Skip to content ↓ | Skip to navigation ↓

It seems only fitting that 2014 should have ended with the much publicized hacking of Sony as the American public was inundated all year with one sensational account after another of damaging data security breaches.

Those surrounding Target, UPS, K-Mart, Staples, Dairy Queen and Home Depot have certainly received the full attention of the media, as it should given its magnitude. However, this publicity masks a much deeper rooted strategy of hackers toward their typical target (with a small “t”).

The predominant number of security breaches occur with small merchants, such as your neighborhood restaurant, convenience store or clothing boutique. The fact is that the typical operator of a franchise is most often a small business owner and not a large corporate entity. These smaller players simply go out of business or spend years attempting to recover from their losses.

The more telling story is that hackers are successfully penetrating the very backbone of U.S. commerce because these small- and medium-sized merchants are much more vulnerable as they are considered by hackers to represent low hanging fruit. Rather than resigning themselves to another year of devastating breaches that drain the economy and damage the public trust, this would be a good time for executives to aspire to understand where the underlying vulnerabilities are in their systems and take the relatively simple measures to severely reduce the risks.

Credit card companies have developed a comprehensive list of best practices and procedures (Payment Card Industry Data Security Standards best known as PCI DSS) that U.S. merchants are required to apply in an effort to significantly lessen the prospect of hackers gaining entrance to their store’s Point of Sale systems, which act as the gateway and nerve center for merchant commerce.

The overriding problem is that banks, card processors and POS companies have failed to effectively educate merchants on these standards. As hotel managers, restaurant operators and retailers are consumed with the day-to-day challenges of running their businesses, they understandably don’t find the time to do anything but pay cursory attention to related webinars or email blasts on the subject.

The solution really isn’t very complicated. The vast majority of security breaches can be avoided by simply having the merchant understand and apply common sense practices and make a few modest investments in basic security measures. For instance, a significant number of breaches can be eliminated by employees knowing not to use default or simple passwords, as well as   changing passwords frequently.

Breaking down into plain English and demystifying the basics behind security mechanisms, such as firewall, encryption and tokenization, are really not that difficult. Although the ease of a  restaurant operator having remote access to their Point of Sale terminal may be very desirable, it can help a hacker gain a path to customer credit card information if not used properly with sufficient authentication measures.

We have more than adequate security controls available today if they are simply understood and utilized properly. We don’t have to wait until the mass introduction of alternative technology, such as Chip and Pin, to dramatically reduce the volume of breaches. In fact, Chip and Pin is not a silver bullet solution.

Merchants must not become complacent and lose sight of the fact that it is necessary to engage in a layered approach to keep their customer data safe, which incorporates, Chip and Pin, encryption, tokenization and employee education.

Small and large merchants alike can cut through the background noise and understand how best to use accessible and effective controls and practices, so that more painful data security breaches will not continually be repeated.

About the Author: Charles Hoff is the co-founder and CEO of PCI University ( which helps merchants throughout North America fully understand how best to avoid data security breaches and their consequences.  Charles has an extensive background relating to ID theft and fraud stemming from his years as Equifax’s Senior Vice President and his successful track record as an attorney representing merchants victimized by data security breaches.  Charles has acted as a Data Security Breach Consultant for the National Restaurant Association and has served as the General Counsel for the Georgia Restaurant Association.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interesting in contributing to The State of Security, contact us here.


picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

Image header courtesy of