 percent of all data breaches, the California Dental Association¹ reports that it accounts for more than half of the breaches in the health care field. Best practices to prevent physical data breaches include following the procedures laid out in the Payment Card Industry Data Security Standard (PCI DSS), establishing a data handling policy that all of your employees must follow, and securing all devices and files that contain payment card data in safes or locked cabinets.
Bank of America Merchant Services defines an electronic data breach as “the unauthorized access or deliberate attack on a system or network environment where cardholder data is processed, stored or transmitted.” Recent high-profile instances of electronic data breaches include the hacking of a big box retailer that gave thieves access to payment card data belonging to 40 million people, and a fast food restaurant franchise that had the POS systems at 150 of its stores compromised, leading to millions of dollars in unauthorized transactions. According to a report by Gemalto², a digital security company, retail electronic breaches accounted for “55 percent of all the records involved in data breaches” in 2014. Since the retail breaches listed above were carried out with malware, it is strongly recommended that merchants follow the PCI DSS requirements for protecting stored cardholder data and encrypting it when it is transmitted. Additional best practices include replacing vendor-supplied default passwords on your payment processing systems with strong, unique ones, and maintaining up-to-date anti-malware software on all of your computer systems, including any mobile devices that use your company’s secured Wi-Fi®.
Bank of America Merchant Services describes skimming as “the capture and recording of card magnetic stripe data using an external device which is sometimes installed on a merchant’s Point of Sale System.” According to Verizon’s 2015 Data Breach Investigations Report³, skimming accounts for only 3.1 percent of U.S. data breaches. Because gas station operators do not have a direct line of sight to all of their pumps, retailers in the petroleum industry are often targeted by fraudsters. For example, in April 2015, it was discovered that 80 different Florida gas stations had skimmers installed on their pumps. To avoid skimming breaches, petroleum retailers should employ security procedures that include monitoring their pumps, placing tamper-evident seals on pump panels, and regularly inspecting their POS terminals against a list of the serial numbers they expect to find.
The EMV®⁴ Changeover
A recent change in how payment cards are processed allows small business owners to reduce their risk of being defrauded. EMV is a secure payment card-processing standard that most international markets have used for years. Named for Europay, MasterCard® and Visa®, EMV is known as “chip” card technology in the U.S. and has been implemented by the major card brands. EMV chip card technology heightens security by authenticating the card with data that changes on every transaction, which reduces the value of stolen data by helping prevent criminals from successfully completing face-to-face fraudulent card transactions.
Merchants that are not EMV enabled as of October 1, 2015, may be liable for counterfeit transactions and for transactions made with lost or stolen cards. Liability falls on the party that has not upgraded to chip, whether that is the issuer or the merchant/retailer. If both are EMV enabled, then the issuer is responsible in most cases.
Data Breaches and EMV
For retailers to become EMV compliant, they need to ensure their Point of Sale (POS) system can accept chip cards. EMV technology is stronger than traditional magnetic stripe cards because the stripe carries the same static data on every swipe, so whatever a thief captures through a physical, electronic or skimming breach is enough to encode a counterfeit card, whereas a chip produces dynamic data for each transaction that a thief cannot replicate without the card’s secret key. As a comprehensive EMV white paper prepared by Bank of America Merchant Services points out, when the EMV standard was adopted in the United Kingdom, POS fraud dropped by 34 percent⁵. EMV addresses face-to-face fraud only; a stolen card number can still be used online, so chip acceptance complements rather than replaces the PCI DSS controls described above. With the opportunity to make such a significant decrease in fraud, data security conscious small business owners should consider becoming EMV enabled.
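The following is an added illustration (not part of the original article and not Bank of America Merchant Services’ or EMVCo’s code) of the static-versus-dynamic point made in the skimming and EMV sections above. It models a skimmed Track 2 stripe that an issuer will accept again and again, beside a simplified chip flow in which the terminal supplies a fresh unpredictable number and the card answers with a counter and a keyed MAC. The MAC here is HMAC-SHA256 over a handful of fields, the per-card key is shared directly with the issuer, and the Track 2 string is a constructed sample using the 4111... test number; real EMV derives session keys from an issuer master key and computes its cryptogram over a defined list of data elements, so treat this as a model of the security property, not of the protocol.

```python
import hashlib
import hmac
import secrets

# Constructed sample Track 2 data (ISO/IEC 7813 layout: PAN '=' YYMM
# service-code discretionary-data). 4111... is a standard test PAN.
SKIMMED_TRACK2 = "4111111111111111=2512101123456789"


def parse_track2(track2):
    """Split Track 2 into fields. Every field is static, so a skimmer that
    records the string has everything needed to encode a counterfeit stripe."""
    pan, rest = track2.split("=")
    return {"pan": pan, "expiry": rest[:4],
            "service_code": rest[4:7], "discretionary": rest[7:]}


def chip_mac(key, pan, amount, unpredictable_number, atc):
    """Stand-in for the EMV application cryptogram (assumption: HMAC-SHA256
    instead of the real key-derivation and MAC scheme)."""
    msg = f"{pan}|{amount}|{unpredictable_number}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class ChipCard:
    """Card side: holds a secret key and a monotonically increasing
    Application Transaction Counter (ATC)."""
    def __init__(self, pan, key):
        self.pan, self.key, self.atc = pan, key, 0

    def generate_cryptogram(self, amount, unpredictable_number):
        self.atc += 1
        return self.atc, chip_mac(self.key, self.pan, amount,
                                  unpredictable_number, self.atc)


class Issuer:
    """Toy issuer host that authorizes both stripe swipes and chip cryptograms."""
    def __init__(self):
        self.stripes = {}    # pan -> expiry on file
        self.chip_keys = {}  # pan -> per-card key (assumption: shared directly)
        self.last_atc = {}   # pan -> highest ATC accepted so far

    def enroll(self, pan, expiry, chip_key):
        self.stripes[pan] = expiry
        self.chip_keys[pan] = chip_key
        self.last_atc[pan] = 0

    def authorize_magstripe(self, track2):
        # Nothing in the swipe proves the card is present; a replay looks identical.
        f = parse_track2(track2)
        return self.stripes.get(f["pan"]) == f["expiry"]

    def authorize_chip(self, pan, amount, unpredictable_number, atc, cryptogram):
        key = self.chip_keys.get(pan)
        if key is None or atc <= self.last_atc[pan]:
            return False  # unknown card, or counter already used (replay)
        expected = chip_mac(key, pan, amount, unpredictable_number, atc)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # wrong key or data from a different transaction
        self.last_atc[pan] = atc
        return True


def new_unpredictable_number():
    """Terminal side: a fresh nonce bound into every chip transaction."""
    return secrets.token_hex(4)


def run_scenarios():
    """Run the stripe replay and three chip attacks; return approval results."""
    issuer, key = Issuer(), secrets.token_bytes(16)
    pan, expiry = "4111111111111111", "2512"
    issuer.enroll(pan, expiry, key)
    card, results = ChipCard(pan, key), {}

    # Stripe: the genuine swipe and the skimmer's replay are indistinguishable.
    results["stripe_legit"] = issuer.authorize_magstripe(SKIMMED_TRACK2)
    results["stripe_replay"] = issuer.authorize_magstripe(SKIMMED_TRACK2)

    # Chip: terminal picks a nonce, card signs it together with its counter.
    un = new_unpredictable_number()
    atc, crypt = card.generate_cryptogram("1000", un)
    results["chip_legit"] = issuer.authorize_chip(pan, "1000", un, atc, crypt)

    # Attacker replays the captured cryptogram at another terminal (new nonce).
    un2 = new_unpredictable_number()
    results["chip_replay_new_un"] = issuer.authorize_chip(pan, "1000", un2, atc, crypt)

    # Attacker replays the exact captured message: the ATC has already been used.
    results["chip_replay_same_un"] = issuer.authorize_chip(pan, "1000", un, atc, crypt)

    # Attacker knows PAN and expiry but not the card key: cannot forge a cryptogram.
    forged = hmac.new(b"guessed-key", b"1000", hashlib.sha256).digest()
    results["chip_forged"] = issuer.authorize_chip(pan, "1000", un2, atc + 1, forged)
    return results


if __name__ == "__main__":
    for name, approved in run_scenarios().items():
        print(f"{name:22s} approved={approved}")
```

The two stripe results come back approved while every chip replay and forgery is declined, which is the whole of the liability-shift argument: with a stripe the issuer cannot tell the merchant’s terminal from the fraudster’s. Note also what the model does not show: the PAN and expiry still leave the card in the clear, which is why EMV does nothing for card-not-present fraud.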
To learn more about data breaches, EMV and how it affects your business, visit http://merch.bankofamerica.com or contact a Bank of America Merchant Services business consultant.
¹ California Dental Association, http://www.cda.org/news-events/physical-theft-most-common-data-breach-in-practices
³ Verizon, 2015 Data Breach Investigations Report, http://www.verizonenterprise.com/DBIR/2015
⁴ EMV® is a registered trademark owned by EMVCo LLC in the U.S. and other countries, and an unregistered trademark elsewhere.
⁵ Why You Should Adopt EMV® Chip Card Technology; Bank of America Merchant Services, Oct 2015