News of a data breach affecting 40 million Target shoppers is spreading through the news today and wineries should take note.
Consumers who made purchases at the retailer between Nov. 27 and Dec. 15 may have had their data stolen—including name, credit and debit card numbers and expiration dates, as well as the three-digit security codes located on the backs of cards. There's no word yet about how the thieves managed to walk away with so much information, but it is alarming: As one of the country's largest retailers, Target spends millions of dollars on credit card security, and something like this, in theory, should not have happened.
Many wineries believe that they're too small to be the target of a data breach, but in fact the opposite is true. "Small" wineries don't have the funds to fight data theft the way national and global corporations do, making them easy prey. The costs of a data breach, as Target is about to learn, are much more than refunding banks for the fraudulent purchases made.
"In addition to the fraud-related losses, banks may start charging Target a higher merchant discount rate, which is the amount retailers pay banks for providing debit and credit card services. While the percentage difference may be tiny, it could result in steep costs given the volume of transactions Target does, Avivah Litan, a security analyst with Gartner Research, told the Associated Press.
Litan added that the company could also face class action lawsuits from consumers, though most of them will be meritless, and fines from federal agencies. When combined, the costs of the breach could be so steep that they actually prompt Target to raise prices, she says."
In our September 2013 issue, writer Mary-Colleen Tinney wrote an excellent introduction to PCI Compliance and all that it entails, detailing why wineries of all sizes should adhere to its preventative policies. You don't want to be the one putting your business at risk of a data breach. You can read her story here.
This news should serve as a harsh reminder that data theft can happen anytime, anywhere, to anyone—even a winery. The costs of such a breach, from covering all the fraudulent charges, providing credit monitoring for a year to those affected, fines, etc., could put a winery out of business.
Below are the Top 10 PCI Compliance Tips from her story.
Top 10 PCI Compliance Tips
• Do not store any credit card data, on paper or electronically, unless it is absolutely necessary. If credit card information must be stored, use an encryption and tokenization system to store and access it.
• Never write down credit card information; if it is written down, destroy that record as soon as possible after your business use.
• Know what personally identifying information is on your computer system or network, where it is on the system and from how many different places that information can be accessed.
• Limit access to the system: Only let employees have access to information that is necessary for their jobs; if credit card information is stored, only critical employees should be given access.
• Install firewalls on your system to prevent attacks from outside sources.
• Change computer passwords every 90 days, using complex, difficult-to-crack passwords.
• Monitor your systems and keep them up-to-date; install security patches and updates from the hardware or software provider. Perform vulnerability scans on a regular basis.
• Educate employees about the importance of PCI compliance and your company’s process for protecting credit card information.
• Work with certified PCI-compliant technology partners.
• Contact your payment processor or merchant acquirer if you need help becoming PCI-compliant: most will work with you at little or no cost.
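To make the first tip concrete, here is an added example (not from Tinney's story or any vendor's product) of what "tokenization" means in practice: the order system keeps only a random token and a PCI-style masked number, while the full card number lives solely in a separate vault. The `TokenVault` class, the test card number and the order record are constructed for illustration; a real vault would also encrypt its contents at rest and sit on its own locked-down system.

```python
import secrets

# Constructed example illustrating tokenization for card data (PCI tip 1).
# Only the vault ever sees a full PAN; everything else stores a token plus a
# masked display value, so a breach of the order database yields no usable cards.


def luhn_valid(pan: str) -> bool:
    """Reject malformed card numbers before they ever reach the vault."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS permits showing at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Minimal token vault: maps random tokens to PANs and back (assumed design)."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}   # same card -> same token

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        if pan not in self._token_by_pan:
            token = secrets.token_urlsafe(16)     # random; derives nothing from the PAN
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        """Only the payment step, inside the PCI-scoped system, may call this."""
        return self._pan_by_token[token]


def record_order(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the winery's order database is allowed to keep: no full PAN."""
    return {"card_token": vault.tokenize(pan), "card_display": mask_pan(pan), "amount": amount}
```

Run `record_order(TokenVault(), "4111111111111111", 89.50)` and note that the returned record contains the token and `411111******1111` but never the full number.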