Sunday, July 11, 2010

If You are a Victim; You are Guilty

This was written by my good friend and colleague John Dini, in San Antonio.

Let's say you own a small Italian Restaurant. Fifteen tables. Pasta, Pizza, beer and wine. Not really a white tablecloth place. More like plastic red and white check tablecloths with Chianti bottles and drippy candles. On a good Saturday night you might take in $2,500. You average about $400,000 a year in sales. You are closed Mondays, because everyone in the family needs a day off.

One Tuesday morning you come in early to start food prep for the week. The mail is piled on the floor where the mailman pushed it through the slot yesterday. You sit at one of the tables drinking a cup of coffee as you open the mail. Routine stuff. There is the produce vendor's statement. A postcard from a regular customer on vacation. An offer or two for new credit cards. There is a letter from a credit card processor; Visa or MasterCard. It informs you that a number of customer cards have been used fraudulently. They have traced the origin of the security breach to your restaurant, and you owe them $170,000 under your merchant agreement, plus penalties. Your issuing bank will be contacting you regarding the collection terms, and to inform you of the additional costs.

You are out of business.

This isn't a joke. It's not an Urban Legend. It is happening every day to scores of small businesses nationally, and the number is increasing rapidly. PCI (Payment Card Industry) compliance is a term that should strike terror into the heart of every small business person who accepts credit cards. If you've been ignoring the warning information from your bank or merchant processor, or if you think you have it taken care of, think again.

A restaurant here in San Antonio recently went to the newspaper to ask for a story warning every customer of theirs to get new credit cards. This restaurant was hit for over $500,000 in charges, plus penalties (more on those later.) The most bitter pill to swallow is that this restaurant did it right. They have the latest version of a POS (Point of Sale) register system. Their network was behind an up-to-date firewall. Their credit card data was encrypted. Nothing saved them from a sophisticated international fraud industry that remains one step ahead of security techniques.

Some fraud is low-tech. A waiter takes cell-phone photos of cards as he runs them, and mails them to an online fence who pays him a couple of dollars per number. A hotel is missing boxes of old credit card slips. (That happened last week in San Antonio- 17,000 customers affected.) The most pernicious, however, is the Internet hack. The threat encompasses every business; retail, service or B2B that accepts credit cards.

Organized thieves, many of them in Eastern Europe, spend all day "pinging" IP addresses in the US. When one hits a firewall, or more commonly, hits an electronic cash register, processing terminal, PC or a server that isn't behind a firewall, they blast a dictionary of keywords at it to identify whether there is any credit card information on the other end. If one of these words gets a hit, they begin the hack, inserting a program that duplicates any card number run through the system and transmitting it to their servers. It takes seconds for the whole process.

Typically they will collect for some time, months or in some cases years, before they put the cards into use. It gives them economies of scale. With faster fraud identification systems, many have started "real time" usage, duplicating cards in Europe or Asia and selling them the same day.

Illegal web sites post buyer requirements; how many cards, issuer type, credit limits sought and prices to be paid. ("Need 200 AMEX Gold or Platinum- pay $50 each") Other sites will tell you the current available limit on any card number. Still other sites sell stolen numbers in a daily auction, batched by type and credit limit availability.

Your data is encrypted? Law enforcement sources tell me that decryption programs to defeat the current levels of credit card security can be bought for $125 on the web and installed in 15 minutes.

When I tell small business owners this story, they usually say "But my credit card company says I'm not liable for fraudulent charges." That is true if you are a consumer. If you are a merchant, you have already accepted the liability. You agreed to comply with all PCI security protocols. Those protocols, however, are so loosely defined, and so complex, that if you are defrauded it essentially means you weren't in compliance. In other words, if you are a victim; you are guilty.

When cards are used fraudulently, here is what happens. The card processor begins an algorithm to cross reference the fraudulent cards with the places they were used. In minutes, twenty cards cross at one point- Anthony's Italian Trattoria in Peoria Illinois. (If there is really an Anthony's in Peoria, I apologize. I checked to see that there wasn't. It's supposed to be fictional.) You are proven guilty.

What happens next is a nightmare. First, every customer who charged something at your business (in a time frame of potential risk determined by the processor) must be notified that their card may have been compromised, and they should get a new one. The charge for that is $30 per customer. It is billed to your bank issuer, who can either pass it on to you or eat it. Guess which one they will choose?

(A quick aside here. If you are like almost all small business people, your accounts are concentrated at one bank. Your loan agreements usually allow the bank to deduct amounts owed them from ANY account you have there, business or personal.)

Then they have to do the forensic investigation, to determine how the cards were stolen and the potential losses. The cost of a forensic examination is currently set by PCI at $10,000 minimum. All this is in addition to any fraudulent usage, which is directly billed to you. The bank may choose to let you continue operating, if you can afford to let them withhold everything charged to credit cards in your business until repayment is made.

If you think I am being alarmist, check out the PCI video at TAB member Don Douglas' Comply Guard Networks website. (This isn't a plug. Few small business owners could afford Don's services, which are geared to corporate and institutional customers.) The other examples I cite here are from my own experience locally in the last month, and they are not the only ones I know.

What can you do? Checking a driver's license, which many people consider security, doesn't help with this problem. That only protects you from being back charged for a fraudulent usage. That is one transaction, not hundreds or thousands.

You could stop accepting credit cards, but for many of us that isn't feasible.

Here is what you CAN do, in simple terms:

First- Spend the money to upgrade your system. I've talked to POS vendors at length about this. They tell me that the usual openings, lack of a firewall, shared hubs with wireless hot spots, and out of date software, cost between $1,000 and $3,000 to change. It still isn't foolproof, but it is like the burglar who was asked why he didn't hit houses when he knew there were only timers on the lights. "Because the house next door doesn't even have timers." The cost is minimal in comparison to the deterrent factor.

Second- DO NOT STORE CREDIT CARD NUMBERS ON TRANSACTIONS ANYWHERE, EVER! Many businesses don't even know that their systems are keeping numbers. With cheap data storage, some have no erasure process at all. One restaurant locally, with hundreds of seats and a booming business, recently found out that they had every credit card number for every transaction in the last ten years residing in their hard drive. One hack, and they could have been hit for millions in notification fees alone.

If you have a customer dispute or question, you can get the information from the credit card company. Yes, it may take forever on the phone to wade through the process, but how bad is that compared to losing your business?

There are some major things that the industry could do, but for now they've chosen to just shift the liability to small business owners who are generally unaware of what has been done to them. In this case, such ignorance can ruin you.

If this is news to you, it is probably news to your business owner friends. I have been passing this information on to every business owner I know. Most have been surprised by it. Do a friend a favor, and give them a heads up. Ask them "Are your computers PCI compliant?" If they look at you blankly, send them here.

Tuesday, June 29, 2010

Mid Year Sales Planning

The following was written by my good friend Chip Doyle, a Sandler Sales Franchisee.
___________________________________________________


He who fails to plan is planning to fail - Winston Churchill

Prospecting plans are more than a necessary part of a salesperson's tool kit. The planning process creates accountability and a sense of teamwork for salespeople. Good plans also improve the salesperson's outlook and motivation. By measuring the results of a plan, salespeople can identify what's working and what isn't and adjust accordingly. And last but not least, planning and accountability ensures activities that fill the pipeline are not subordinated to client fulfillment work. This one drives me nuts. As an example, seller-doers (people like CPAs, consultants, architects, engineers, etc.) pray for business but as soon as they get some, they complain that they don't have time for business development. This is just a sophisticated way of admitting they don't have a plan.

You can be a part of your own plan or part of someone else's - David Sandler

The year is almost half over and odds are you've made some progress towards your prospecting and sales plan. If you don't have a prospecting plan yet, stop reading here and start planning!

Planning has Pitfalls

Unfortunately there are predictable traps that I see clients fall into related to planning. Occasionally they will use the planning process to procrastinate action. I also see salespeople that fail to adjust plans over time based on new information or tracked results. Planning is not a one-time activity. It's a recurring process. Not every week, but certainly every six months.

More frequently I see plans with no priorities or activity sequences specified. John Argenti, author and founder of the Strategic Planning Society said "A plan is a list of actions arranged in whatever sequence is thought likely to achieve an objective." Make sure you assign priorities or some sequence in your planning process.

"It is almost always the decision maker that makes the decision work, not the choice which makes the decision work." - David Sandler

I also see companies attempt to build consensus around an ideal plan. It never happens. There's no need to try to build the perfect plan. The key is to get your salespeople on the right course so they can realize the benefits of the planning process.

________________________________________________________________

We are halfway through the year. How are your sales? How are they compared to plan? What are you going to do to modify or create your plan?

Friday, June 4, 2010

What is Motivation?

The art of motivating people starts with learning how to influence individuals' behavior. Once you understand this, you are more likely to gain the results that both the organization and its employees want.

Motivation is the will to act. It was once assumed that motivation had to be injected from outside, but it is now understood that everyone is motivated by several differing forces. In the workplace, seek to influence your staff to align their own motivation with the needs of the organization.

To release the full potential of employees, organizations are rapidly moving away from "command and control" and towards "advise and consent" as ways of motivating. This change of attitude began when employers recognized that rewarding good work is more effective than threatening punitive measures for bad work.

Self-motivation is long lasting. Inspire self-motivated staff further by trusting them to work on their own initiatives and encouraging them to take responsibility for entire tasks. For demotivated staff members, find out what would motivate them, and implement whatever help you can. Highly motivated individuals are vital to supply organizations with the new initiatives that are necessary in the competitive business world.

Who do you need to motivate? Yourself, managers, colleagues, and subordinates. Each is motivated in their own way. If you want a detailed assessment of what motivates your people click here or send an email to blair@tabdenverwest.com.

Your persuasion and influence can be used to motivate yourself and others. Just remember, true motivation has to come from within.