Delmarva merchants were recently impacted by a POS (point of sale) system data breach. And many merchant locations and business owners are now wondering what does this mean and how does it impact their business. The recent breach in Ocean City, Maryland and surrounding areas involves a POS system that includes remote access, allowing merchants to access their information off site. The information being accessed was not encrypted, resulting in full card information being available to malware and breach scenarios.

Mercantile Processing Inc., a Delaware-based merchant services provider, would like to address these concerns for area merchants and business owners and educate everyone on what questions should be asked at this time. The key to any data breach is to act swiftly and safeguard any data that may be vulnerable.

Is your business safe from a Software Breach?
If your business has not been contacted by your processor, software company, or from your customers about credit card numbers being compromised, your location can assume your system is safe for now. Even if your location has not been contacted, it is in every merchant’s best interest to follow the following steps to safeguard against future breaches.

Is your anti-virus software up-to-date?
All merchants using computers for any aspect of work, should have an up-to-date virus software with regularly scheduled scans to protect the onsite PC and data held within. Installing periodic or prompted updates to your software is key in protecting against malware as it is discovered. If you are unsure if you are using the proper software, contact your merchant services sales office or software provider to insure that your location is using the correct software.

Having anti-virus software installed on all POS devices, in conjunction with regularly scheduled scans is the first key step in protecting your company’s data. Daily scans, typically performed after hours, can detect vulnerabilities in your system and/or recently discovered malware on your system. Approving the recommended settings/updates after each scan is typically recommended, but please check with your software company for any specific questions or concerns.

How do I know if my data is encrypted?
Credit card information always needs to be encrypted in order to protect cardholders. What this means is that data should only be sent from point A (the terminal) to point B (the processor, who approves the transaction) with limited information provided, such as the last four digits of the card, for identification purposes. In order to avoid breaches, all merchants should be using terminals or POS systems that have end-to-end encryption. If you are unsure if your current system is end-to-end encrypted, please contact your hardware provider to learn more.

Is PCI compliance important?
Absolutely! Every merchant that accepts credit cards has seen a charge on their statements for PCI compliance or non-compliance (either monthly, quarterly, annually, etc.). In order to safeguard your customers and business against data breaches, every merchant must be PCI compliance. Merchants can become PCI compliance by completing their PCI compliance questionnaire on an annual basis (must be done each year) and by having your system scans up to date.
What is PCI Compliance?

PCI Compliance is the status processors require of all merchants to comply with that store, transmit, or process cardholder data. These compliance requirements are required regardless of the size of the location. Merchants can become PCI compliant by completing a questionnaire that reviews the best business practices of the industry and receiving a passing score. Scans of your system are required especially if you are working on a network with a POS system in your location. While the PCI compliance questionnaire does not protect you from a breach, it does however make you aware of the possible breach areas and allows you to attest to having these protections in place.

The questionnaire will inquire if your business has anti-virus software installed, and if data is encrypted. If Visa, MasterCard, Discover or American Express discover that a merchant did not have anti-virus software installed and/or did not have regular scans on their system while an investigation is conducted, the merchant would be deemed PCI non-compliant and be liable for fines.

What does this breach mean for you?
An informative article produced by MasterCard in 2012 stated that even the “small[est] merchants are being targeted— Recently, attackers have been increasingly focused on small businesses…” Larger companies and banks tend have the most technical and expensive security features in place to protect against any potential hack, but this level of security may not be feasible for a small merchant. “As a result, attackers increasingly are seeking to compromise small merchant environments through targeted “production line”-type attacks, which often go undetected for long periods of time due to a lack of monitoring by the small merchants.” Subsequently when attackers are searching for targets they sometime find small merchants haven’t taken even the most basic of security precautions that the Payment Card Industry requires.

The lesson from this breach is for all merchants, regardless of size, to be aware of breach possibilities. Just because you are a small to mid-sized business, don’t assume hackers will not be interested in your system. Making sure your systems are fitted with anti-virus software and regular scans, as well as keeping your PCI questionnaire and PCI scans up to date, are the best ways to ensure you will not suffer from a breach.

Mercantile Processing Inc. (MPI) is a locally owned Delaware company. Based in Sussex County, headquartered in Frankford, Delaware, MPI serves the Delmarva area and surrounding areas as a credit card processing broker, payroll solution provider, credit card terminal and ATM reseller and a gift/loyalty card program supplier. Mercantile Processing Inc. is a registered ISO/MSP of Wells Fargo Bank NA.