Many small retailers think their size protects them from hacker attacks, as headlines focus on large retail chains falling victim and exposing the personal data of millions of customers. But cyberthieves are not selective when it comes to choosing targets. In fact, the Identity Theft Resource Center's annual data breach report features page after page detailing malware attacks, phishing scams and other cybercrimes striking all types and sizes of businesses. Some hackers will go after a small company because they suspect security is likely not as robust, or that the employees may not be as wary of these types of schemes.
The stakes are high for retailers if customer information is stolen one-third of consumers say they will shop elsewhere if their retailer of choice is breached.1 Not only can such an exposure damage customer relationships, but a data breach likely will trigger laws requiring notification of affected individuals. The fallout is costly: The average cyberattack costs a small business roughly $7,115.2
Many retailers outsource the credit card payment process to a third party, which sometimes can provide a false sense of security as store owners believe they have handed over all the responsibility and worry to the external partner. But unfortunately that's not entirely true.
Take the experience of Jimmy John's sandwich shops, which had more than 200 stores hit by a data breach. Cyberthieves accessed store point-of-sale systems via a username and password that the third-party payment processor used to manage the devices remotely. In this case, Jimmy John's was not the one responsible for the breach the payment processor was responsible but all the headlines screamed "Jimmy John's suffers massive credit card breach." Jimmy John's still had to deal with the negative publicity and the filing of a class action lawsuit.3
Luckily, there are steps you can take to fortify your customer data systems. Start by thinking through all the points where data might live, even briefly. Is every point in your system secure? The safest route for retailers is to keep it simple and not store any sensitive customer data.
When contracting with a credit card payment processor, retailers should verify that the vendor is handling sensitive customer information correctly. You should make sure the company is properly credentialed by the Payment Card Industry (PCI) and following its Data Security Standard (DSS). The PCI DSS requires secure networks, cardholder data protection and encrypted transmissions, among other things.4
From the point of the credit card swipe or dip, the data should be transmitted directly to the payment processor, never touching the retailer's network. Retailers should look for a PCI-validated, point-to-point encrypted solution, which converts the data so it is useless to thieves who might be trying to capture it.
With proper steps, you can enhance your data security in hopes of avoiding a data breach scandal. Unfortunately, hackers are unlikely to give up on finding new ways to break into data systems, meaning cyberthreats will continue to evolve. Remain vigilant and evaluate your insurance portfolio to make sure you have the right coverages in the case of a cyber emergency. You don't want negative headlines about stolen credit card information to erase the hard work you've invested into your customer relationships.
Data Defense Tips for Your Retail Store
Use strong passwords that you change regularly on all devices and applications. Never use default usernames and passwords.
- Firewalls should be installed or enabled and maintained.
- Adopt encryption and/or tokenization for any data transmission or storage.
- Use antivirus software and install all security updates.
- Make sure the vendors of your hardware and software comply with the latest security standards.
- Restrict access to your system to only need-to-know employees.
- Check payment card readers to make sure no "skimmer" devices have been installed.
To protect yourself in the event of a breach, plan for cyber insurance coverage that would help your retail store(s) recover from a data breach, as well as for business income insurance that would help you through the interruption to your store's operations.
1 Identity Finder, "Sales Drop as Corporate Data Breaches Rise According to New Study from Identity Finder," April 29, 2014.
2 National Small Business Association, "2015 Year-End Economic Report," accessed Aug. 29, 2017.
3 Martyn Williams, "Data breach that hit Jimmy John's is larger than first thought," Computerworld, Sept. 26, 2014l; U.S. District Court, Central District of Illinois, class action complaint, Nov. 6, 2014.
4 PCI, "Maintaining Payment Security,"accessed Sept. 15, 2017.
The information, examples and suggestions presented in this material have been developed from sources believed to be reliable, but they should not be construed as legal or other professional advice. CNA accepts no responsibility for the accuracy or completeness of this material and recommends the consultation with competent legal counsel and/or other professional advisors before applying this material in any particular factual situations.
This material is for illustrative purposes and is not intended to constitute a contract. Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice. "CNA" is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the "CNA" trademark in connection with insurance underwriting and claims activities. Copyright © 2017 CNA. All rights reserved.