
Protect your business from a Target-type breach Part I

Don Bush

Were you one of the millions caught up in the recent Target or Neiman Marcus data breaches? I was. And I have heard several stories of others who were at a minimum inconvenienced, if not cut off completely from using a credit or debit card, right before the holidays.

I stood flabbergasted at the register of a local store, holding up everyone else waiting to check out while trying to figure out why my debit card was being declined. It was even more embarrassing to tell the clerk I was sure my account was fine and that there were sufficient funds to cover the bill, knowing full well he’d heard that story many times before.

What I didn’t know then was that my bank had lowered the spending limit on my debit card and ATM withdrawals, trying to limit losses from stolen credit/debit information. Clearly, they were trying to protect me. It would have been nice to know that before I went shopping.

Since then, I’ve heard a lot about what consumers can do to protect themselves and minimize the risk of someone using their information to make fraudulent purchases. But what about local business owners, retailers, service providers and the thousands of companies that accept credit and debit card payments? How can they protect themselves so they don’t end up in the headlines like Target?

At a minimum, businesses of all sizes should do an annual “audit” of their payment systems. Just like your computer network, phone systems and other logistics of your business, the payment process for accepting credit/debit cards needs regular maintenance to ensure it is up to date and providing you and your customers with maximum protection.

Many of these data breaches occur because hackers and cyber criminals have found a weak spot in the processing of credit/debit cards. Most companies accept credit/debit cards in one of three ways:

• through a “point of sale” terminal at the register (the device used by checkout clerks to swipe your card)

• collecting the data over the phone or through the mail

• completing a transaction online where consumers enter their credit/debit card information manually.

Each of these methods has weaknesses that you, as a business owner or manager, must know about and protect. Your liability can go far beyond the original purchase of an item, from fines and penalties to legal action brought against your business.

Before I go into what precautions can be taken to help increase the security of taking credit/debit card payments, I want to outline one industry standard that was developed to help reduce risk of loss and theft of financial information, specifically for payment cards like MasterCard, Visa, Discover and American Express.

The Payment Card Industry Data Security Standard*, also known as PCI DSS or PCI, was established in 2006 to “…ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.” While this is not a perfect solution, it does establish a set of protocols that help secure payment information.

If you are dealing with credit and debit cards, this standard applies to you. Ignore it at your own risk. If you work with service providers that are part of the payment processing system for your organization, check to see if they are “PCI” compliant. This one step could save you a lot of hassle in the future if you ever have a security issue involving payments with credit or debit cards.

For more information about PCI standards and FAQs about its implementation, visit

Don Bush is vice president of marketing at Kount, Inc. This is the first of a two-part guest column aimed at helping businesses understand how to shore up their security when accepting credit/debit card payments.


One comment

  1. PCI DSS and Security are like insurance, unfortunately Target spent $M on detection and left the response process to manual labor. But your insurance shouldn’t just tell you that you’re sick. They should have also spent at least 10% of that budget on process and technology to automatically investigate, prioritize, and lock down/contain their detected threats. You would think that they could have asked FireEye who they recommend for automated incident response. The tech is out there and available, and all this craziness and costs could be avoided.

    Think of it this way, Target probably saw 1000s if not 10s of thousands of alerts each day, and they know it. They probably detect more than they can process effectively, and the result is that malware gets through. They probably could have spent a fraction more to get automated incident response technology in house.