Five Essential Tips for Small Business Data Security

05/13/2014 10:00 am ET

It's National Small Business Week. While this observance recognizes small business success, it also serves as a reminder of how important small businesses are to the economy. To keep their major footprint in commerce, small businesses must operate in ways that make customers feel welcome, personally catered to and safe. Marketing and promotion strategies can accomplish the first two, but are small businesses really doing enough to protect their customers' data and reassure them that their personal information is safe?

Given the increasing frequency and sophistication of cyber attacks in today's world, it is more important than ever for small businesses to understand the costly effects of a data breach and develop an approach to mitigate the risks. The cost of a data breach for a small merchant can be catastrophic. The lost business and resulting liability from such an event can create significant financial losses, but the damaged reputation could be even more difficult, if not impossible, to recover from.

A recent study from the Ponemon Institute shows that 90 percent of data breaches affect small merchants. Given that payment data is the target in 65 percent of breaches, small business owners should be concerned about the vulnerability of the sensitive payment data they handle every day, in multiple ways -- in person, online and even via mobile device.

Small businesses can protect their customers and themselves, even though there is no guarantee of complete immunity to the threat. By staying educated and understanding solutions and best practices that are available, small businesses can reduce the risk of a data breach with cost-effective options. Here are five essential steps to take:

  • Ensure PCI compliance: Compliance with the PCI Data Security Standard (PCI DSS) is the baseline, required level of protection. Non-compliance is not an option for a small business that wants to keep accepting the major credit and debit cards for its customers' convenience. More importantly, compliance is not a one-time audit: the PCI DSS requirements describe ongoing controls designed to minimize the risk of a data breach, and the standard is revised periodically so that merchants' measures keep pace with the evolving threat landscape. But PCI compliance is only the beginning.
  • Update POS systems: As more markets move to EMV, the technical standard that makes chip-based payment cards and terminals interoperable, a wide choice of devices is available for upgrading or replacing POS systems. An EMV-capable POS device reads the microprocessor chip embedded in the card, and the chip produces a unique cryptogram for each transaction, which makes the card far harder to counterfeit than a magnetic stripe. Smart chips also enable stronger cardholder verification, such as PIN entry, which helps prevent use of lost or stolen cards. One caveat: EMV protects the transaction at the terminal, not the card data as it travels through the merchant's own systems, and it does nothing for online orders, so it needs to be paired with the encryption and tokenization described below. Businesses of all sizes can't afford to skip this step.
  • Move to the cloud: The newest POS and management systems not only integrate multiple business functions but also store data in the cloud. The cloud is both more convenient and can be more secure than on-premises storage -- business owners can access data from anywhere at any time, and a reputable provider's scaled investment in security lessens the risk of a breach at the storage layer. Cloud providers also offer data backup, which is critical should the business experience a disaster. The caveat is that the provider secures its platform, not the merchant's accounts: a weak or reused password on the cloud dashboard hands an attacker the same data, so insist on strong, unique passwords and two-step (multi-factor) login for every user with access.
  • Layer with encryption and tokenization: Layering encryption and tokenization on top of an EMV-capable POS closes the gaps that EMV leaves open. Card data is exposed at two points in the transaction process: before authorization, while it travels from the terminal through the merchant's systems to the processor, and after authorization, while it sits in the merchant's records for refunds, recurring billing or reporting. Encryption at the point of interaction covers the first: the terminal encrypts the card number the moment it is read, so the merchant's POS software and network only ever handle ciphertext that only the processor can decrypt. Tokenization covers the second: once the payment is authorized, the processor returns a token, a substitute value that the merchant stores in place of the card number and that can be exchanged for the real number only by the processor's token vault. Data stolen in either form is of no value to cyber-criminals -- it is a meaningless, unusable string of characters -- provided the decryption keys and the token vault stay outside the merchant's environment.
  • Seek out a trusted advisor: Small business owners need a trusted advisor who can help them understand their data security responsibilities, review the available solutions and then implement a plan for long-term business protection. Business owners are not alone in protecting their customers' data. When working with a payment technology firm, make sure the firm treats data security as a high priority, offers guidance and provides solutions that mitigate the risk.
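The encryption and tokenization layers in the list above, as an added example that is not part of the original article and not any payment vendor's code. It models the flow in miniature: the terminal encrypts the card number before the merchant's POS software sees it, the processor decrypts and authorizes, and the merchant keeps only a token. Everything here is an assumption made for illustration: the cipher is an HMAC-SHA256 keystream with an HMAC tag standing in for the AES/DUKPT a real terminal uses, the vault is an in-memory dictionary standing in for an HSM-backed database, the token format (twelve random digits plus the card's last four, deliberately failing the Luhn check) is one common design rather than an industry rule, and the card number is a constructed test value, not a real account.

```python
import hashlib
import hmac
import secrets


def luhn_ok(number: str) -> bool:
    """Luhn check that real card numbers satisfy; tokens below are built to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# ---- Layer 1: encryption at the point of interaction (pre-authorization) ----
# Stand-in cipher (assumption): HMAC-SHA256 keystream plus an HMAC tag so the
# example runs on the standard library. Real terminals use AES, usually with
# DUKPT per-transaction keys. Do not reuse this construction in production.

def _subkeys(terminal_key: bytes):
    enc = hmac.new(terminal_key, b"poi-enc", hashlib.sha256).digest()
    mac = hmac.new(terminal_key, b"poi-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def poi_encrypt(terminal_key: bytes, card_data: bytes) -> bytes:
    """Terminal side: returns nonce || ciphertext || tag. Only this leaves the device."""
    enc_key, mac_key = _subkeys(terminal_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(card_data, _keystream(enc_key, nonce, len(card_data))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def poi_decrypt(terminal_key: bytes, blob: bytes) -> bytes:
    """Processor side: verify the tag first; anything altered in transit is rejected."""
    enc_key, mac_key = _subkeys(terminal_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# ---- Layer 2: tokenization at the processor (post-authorization) ----

class TokenVault:
    """Lives at the processor; the merchant never holds the vault or its index key."""

    def __init__(self) -> None:
        self._index_key = secrets.token_bytes(32)  # keyed index: same card -> same token
        self._token_by_index = {}
        self._pan_by_token = {}  # in a real vault this store is encrypted and HSM-backed

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _fresh_token(self, last4: str) -> str:
        # Twelve random digits plus the last four (kept for receipts). Tokens must
        # fail Luhn, so a leaked token can never be mistaken for, or used as, a card.
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + last4
            if not luhn_ok(token) and token not in self._pan_by_token:
                return token

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible card number")
        idx = self._index(pan)
        if idx not in self._token_by_index:
            token = self._fresh_token(pan[-4:])
            self._token_by_index[idx] = token
            self._pan_by_token[token] = pan
        return self._token_by_index[idx]

    def detokenize(self, token: str) -> str:
        """Processor-only operation, e.g. to send a refund to the card network."""
        return self._pan_by_token[token]


def authorize(vault: TokenVault, terminal_key: bytes, blob: bytes) -> dict:
    """Processor: decrypt the terminal's blob, authorize, hand the merchant a token."""
    pan = poi_decrypt(terminal_key, blob).decode()
    return {"approved": True, "token": vault.tokenize(pan), "last4": pan[-4:]}


def run_sale(vault: TokenVault, terminal_key: bytes, pan: str) -> dict:
    """Merchant side of one sale: the wire bytes it forwards and the record it keeps."""
    blob = poi_encrypt(terminal_key, pan.encode())  # all the POS software ever sees
    result = authorize(vault, terminal_key, blob)
    return {"wire": blob, "record": {"token": result["token"], "last4": result["last4"]}}


if __name__ == "__main__":
    # Constructed demo input: a standard test card number, not a real account.
    vault, key, pan = TokenVault(), secrets.token_bytes(32), "4111111111111111"
    sale = run_sale(vault, key, pan)
    print("merchant stores:", sale["record"])
    print("card number visible on the wire?", pan.encode() in sale["wire"])
```

Two things the article's prose cannot show fall out of running this: the token is not a disguised card number (there is no key that turns it back into one, only the vault's lookup table), and a second sale on the same card returns the same token, which is what lets the merchant issue refunds or run recurring billing without ever storing the card number. The keyed index is what makes that possible while keeping a merchant-side attacker unable to test guesses against the vault.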

Small businesses do have access to world-class solutions that can help them with the responsibility for protecting customers, their business reputation and business sustainability. Those that implement multiple layers of safety measures will be better able to reduce risk and fraud, which is essential to the success of their entire business -- and our economy.