Earlier this year several big box retailers were victim to hacks stealing credit card information from their customers. Today, they are plugging the hole on these vulnerabilities. But what about small businesses? How at risk are they and what can be done to protect both their business and their customers’ credit card information from hackers?
Street Fight recently caught up with Norm Merritt, president and CEO of ShopKeep to talk about the software and cloud-based solutions that companies like his are providing to protect local businesses and their customers.
A recent New York Times article talked about hackers going local, hitting small businesses in their efforts to steal customers’ credit card information. We know there are these big hacks of large retailers, why should small businesses be more or less concerned about being hacked than say Nordstrom or Target?
The hacking we are talking about is basically taking advantage of vulnerability in PCs, in particular Microsoft PCs running on XP. What happens is, if I swipe a credit card, it goes into the memory of the computer in clear text form, before it’s encrypted and is sent off to the credit card company. Because of that clear text format, anybody can go online plug a Rubber Ducky hack device into the back of the PC and the Rubber Ducky can see the credit card data the way it’s formatted and just starts to download anytime it’s in clear text form. That’s is what happened at Target, Neiman Marcus, and Home Depot.
There are millions of merchants out there with vulnerable XP boxes, but now that big box retailers are plugging that hole by upgrading their machines, thieves are now going to go after the local guy. Some ask if the local guy is even worth it? All it takes is one rogue employee putting a Rubber Ducky in the back of one of their machines and at the end of the month maybe they have a thousand credit cards they can sell for $40 a card on the black market. There is definitely an economic incentive for thieves to take advantage of small merchants, no doubt.
How can small business owners protect themselves?
The way ShopKeep or other companies like us solve the problem is we encrypt the credit card data at point of swipe, at the actual credit card head, and it gets encrypted into 256 bit military grade encryption, which is virtually impossible to break. It never goes into memory in clear text form and so it’s never vulnerable or open to thieves’ access. That credit card data goes out in this encrypted format and only the credit card company has the key to unlock the encryption and they’ll then do the transaction and authorize it. They’ll then encrypt the information and send it back to us.
One clear way of basically guarding people’s personal, credit card information is to have a company like ShopKeep where we have this military grade encryption at the head of the swiper. In addition you hear about Apple Pay and other mobile payment solutions. What’s interesting about Apple Pay is that it’s actually extremely secure because they have triple level of authentication. It has the secure enclave token, the transaction specific token and then it has a biometric level of security. ShopKeep does have an Apple Pay capable reader so people can pay with Apple Pay.
Companies like ours, where we can take Apple Pay and we also have point to point encryption for those who don’t who are still swiping the credit cards, really obviates this whole hacking thing.
With EMV chip card technology and the big shift to this coming in the fall, what does that mean for credit card theft? Will there be an increase in attempts made now because it will be harder after, as a last opportunity to make their money?
It’s important to remember that hacking and stealing credit card data are two different things. The only reason people steal a credit card is they are then able to counterfeit the card and sell it on the black market for more than what they bought the credit card for.
What EMV does is basically stops the ability of thieves to counterfeit cards by removing the ability of those who have purchased stolen credit cards to use them fraudulently. EMV also obviates the use of a credit card that’s counterfeited. They can either steal your card or steal your number and then create a card that’s a counterfeit card. What EMV does it basically plugs that hole.
We really recommend to our merchants that they not only have the swiper encryption to keep people from hacking them, but they also have an EMV capable reader which gives them the ability to provide this service to their customers and if they don’t upgrade they will have 100 percent of the liability of any fraudulently presented cards. The merchant will actually get charged for it.
Is security something small businesses will buy and is it important enough that it will force them to adopt and push mobile payment options? Do you see small businesses stop doing as many credit card transactions and start pushing Apple Pay because it’s actually that much more important to them?
There are merchants across the spectrum. Some are very focused, very disciplined, really good at protecting their business and they will upgrade their equipment post haste and a lot of them are. You’re also going to have people on the other end of the spectrum where it’s not even on their radar screen until they get that credit card statement sometime after October 2015 for their bank saying here is a $400 charge for something you sold with a fraudulent card.
I think you are going to see a slow adoption, but to the extent that ShopKeep can help get the word out there, which is why we’re speaking at a lot of events to get people to understand they should protect themselves. It’s an upgrade to the machinery, and it’s not that expensive in the long scheme of things.
Talk to me about the difference in the vulnerability of a cloud system versus an on-premise system. Which is more vulnerable than the other?
There is no vulnerability with cloud — everything that’s going into the cloud is encrypted. First of all, the credit card data is encrypted with 256 bit military grade encryption. Everything else in the cloud is basically secure using SSL and a lot of the security features that are state of the art, latest and greatest. There is no vulnerability for the cloud.
What the cloud does is it provides flexibility to the merchant so they can now actually be more secure. They can be monitoring their employees remotely, in our case for example we have ShopKeep pocket, it’s an iPhone app business owners can download that actually keeps track of the voids, the returns, sales by hour. They can be at their kid’s soccer game and be able to monitor the business, offering even more security for them.
Liz Taurasi is a contributor to Street Fight.