This was written by my good friend and colleague John Dini, in San Antonio.
Let's say you own a small Italian restaurant. Fifteen tables. Pasta, pizza, beer and wine. Not really a white-tablecloth place. More like plastic red-and-white check tablecloths with Chianti bottles and drippy candles. On a good Saturday night you might take in $2,500. You average about $400,000 a year in sales. You are closed Mondays, because everyone in the family needs a day off.
One Tuesday morning you come in early to start food prep for the week. The mail is piled on the floor where the mailman pushed it through the slot yesterday. You sit at one of the tables drinking a cup of coffee as you open the mail. Routine stuff. There is the produce vendor's statement. A postcard from a regular customer on vacation. An offer or two for new credit cards. There is a letter from a credit card processor, Visa or MasterCard. It informs you that a number of customer cards have been used fraudulently. They have traced the origin of the security breach to your restaurant, and you owe them $170,000 under your merchant agreement, plus penalties. Your issuing bank will be contacting you regarding the collection terms, and to inform you of the additional costs.
You are out of business.
This isn't a joke. It's not an urban legend. It is happening every day to scores of small businesses nationally, and the number is increasing rapidly. PCI (Payment Card Industry) compliance is a term that should strike terror into the heart of every small business person who accepts credit cards. If you've been ignoring the warning information from your bank or merchant processor, or if you think you have it taken care of, think again.
A restaurant here in San Antonio recently went to the newspaper to ask for a story warning every customer of theirs to get new credit cards. This restaurant was hit for over $500,000 in charges, plus penalties (more on those later). The most bitter pill to swallow is that this restaurant did it right. They have the latest version of a POS (Point of Sale) register system. Their network was behind an up-to-date firewall. Their credit card data was encrypted. Nothing saved them from a sophisticated international fraud industry that remains one step ahead of security techniques.
Some fraud is low-tech. A waiter takes cell-phone photos of cards as he runs them, and mails them to an online fence who pays him a couple of dollars per number. A hotel is missing boxes of old credit card slips. (That happened last week in San Antonio, with 17,000 customers affected.) The most pernicious, however, is the Internet hack. The threat encompasses every business, retail, service or B2B, that accepts credit cards.
Organized thieves, many of them in Eastern Europe, spend all day "pinging" IP addresses in the US. When one hits a firewall, or more commonly, hits an electronic cash register, processing terminal, PC or a server that isn't behind a firewall, they blast a dictionary of keywords at it to identify whether there is any credit card information on the other end. If one of these words gets a hit, they begin the hack, inserting a program that duplicates any card number run through the system and transmitting it to their servers. It takes seconds for the whole process.
Typically they will collect for some time, months or in some cases years, before they put the cards into use. It gives them economies of scale. With faster fraud identification systems, many have started "real time" usage, duplicating cards in Europe or Asia and selling them the same day.
Illegal web sites post buyer requirements: how many cards, issuer type, credit limits sought and prices to be paid. ("Need 200 AMEX Gold or Platinum, pay $50 each.") Other sites will tell you the current available limit on any card number. Still other sites sell stolen numbers in a daily auction, batched by type and credit limit availability.
Your data is encrypted? Law enforcement sources tell me that decryption programs to defeat the current levels of credit card security can be bought for $125 on the web and installed in 15 minutes.
When I tell small business owners this story, they usually say "But my credit card company says I'm not liable for fraudulent charges." That is true if you are a consumer. If you are a merchant, you have already accepted the liability. You agreed to comply with all PCI security protocols. Those protocols, however, are so loosely defined, and so complex, that if you are defrauded it essentially means you weren't in compliance. In other words, if you are a victim, you are guilty.
When cards are used fraudulently, here is what happens. The card processor runs an algorithm to cross-reference the fraudulent cards with the places they were used. In minutes, twenty cards cross at one point: Anthony's Italian Trattoria in Peoria, Illinois. (If there is really an Anthony's in Peoria, I apologize. I checked to see that there wasn't. It's supposed to be fictional.) You are proven guilty.
What happens next is a nightmare. First, every customer who charged something at your business (in a time frame of potential risk determined by the processor) must be notified that their card may have been compromised, and they should get a new one. The charge for that is $30 per customer. It is billed to your bank issuer, who can either pass it on to you or eat it. Guess which one they will choose?
(A quick aside here. If you are like almost all small business people, your accounts are concentrated at one bank. Your loan agreements usually allow the bank to deduct amounts owed them from ANY account you have there, business or personal.)
Then they have to do the forensic investigation, to determine how the cards were stolen and the potential losses. The cost of a forensic examination is currently set by PCI at $10,000 minimum. All this is in addition to any fraudulent usage, which is directly billed to you. The bank may choose to let you continue operating, if you can afford to let them withhold everything charged to credit cards in your business until repayment is made.
If you think I am being alarmist, check out the PCI video at TAB member Don Douglas' Comply Guard Networks website. (This isn't a plug. Few small business owners could afford Don's services, which are geared to corporate and institutional customers.) The other examples I cite here are from my own experience locally in the last month, and they are not the only ones I know.
What can you do? Checking a driver's license, which many people consider a security measure, doesn't help with this problem. That only protects you from being back-charged for a single fraudulent usage. That is one transaction, not hundreds or thousands.
You could stop accepting credit cards, but for many of us that isn't feasible.
Here is what you CAN do, in simple terms:
First: Spend the money to upgrade your system. I've talked to POS vendors at length about this. They tell me that the usual openings (lack of a firewall, shared hubs with wireless hot spots, and out-of-date software) cost between $1,000 and $3,000 to fix. It still isn't foolproof, but it is like the burglar who was asked why he didn't hit houses when he knew there were only timers on the lights. "Because the house next door doesn't even have timers." The cost is minimal in comparison to the deterrent factor.
Second: DO NOT STORE CREDIT CARD NUMBERS ON TRANSACTIONS ANYWHERE, EVER! Many businesses don't even know that their systems are keeping numbers. With cheap data storage, some have no erasure process at all. One restaurant locally, with hundreds of seats and a booming business, recently found out that they had every credit card number for every transaction in the last ten years residing on their hard drive. One hack, and they could have been hit for millions in notification fees alone.
If you have a customer dispute or question, you can get the information from the credit card company. Yes, it may take forever on the phone to wade through the process, but how bad is that compared to losing your business?
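The point above is that many owners do not know their POS or back-office system is keeping full card numbers. The following scanner is an added example (not part of John Dini's post, and not any POS vendor's tool) showing how to check exported transaction records or log files for stored card numbers. It looks for 13-19 digit runs, drops the ones that fail the Luhn checksum that all payment card numbers satisfy (so phone numbers and order ids are not reported), and prints only a masked form so the check itself does not spread the numbers further. The record lines are constructed for the example; the exact layout of your system's export will differ, and `scan_path` is a helper written here, not a standard tool.

```python
"""Find stored payment card numbers (PANs) in text records.

Added example: defenders use this kind of check to confirm that a POS
export, receipt log or database dump does NOT contain full card numbers.
"""
import re
from typing import Iterable, List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, star out the rest (PCI truncation)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers found in one line of text."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_records(records: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for every stored PAN in the records."""
    hits = []
    for lineno, line in enumerate(records, 1):
        for pan in find_pans(line):
            hits.append((lineno, mask_pan(pan)))
    return hits


def scan_path(path: str) -> List[Tuple[int, str]]:
    """Scan a text file (e.g. an exported transaction log) line by line."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        return scan_records(fh)


# Constructed sample records: two lines hold full card numbers (the well-known
# Visa and MasterCard test numbers), one is properly masked, and one holds a
# phone number and an order id that must not be reported.
SAMPLE_RECORDS = [
    "2010-07-06 19:42 table 7 total 48.50 card 4111111111111111 auth 123456",
    "2010-07-06 19:55 table 2 total 22.00 card ************4242 auth 654321",
    "2010-07-06 20:10 table 9 total 61.75 card 5555-5555-5555-4444 auth 998877",
    "2010-07-06 20:12 table 4 total 19.00 phone 2105551234 order 1234567890123",
]

if __name__ == "__main__":
    for lineno, masked in scan_records(SAMPLE_RECORDS):
        print(f"line {lineno}: stored card number {masked}")
```

Run against the sample records it reports lines 1 and 3 only. A clean system produces no output; any hit means the software is retaining numbers and its storage settings (or the vendor) need attention before a processor's forensic examiner finds the same thing.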
There are some major things that the industry could do, but for now they've chosen to just shift the liability to small business owners who are generally unaware of what has been done to them. In this case, such ignorance can ruin you.
If this is news to you, it is probably news to your business owner friends. I have been passing this information on to every business owner I know. Most have been surprised by it. Do a friend a favor, and give them a heads up. Ask them "Are your computers PCI compliant?" If they look at you blankly, send them here.
Sunday, July 11, 2010