Data Security for FECs
By Brandon Willey, CEO, FetchRev
efore we dive into the subject of data security, we should take a moment to understand what we are protecting. There are many pieces of information important to a business such as accounting data, business plans, pricing and packaging to spotlight a few, and while in the hands of your competitors these particulars can cause significant damage to your business, the primary information that your everyday malicious hacker is interested in—is your customers’ personal and payment information.
mention, it’ll now be your responsibility as a business owner to properly notify your customers of the breach and possibly pay for credit monitoring for each person on the list.
At this point, you’re probably thinking, “Okay, I understand why payment information is important, but I’m a family entertainment center, why would my customer data be of any interest to a hacker?” There a variety of reasons. First and foremost, you’ve likely accumulated a healthy list of customer names and email addresses through in-store and online means of data collection. This data may even contain names and dates of birth for managing your birthday campaigns and rewards programs. Do we have your attention yet?
Protect and Prevent
Fear Factor Picture the following scenario if you will: an outsider deceptively acquires your customer list which on its own seems fairly innocuous, but in the hands of the wrong people this information could be used for social engineering, identity theft or even just sold to spammers. Out of all these, social engineering should be what really keeps you up at night. Reputation notwithstanding, most people think of hackers as people who sit in a dark room bathed in the blue light of screens, surrounded by gratuitous amounts of energy drink cans and empty pizza boxes while they key some magical cryptic commands accessing the dark web—and your bank accounts. For someone on a stolen customer list, the reality is somewhat different. Instead of a light-deficient space, it’s much more likely to be a call center where an employee of a hacking or phishing organization is crafting an email personally addressed to one of your customers, generously passing on the news that they’re owed an outstanding tax refund. As they contemplate vacation plans, a call is sent their way from someone claiming to be the IRS, asking to confirm their social security number, address and obtain either banking details or a credit card to process said refund. Unwittingly, they become a participant in their own undoing. Within days they find themselves the confused owners of ten extra credit cards, a couple of new loans and a freshly plummeted credit score.
It’s All Coming Back to You Now
If payment data was included and you were not PCI DSS compliant, your bank is at risk of being fined by the credit card companies, who will then pass this down to you, most likely with a few additional fines of their own for good measure.
Ultimately, this all leads to lost revenue, reputation damage, high clean-up costs, and major amounts of out-of-pocket cash dropped on migraine pills. So with all this doom and gloom, is there something you can do to protect yourself at a reasonable cost? The answer is a resounding yes, and it all starts with physical security. Keep areas inaccessible to the public locked at all times. Implement a clean desk policy and securely store away documents that contain customer details, only allowing access to areas that hold sensitive data to employees with permission to access it. For collecting data, make sure that you’re only acquiring pertinent information and never use a pen and pad to write down credit card numbers.
A Safer Tomorrow Let’s transition back to technology. If you store your technology solution on the premises, you may believe you are safer, however that is usually not the case for a myriad of reasons. Almost without exception, you are much more secure choosing cloud-hosted solutions from reputable suppliers. Most suppliers place a priority on data security, and are very likely utilizing trusted cloud providers such as Amazon, Microsoft or Google who are among the best in the business. Their servers will always be up to date with the latest security patches and they all feature data centers that are extremely well protected. If you are currently processing payments, you should make sure that your chosen POS solution or marketing platform conforms to PCIDSS standards. Here at FetchRev, we use secure data centers to protect your customer information and we only use fully PCI-DSS compliant payment providers. A little research upfront when choosing your providers and software platforms can minimize your liability and risk while providing great tools to help grow your business.
Now when this customer data breach is traced back to your business, there are a number of unfortunate events that may happen. You’ll need to pay for a forensic investigation to ascertain how the data was stolen, and you may also have to pay a fine to the state or federal authorities. Not to 24 / Rinksider - The Roller Skating Business Magazine | March/April 2018 www.rollerskating.org