Locking It Up Against Customer Data Breaches
BY JEFF BRODSLY
As many of us were in Atlantic City for the Chauffeur Driven Show, some eye-opening news broke about a data breach occurring at CorporateCarOnline (CCO), a well-known reservation and software system that is used by many operators nationwide. I received text messages from five different clients, all concerned about it and wanting advice on what to do next.
The unfortunate reality is that data breaches are becoming a widespread problem, and CCO is far from alone. In CCO’s case, the tabloid nature of the hack (VIP client notes made for salacious gossip) was more interesting to most readers than the 1 million credit card numbers, including those of celebrities and politicians, that were stolen. Many cases are worse. The nation’s number two general merchandise retailer, Target, just announced that 40 million customer records, including credit and debit card numbers, were stolen during the busy Thanksgiving to Christmas holiday shopping season. That is almost as many records as all of the reported breaches of 2012 combined.
In 2012 alone, 621 confirmed data breaches were reported, resulting in the theft of over 44 million sensitive consumer records, including millions of debit and credit card account numbers. The average organizational cost of a data breach is an astonishing $5,400,000, with an average cost of $277 per stolen record. Given that the majority of chauffeured ground transportation companies rely on credit cards to accept payments, it is very important to make sure you are accepting these cards securely and not exposing your company to a potential breach. (Sources: Ponemon Institute, 2013 Cost of Data Breach Study, May 2013; Verizon RISK Team, 2013 Data Breach Investigations Report, April 2013; First Data Corporation.)
By no means am I a data breach or PCI compliance guru, but as the CEO of a company that (with our partners) processes well over a billion dollars in credit card sales, I have a firm understanding and a “close to home” feeling of what could happen. Remember, it’s not just credit cards that need to be protected, but any data about a customer, such as a birth date or home address. So just how do breaches happen? There are four main ways; however, I will only focus on the three that apply to chauffeured ground transportation.
Network Intrusion: This is when hackers misuse or break into a system with the intent of stealing data. Your data can be hacked whether it’s stored locally on your own network, as with Target, or with a software provider, as was the case with CCO. This accounts for the majority of breaches that take place today. (Editor’s note: You can read more about PCI compliance in the October/November 2013 issue of Chauffeur Driven on page 82.)
Skimming: Although this is most prevalent at gas stations, ATMs, and restaurants, I want to point it out because I could see it as an area of weakness for operators who allow chauffeurs to process credit cards in vehicles. Skimming happens when an employee, contractor, or fraudster adds a skimmer (a small electronic device) to the card-reading hardware so that it silently copies and stores the data from every card swiped. Using skimming techniques, thieves can gather account numbers, the full track data on the magnetic stripe, PINs, and any card verification codes the customer keys in. While it’s the least likely of the three to happen, you should understand your possible exposure if you have mobile card readers or even tablets that capture customer data.
Insider Fraud: This most often is theft from customers or from the business itself by a rogue employee. Keep in mind that your employees (or contractors) who take reservations or have access to credit cards could steal this data and abuse it. In most cases the theft is eventually traceable back to the individual, but it’s your company that’s on the line.
• How can you protect yourself?
Skimming is the easiest of the three to protect against. It all comes down to who has access to the hardware. If you have trusted chauffeurs using in-vehicle devices, make sure they keep the device in their possession and only hand it to the client for payment. The only realistic way a skimmer gets added is by your internal staff or by a client who has enough unsupervised time to install it. I would focus on making sure you fully trust any chauffeur who has credit card processing hardware, and that they never leave it in the hands of clients any longer than necessary. A simple habit worth adding: keep a list of your devices and their serial numbers, and have someone look each device over periodically for added parts, loose seals, or a swapped unit, so that tampering is noticed in days rather than months.
Like skimming, insider fraud can be prevented by keeping close tabs on those who have access to accounting or money. Believe it or not, you do need to watch over all employees who have access to sensitive data, even if they are friends or family. Your software will often allow you to set permissions per user. If you have a new hire running cards, for example, you may want to restrict his account so that he cannot issue refunds. That way he doesn’t have the capability to either make a costly mistake or fraudulently push money to his own or a friend’s card. Separating who can take a payment from who can refund or void one, and reviewing refund reports regularly, closes the most common insider scheme. I encourage all operators to abandon the idea that it cannot happen to you, because it can and does daily.
With network intrusion, start by determining whether you host and store sensitive data yourself or rely on a software or cloud-based solution. If you are hosting, you need to religiously follow the Payment Card Industry Data Security Standard (PCI DSS), published by the PCI Security Standards Council. Based on your merchant level and how you accept cards, you will have different validation requirements and self-assessment questionnaires (SAQs) to complete in order to be compliant; however, all of the requirements exist to minimize risk and should be taken very seriously. Additionally, you should ensure whoever manages your IT keeps your firewalls properly configured and your systems patched promptly, and that this is monitored continuously rather than checked once a year. If you host card data, I highly suggest you hire a professional who specializes in securing systems and is well versed in PCI compliance and data theft.
If you are relying on an external or cloud-based software system, that company generally carries most of the risk for the data it stores, but read your agreement so you know exactly where its responsibility ends and yours begins. Most modern software systems are set up so that operators simply pass card data through a secure, encrypted channel to the provider, which shifts the storage of that data, and most of the PCI compliance burden, to the provider. This is recommended and greatly reduces the chance of a breach falling directly on you. Some software solutions have gone further and taken themselves almost entirely out of PCI scope by using a gateway or middleware that encrypts or tokenizes the cardholder data the moment it is received from the operator, so that neither the operator nor the reservation software ever stores a usable card number; this is the most secure way to process credit card information. Note that your own obligations are reduced, not eliminated: your computers, your staff, and the way you collect the card in the first place remain yours to secure. In any case, you (and your IT professional) should consult with your provider to fully understand their security measures as well as your own exposure.
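To make concrete what “passing card data straight through to a tokenizing gateway” means for your own records, here is an added example written for this article; it is not code from the original piece or from any named provider. The provider side is modeled as a simple `TokenVault` class and the operator side as a reservation record; the class and function names, the reservation fields, and the sample card number (a standard Visa test number, not a real account) are all assumptions for illustration. The point it shows is that what the operator keeps contains nothing a thief could charge.

```python
import re
import secrets
from dataclasses import dataclass

# Constructed sample: a widely published Visa *test* number, not a real account.
SAMPLE_PAN = "4111111111111111"


def brand_of(pan):
    """Rough brand lookup from the leading digits (enough for display on a receipt)."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in {"51", "52", "53", "54", "55"}:
        return "Mastercard"
    if pan[:2] in {"34", "37"}:
        return "American Express"
    return "Unknown"


class TokenVault:
    """Hypothetical stand-in for the gateway / tokenization provider (a real one is
    reached over an HTTPS API). The PAN enters here once and never comes back out,
    so only the provider's environment is in scope for storing card numbers."""

    def __init__(self):
        # token -> PAN. Assumption: on the provider side this table is encrypted at rest.
        self._vault = {}

    def tokenize(self, pan):
        pan = re.sub(r"[ -]", "", pan)
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("PAN must be 13 to 19 digits")
        # A random token carries no information about the PAN, so a stolen token
        # table on the operator's side cannot be turned back into card numbers.
        token = secrets.token_urlsafe(24)
        self._vault[token] = pan
        return {"token": token, "last4": pan[-4:], "brand": brand_of(pan)}

    def charge(self, token, amount_cents):
        pan = self._vault.get(token)
        if pan is None:
            return {"approved": False, "reason": "unknown token"}
        # The real authorization against the card network would happen here, inside
        # the provider's environment; the operator only ever sees the result.
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}


@dataclass
class Reservation:
    """What the operator keeps. There is no field that could hold a full card number."""
    client: str
    pickup: str
    card_token: str
    card_last4: str
    card_brand: str


def book_with_card(gateway, client, pickup, pan):
    """Operator flow: hand the PAN to the gateway immediately and store only what it returns."""
    card = gateway.tokenize(pan)
    return Reservation(client, pickup, card["token"], card["last4"], card["brand"])


def record_contains_pan(reservation, pan):
    """Audit helper: does a stored record still contain the card number anywhere?"""
    return pan in repr(reservation)


if __name__ == "__main__":
    gateway = TokenVault()
    res = book_with_card(gateway, "J. Smith", "JFK Terminal 4", SAMPLE_PAN)
    print(res)                                   # token + last4 only
    print(gateway.charge(res.card_token, 12500))  # $125.00 charged by token
```

Tokenizing the same card twice yields two unrelated tokens, which is why a leaked reservation database gives an attacker nothing to correlate or charge with. If your provider instead returns an encrypted card number, ask who holds the key; if the key is on your systems, the data is still in your scope.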
• Before it happens to you
If a data breach occurs on your internal networks or at your place of business, it can literally put you out of business. The fines and audits alone can run to six figures, not to mention the cost of replacing every compromised card, the legal and forensic fees, and the clients who lose faith in your business. Even if the breach was the work of a rogue employee, it is still your company’s good name, and finances, on the line. In my career in the merchant services industry, I have seen more than a handful of clients go out of business after a security breach was traced back to their companies. If a breach occurs outside your internal infrastructure, within a third-party reservation system, you still want to be sure you are following all PCI compliance standards, which you can learn about by speaking with your credit card processor or on the PCI Security Standards Council website. Above all, make sure you are not storing any cardholder data on your own systems, because that has a trickle-down effect during a forensic audit: if you are dragged into a breach and it is determined that your business was one of those compromised, you will be subject to all of the consequences described above. Card numbers tend to accumulate in places nobody thinks of as “the system,” such as reservation notes fields, e-mails, spreadsheets, and voicemail transcriptions, so this is worth actively checking rather than assuming.
Now is a good time to analyze your business and tighten up any loose security measures. Use this scenario as a positive, a chance to “check your oil” and ensure you are doing the most you can to protect against something like this happening to you. Another step I highly suggest for all operators is to carry data breach protection. This is generally offered through your credit card processor, and depending on your business you can be covered for damages of up to $50,000-$100,000. Data breach protection policies generally range from $75-$300 per year, which is a small investment to protect your business, especially given how much a breach can cost your company.
Data breaches have changed how we all manage our customers’ personal and financial information. Thieves target businesses, no matter how big or small, so the best protection is prevention. Don’t think you are immune to theft as it can be right under your nose. Your customers are relying on you to keep them safe, and that includes their data. [CD01.14]
Jeff Brodsly is the President and CEO of Livery Payments By Chosen Payments. He can be reached at email@example.com.