What Happens When Your POS Isn’t Secure Enough
No one likes talking about cybersecurity. It’s an uncomfortable topic that understandably puts business leaders off. Unfortunately, not talking about it can come with a steep price tag.
In 2018, 2.8 billion consumer records were compromised. And the total cost of all those breaches was estimated to exceed $654 billion.
When you see numbers that big, it’s tempting to assume we’re only talking about enterprise-level, global companies. But that’s just not the case. In fact, nearly half of all cybercrime targets small businesses.
Regardless of the size of your business, cybersecurity should be one of your top priorities. Period.
The cost of cybercrime
Cybersecurity breaches come with both hard and soft costs.
Hard costs are the ones we can easily quantify. These include fines, irreparably damaged equipment and even ransomware payments.
Soft costs are a little harder to estimate, but they’re still profound. For example, consider the hit your reputation would take. If your customers no longer feel they can trust you with their data, they may take their business somewhere else.
But this is all theoretical. Let’s take a look at an actual example of a POS cybersecurity breach.
A case study in cybersecurity disaster
Just last month, Wawa got a lesson in just how painful a cybersecurity breach can be.
With over 850 locations along the East Coast of the US, Wawa is a sizable convenience store chain. But even with the resources to afford solid cybersecurity, cybercriminals still found a way onto their network. How did they do it? Through Wawa’s POS (point of sale) system.
That’s right. Malware was skimming customers’ credit card data… and had been since April of 2019.
A cybersecurity breach is bad enough. But a breach that occurs directly in the POS system is a catastrophe. That gives thieves direct access to credit and debit card numbers, expiration dates and account holder names.
And it leaves Wawa with a PR nightmare and untold potentially lost profits.
Common POS failures
Wawa’s breach, along with other similar data breaches, demonstrates how critical POS security is.
There are more than a few opportunities for missteps during the payment process. Even if malware isn’t skimming your customers’ data, there are plenty of other places where your POS can let you down.
- Usage problems (usually related to employee comfort and training)
- Wrong hardware for your business type or volume
- Software integration issues (affect accounting and reporting)
- Inability to connect to financial institutions or get paid
- Slow connections and payment confirmations
- Poor mobile compatibility
- Human error
If you’re a small business owner, you may have experienced one or more of these failures with your POS system. While a cybersecurity breach is the most devastating, any combination of these problems can add up over time.
Why your POS cybersecurity matters
Your cybersecurity affects your bottom line. There’s simply no way around that.
If you let your POS security slip, you’ll pay in several different ways.
Cybersecurity breaches are expensive. The average cost for a small business is around $200,000. That’s enough to put a lot of small companies out of business.
Even if your company is profitable enough to handle that steep price tag, what about less tangible (but still very real) financial effects? For example, can you afford to pull your salespeople from ROI-generating activities to have them focus on customer service while your clients call with questions about their data?
In the wake of their breach, Wawa established a dedicated call center for dealing with customer questions about data theft. The company is also offering free credit card monitoring and protection from identity theft to those potentially involved.
None of that is inexpensive.
The average cost for a small business is around $200,000. – CNBC
There are no federal laws that clearly spell out who’s liable when a data breach occurs – yet. But that doesn’t mean you’re off the hook legally.
You’re almost certainly obligated to let your customers know their data has been compromised. If you work in a regulated industry, like the medical field, there may also be regulatory requirements and even fines.
In the case of the Wawa breach, it’s not clear how the breach will put their customers at risk. And to make matters worse, the legal consequences of data theft can linger for years. It will be some time before the legal aspects of this breach are settled.
“… all states require organizations to notify customers and in some cases regulators if a data breach occurs impacting residents.” – Thomson Reuters
When a company suffers a data breach, people notice. Remember when Target was hit with a successful cyberattack? That was back in 2013. Or the Experian data breach in 2017? We’ll be talking about that one for years to come.
Especially when a breach is tied directly to your POS, customers take note and may even change their shopping patterns. Who cares if you have the best prices, the best customer service, or the best buying experience if you can’t keep your customers’ data safe?
Just one data breach can undo years of successful reputation management.
“The 24-hour news cycle and real-time access to information can elevate a data breach event to broad consumer awareness in hours.” – CPO Magazine
We’ve looked at the financial, legal, regulatory and marketing implications of a data breach. Now let’s talk about what’s ethical.
When customers share their banking information with you, they’re making a statement of trust. You need to honor that trust. You have an obligation to do everything that’s reasonably in your power to protect customer and employee data.
A bare minimum approach to cybersecurity simply isn’t enough. Everything from your data storage to your POS should be thoughtfully considered. Not only will that save you money, but it’s also the right thing to do.
“…think about what really matters when it comes to cybersecurity. Underneath the concerns about data safety and your bottom line, the thing really worth protecting is… people.” – KME Systems
6 ways to reduce your risk
Fortunately, there are things you can proactively do to avoid the kind of breach Wawa suffered.
Here are some tips you can start using right away to reduce your risk.
- Evaluate security vulnerabilities in your POS system. If your POS isn’t up to the job, it’s time to switch to a new one.
- Use the right POS hardware for your business. Your needs will vary depending on whether you have stationary cashiers, mobile sales, or online sales.
- Encrypt data whenever possible throughout your system to thwart hackers.
- Don’t leave customer data where it could be compromised. If you must write down credit card information, develop a system to safely destroy it.
- Be cautious about who you hire. Employees who handle sales and credit cards are being trusted with a lot. Check references, and make sure workers understand how your POS system works to reduce human error.
- Hire a cybersecurity consultant to evaluate your current system and make recommendations for improvements.