News Column

Small firms hit hard by credit card hackers

May 11, 2014

By Vicki Owen, Financial Mail on Sunday, London

May 11--Small companies are in the front line of a credit card hacking boom and face serious costs if their lax systems allow customer data to be lost.

Payment data breaches have cost customers of global payments company WorldPay £870,000 in the past three years, and of the firms whose card data was hacked in 2013, 61 per cent were small.

Electrical retailers have been hit with more breaches than any other sector, followed by general retail and clothing, according to WorldPay.

The warning comes hot on the heels of research by accountancy giant PwC for the Department for Business, which found that a cyber attack on a small company - one with fewer than 50 staff - typically costs it between £65,000 and £115,000.

An attack on larger firms - with 250 or more employees - costs between £600,000 and £1.15 million.

WorldPay says more small firms are meeting the industry standard for keeping cardholder data secure, known as the Payment Card Industry Data Security Standards.

But Dave Hobday, WorldPay managing director, said improvements are marginal as most small firms still do not know how to protect themselves from a breach.

He says: 'The cost of a card data breach can be hefty. Our small business customers could pay up to £4,100 just to investigate what happened.

The last thing anyone needs is to be hit with costs for having not protected card data - not to mention the loss of reputation this could bring.'

According to WorldPay, business owners should ask themselves:

- Have you changed all your default passwords, so that it's harder for someone to guess them?

- Do you have a list of all your suppliers or service providers and their contact details so you can contact them quickly if you need to?

- Do you test your firewalls at least every six months, or get a security professional to test them for you?

- Have you checked that all your suppliers also comply with the industry standard?

- Do you securely destroy all card data files and records when they are no longer needed?

- Are you making sure you do not store the three-digit security number from the back of cards?

Hobday adds: 'Many small firms cannot see what Payment Card Industry compliance adds to their business. They view it as a pointless exercise that drains time, money and effort.

Taken at face value it might appear onerous - wasteful red tape that is better off left to the big high street brands to worry about. But PCI was not set up to benefit retailers - it's there to protect customers.'

Almost all card data breaches happen online when hackers use malicious code to obtain card data. WorldPay says: 'All the know-how for inflicting this sort of attack can be found on online forums in "attack toolkits" - it is not sophisticated.'

Once a data breach happens, affected shoppers are faced with cancelling their card and having to order a replacement.

Meanwhile, a business must undergo a complex forensic investigation, and then it will need to refortify its payment system. This could take up to six months.


(c)2014 Daily Mail (London, )

Distributed by MCT Information Services

Source: Daily Mail (London, England)