As a small business you are required to comply with PCI-DSS when accepting credit cards as a form of payment from customers. The costs may be high to implement and comply with PCI, but the costs of mitigating a breach can shut down your business. To highlight the importance of protecting your organization, please read the story below.
The costs of a breach can put a small company out of business. In 2006 and 2007, a Bellingham, Wash., restaurant called Burger Me LLC had its computerized cash register hacked. Criminals made untold numbers of fraudulent charges on customer credit cards.
After the incident, a credit-card company shut down Burger Me’s account and put a hold on thousands of dollars in incoming payments, says Rich Griffith, its former owner. By late 2008, fees and lost business from not being able to accept credit cards put Mr. Griffith in so much debt—$12,000 for investigation and remediation costs alone—that he closed his formerly break-even burger joint.
One of the most common styles of attack on small businesses targets credit-card information that a hacker can sell or use to make fraudulent purchases. To gird against this, the major credit-card companies in 2006 formed an industry group called the Payment Card Industry Security Standards Council, which establishes minimum technical protections for businesses that accept credit cards.
Hackers are constantly looking for weak entry points such as Remote Desktop connections, which allow a user to connect from a remote location as if physically present, with complete access and the ability to run any program. Another weak point is the use of weak passwords with known user names such as Administrator and Password.
The computers at the magazine shop had a program called Remote Desktop installed that made it possible to access them over the Internet. That program had a weak username and password: ‘pos’ in both cases.
A hacker used Remote Desktop to gain access to the computers at City Newsstand’s Chicago store as early as April 15, 2009. The hacker secretly installed software that captured credit-card information. Later, the hacker installed similar software on the computer in the City Newsstand’s Evanston location.
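As an added example (not from the article or any source it quotes), the Python below scans constructed Windows Security log lines for the Remote Desktop pattern just described: a burst of failed logons from one address, a success that follows failures, and any RDP logon as a default account such as Administrator or pos. The log line format, the sample data and the DEFAULT_ACCOUNTS list are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime

# Account names that should never log on over Remote Desktop: the two the
# article mentions plus common defaults (assumed list; extend for your site).
DEFAULT_ACCOUNTS = {"administrator", "pos", "admin", "guest"}

# Constructed sample lines modelled on Windows Security log fields
# (EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 =
# RemoteInteractive, i.e. Remote Desktop). Not data from the real incident.
SAMPLE_EVENTS = """\
2024-01-10T02:11:03 EventID=4625 LogonType=10 Account=Administrator Source=203.0.113.7
2024-01-10T02:11:04 EventID=4625 LogonType=10 Account=Administrator Source=203.0.113.7
2024-01-10T02:11:05 EventID=4625 LogonType=10 Account=Administrator Source=203.0.113.7
2024-01-10T02:11:06 EventID=4625 LogonType=10 Account=pos Source=203.0.113.7
2024-01-10T02:11:07 EventID=4625 LogonType=10 Account=pos Source=203.0.113.7
2024-01-10T02:11:09 EventID=4624 LogonType=10 Account=pos Source=203.0.113.7
2024-01-10T09:30:00 EventID=4624 LogonType=10 Account=clerk01 Source=192.168.1.20
2024-01-10T09:31:00 EventID=4625 LogonType=2 Account=clerk02 Source=-
"""

def parse_event(line):
    """Split one 'key=value' log line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def find_rdp_anomalies(text, fail_threshold=5, window_seconds=60):
    """Return (kind, source, account) findings for suspicious RDP activity."""
    rdp = [e for e in map(parse_event, text.strip().splitlines())
           if e["LogonType"] == "10"]           # Remote Desktop logons only
    failures = defaultdict(list)                # source -> failure timestamps
    findings = []
    for e in rdp:
        src, acct = e["Source"], e["Account"]
        if e["EventID"] == "4625":
            failures[src].append(e["ts"])
            # keep only the failures inside the sliding time window
            failures[src] = [t for t in failures[src]
                             if (e["ts"] - t).total_seconds() <= window_seconds]
            if len(failures[src]) == fail_threshold:
                findings.append(("rdp_bruteforce", src, acct))
        elif e["EventID"] == "4624":
            if failures[src]:                   # guessing that finally worked
                findings.append(("rdp_success_after_failures", src, acct))
            if acct.lower() in DEFAULT_ACCOUNTS:
                findings.append(("rdp_default_account_logon", src, acct))
    return findings

if __name__ == "__main__":
    for finding in find_rdp_anomalies(SAMPLE_EVENTS):
        print(*finding)
```

The thresholds are deliberately low for the sample; on a real point-of-sale host, tune them to the handful of legitimate remote logons you expect.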
The credit-card reader at City Newsstand is connected to the PC. When processing a transaction, the credit-card data is sent from the reader to the PC, and then over the Internet for approval from the processor. The software the hacker installed intercepted and made a copy of the credit-card data before it was sent to the processor. The stolen credit-card data was sent to a server based in Russia and to a Yahoo email address.
The hacker’s software was detected and removed on June 23, 2010, more than a year after a hacker first gained access to City
Source: WSJ reporting
Photo: Clayton Hauck for The Wall Street Journal