Given the massive news coverage about payment card security since December in the wake of Target Corp.’s huge data breach and other ones at Neiman Marcus Group and Michaels, you might think that data protection is top of mind among small-business owners. Not so, according to results of a new poll by Newtek Business Services Inc. Nor are small businesses very aware of Europay-MasterCard-Visa (EMV) chip cards, discussion of which exploded in the media as a more secure alternative to magnetic-stripe cards.
Meanwhile, two more merchants are confirming intrusions into their card-processing systems—beauty-products retailer Sally Beauty Holdings Inc. and prominent jam-and-jelly producer J. M. Smucker Co., which operates an e-commerce site that is temporarily offline. How much cardholder data may have been compromised in those incidents, however, is unclear.
New York City-based Newtek provides loans, e-commerce services, payment card processing and other services to a customer base of more than 100,000 mostly small and mid-sized businesses. In a February customer poll that garnered 1,400 responses, Newtek asked, “Based on the recent credit card security breaches at Target and Neiman Marcus, are you concerned about credit card security at your business?” Sixty-seven percent of respondents said no and only 33% said yes.
In a second yes-no question, Newtek asked: “Are you aware of EMV chip card technology?” Only 37% were aware of EMV; 63% were not.
Newtek president and chief executive Barry Sloane is somewhat dismayed but not startled by the results. “It’s unfortunate, just from the standpoint that business owners are supposed to be concerned,” he tells Digital Transactions News about the security question. “The only thing I can tell you is people don’t worry about stuff until it happens or until it’s too late.”
Sloane also says he’s not surprised about the lack of awareness of EMV, a term few Americans outside of banking and payments circles had heard of until after Target disclosed its breach Dec. 19. “I think that will change over time, but right now business owners are not going to worry about this until the last minute and they really view it as a problem.”
Small-business owners are most concerned about “Obamacare, meeting payroll,” and other concerns more immediate than card security and EMV, according to Sloane. But he expects awareness of chip cards to ramp up quickly as the card networks’ October 2015 liability shift approaches. That shift will transfer liability for fraudulent point-of-sale transactions to the party that could not support EMV. “We are going to start to actively educate our existing portfolio customers on what EMV is,” says Sloane.
The awareness campaign will include telephone calls and emails to merchants. Newtek in the second quarter also plans to roll out an EMV conversion program that will include terminals and cybersecurity services.
Sloane expects many merchant acquirers will be rolling out similar programs soon. “You’re going to see a lot of players out there start to bang the drum a little bit,” he says.
Meanwhile, the KrebsOnSecurity Web site broke news Wednesday of yet another retailer data breach, this one at Sally Beauty, which has more than 2,000 stores in the United States. KrebsOnSecurity wrote that 282,000 stolen credit and debit card numbers hit a popular underground store March 2. Three different banks bought a total of 15 cards at the store, cards they had previously issued to legitimate customers, to determine where the numbers may have been captured. The common point of purchase turned out to be Sally Beauty, according to KrebsOnSecurity editor Brian Krebs.
While acknowledging that hackers tried to infiltrate its computer system, Denton, Texas-based Sally Beauty issued a statement Wednesday that did not confirm card numbers had been stolen. “Recently, our systems detected an attempted intrusion into our Sally Beauty Supply LLC network, and we believe we promptly mitigated potential issues arising from this intrusion,” the statement says. “As a result of our ongoing investigation, which included assistance from a top-tier security firm, we have no reason to believe there has been any loss of credit card or consumer data. We will continue to investigate and actively monitor this situation.”
Sally Beauty told Krebs, who broke the news of the Target and Neiman Marcus breaches, that it had hired Verizon Enterprise Solutions to investigate the intrusion.
Krebs reported Tuesday that Smucker’s shut down its online store last week after it apparently was infected by malware that grabbed customers’ data before they were encrypted. Unauthorized parties gained “access to data files that included personal information such as customer name, address, email address, phone, credit or debit card number, expiration date, and verification code,” Smucker’s said in a post on its site.
The Orrville, Ohio-based firm discovered the breach in mid-February but indicated it may have lasted from December 2012 to this January. Smucker’s is notifying an unspecified number of customers by mail.
“We believe an unauthorized user utilized a sophisticated scheme to illegally obtain personal information such as customer name, address, email address, phone, credit or debit card number, expiration date, and verification code, as it was being entered during the online checkout process,” the post says. The online store remains closed today.