February 22, 2010

Nightmare on Main Street - How a single hacker can end your business forever

by Steve Bowers

Have you ever wished you “could have” gazed into a crystal ball and seen a disastrous event before it occurred? With such knowledge you could have avoided that car accident, fire, missed opportunity, or…fill-in-the-blank.

If your business stores client or customer credit card data electronically, consider this your crystal-ball-warning. There could easily be a hacker in Russia, China, or your neighborhood who is trying to breach your systems right now.

In 2009 the estimated cost of identity theft to companies and consumers topped $54 Billion. Stopping identity theft is a major priority for credit card companies. Several years ago, the major card companies banded together to enact something called “PCI Compliance”. This cryptic and scary term is the name for an even scarier set of security standards that businesses of any size must follow if they touch credit card data in any way. Card companies use this compliance standard to judge the security of your business as it relates to their credit cards.

Here’s the nightmare story. The ACME Widget Company (fake name) was a solid business producing some of the finest widgets in the country. The company was financially strong and had been a family-owned enterprise since grandpa Acme started it after the war. Because ACME was an older company, its technology was somewhat “dated”. They had a good client base and often had recurring widget orders. This is why they made the fatal mistake of storing card data on their internal system. ACME also had a simple web site on which customers could place orders.

One dark and stormy night, a hacker compromised ACME’s system and obtained all of their customers’ credit card data. Eventually, the credit card companies traced the breach back to ACME. Based on the PCI Compliance standards, they fined ACME $50,000 per instance of stolen information. Unable to withstand the financial devastation wrought by these fines, the company was forced to close. And no one lived happily ever after (except the hacker).

Here are some tips you can use to avoid ACME’s fate:

· Don’t Touch It! – Never store customer credit card data in your own systems if you can avoid it. If you must store it, use an established and reputable card processing company to store the data for you. These card processors are experts at PCI Compliance and help shield you from liability.

· Don’t bargain shop your hosting! – If your systems are hosted on a server owned by a “guy you know” and his server resides in the data center known as “his basement”... you are at risk. A reputable host will use a data center that has multiple layers of security and has been certified by recognized security auditors. I recommend a data center with a “SAS 70” certification at a minimum.

· Do your homework! – Learn the basics of PCI Compliance. Credit card companies will not allow you to use ignorance as an excuse (neither will the government). Google the term “PCI Compliance” to find a large list of varying resources.