Lessons from Michael’s data breach

Patrick Turiano

May 28, 2011

The Michael’s data breach tells us that the hackers are alive and well and will continue to find creative ways to steal card data. But smaller merchants shouldn’t be lulled into a sense of safety just because the most recent breaches hit large and mega brands.

According to a recent survey, 90 percent of credit card breaches occur at the small merchant level. The survey also found that it takes just 12 hours for a small merchant to complete PCI compliance certification. Implementing policies and procedures is the easy, low-cost component that can and must be done to achieve compliance.

Time and money: most people will argue they don’t have enough of either. But for small merchants, those are the two factors cited most often as keeping them from achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS).

The survey noted that most small merchants don’t proactively aim to meet compliance standards because they think it is the role of their acquirer or ISO to do this for them. That is simply not the truth. The truth is that complying with security standards is everyone’s job. Smaller merchants, according to the survey, assume they aren’t equipped with the proper resources to achieve compliance, or are not aware of the regulations at all.

The survey also found that food and beverage and retail were the two groups that accounted for three-quarters of credit card breaches, and of that 75 percent, 85 percent were small merchants. This is due in large part to the fact that small merchants make up a large share of the portfolios.

Securing cardholder data is everyone’s business. POS developers should continuously ensure their systems are compliant, either by completing a PA-DSS audit or by integrating with solutions that take their systems out of scope; merchants should always be aware of card data security, follow through on their in-house security policies, and meet PCI compliance requirements.