Within the midst of the more than 70 million consumers that were impacted by the massive hacking of credit and debit card account numbers and theft of personal data through retailer Target Corp. were small businesses – that likely have much more to lose.
While hard figures are not readily available on the number of actual companies that were affected by the breach, according to Chargebacks911, a Tampa Bay, Fla.-based dispute mitigation company online retailers are drawing a $279 loss for every $100 of fraud loss, partially attributed to chargebacks and their associated costs.
“This series of breaches will likely hit businesses harder than consumers, especially when it comes to debit card fraud,” said Jani Gode, vice president and division manager of the risk management and payments group at SightSpan Inc., a Mooresville, N.C.-based global management consulting group and financial crimes solution provider.
She added, “Small businesses may find funds frozen for some time, resulting in an inability to pay vendors, employees and meet other operating needs. Imagine a small business that needs to make payroll with its funds frozen for a two-week investigation – that could be devastating.”
Businesses could also be impacted more harshly because it may be easier to hide fraudulent transactions on a business account versus a consumer account, Gode said. Businesses also typically have many more transactions and each transaction amount could be much higher, she noted.
Meanwhile, credit unions continue to keep a keen eye on the fallout from the Target breach with some responding quickly to the crime by replacing members’ cards. As for business members, the breach’s impact may depend on the type of account they have – for instance, whether it’s a corporate client or small business, said Jeannie Sugaoka senior vice president of support services at the $1.7 billion Technology Credit Union in San Jose, Calif.
“In general, though, the impact on a small businesses member account is the same as the impact for consumers. Many of our small business accounts at Tech CU are treated like consumer accounts,” Sugaoka said.
Under Visa’s zero liability policy, the credit union’s small business members will not be held accountable for any signature-based transactions they did not initiate on their debit card, Sugaoka explained. However, unauthorized PIN-based debit card transactions for business accounts would typically not be covered by the zero liability policy but would be subject to the liability limits policy of their specific financial institution.
Most, but not all, financial institutions go beyond what regulations require and limit debit card liability to $50 for unauthorized use of a credit card before notification to the card issuer, Sugaoka added.
Following the Target breach, Sugaoka said, Tech CU investigated its card data and notified affected members to determine if replacement cards were needed. The credit union also encouraged both individual and business members to check their accounts via online or mobile banking and to let the cooperative know about any suspicious activity. A few clues that a business’ system may have been hacked include changes in a computer’s performance, loss of speed, unexpected re-booting and pop-up messages, Sugaoka offered.
Next Page: Lawyering Up
Besides financial losses that can stem from a breach, businesses may also face consumer and class action lawsuits, said Mike Angelinovich, CEO of OHVA Inc., a security service provider in San Jose, Calif. Likewise, Reputation is also at stake, he emphasized.
“Businesses have so many accounts, it’s more difficult to monitor and once they determine a fraudulent hit, it becomes much more costly to notify customers, cover costs to address customer credit bureau activity and then put in place additional security enhancements,” Angelinovich said.
If such a large chain like Target can be easily hit, Angelinovich pointed out, smaller stores and businesses accounts using debit and credit card transactions with, more likely, less security in place, are even more vulnerable.
“Looking back on the history of online banking attacks, it was the large banks that were hit initially and then as they increased their security, the hackers started focusing on smaller banks and credit unions. I would think that the trend will be similar for small businesses,” Angelinovich said.
Some of the protection solutions used for businesses are the same for consumers such as detection monitoring, anti-virus software and strong multi-factor authentication solutions, Angelinovich said. Still, many additional protection solutions are required for businesses such as VPN system access controls along with hardware system solutions to protect internal storage systems, for instance.
Since commercial bank accounts do not have the insurance coverage that consumer bank accounts have, Angelinovich urged the use of a strong multi-factor authentication solution with additional security layers in place as required by the Federal Financial Institutions Examination Council.
“MFA solutions using an IP address or a cookie are not secure enough against today’s online exploits,” Angelinovich said. “I would also suggest a second authentication prior to any online account money transfers, followed by an old-fashion phone call to the credit union. For commercial accounts, I would stay clear from using mobile banking, as security is still weak.”
At Tech CU, business and individual members have access to several tools to help spot suspicious transactions, Sugaoka said. The credit union offers free eNotifications for small businesses and individuals on account activity. Tech CU’s larger corporate clients use a different online banking system.
Through mobile banking, members can also monitor account activity, check balances and view account history and spending pattern graphs, which can help members report anything that is out of the ordinary as quickly as possible. Tech CU also provides a fraud and security resource page on its website that includes the latest member updates and fraud prevention news.
Gode said the Target breach could reverberate for some time to come.
“I believe the bigger fallout will be Congress investigating and prompting stronger controls at retailers and a push to EMV implementation, the SightSpan executive said. “By all accounts, Target was (Payment Card Industry Data Security Standard) certified, but that did not seem to protect them. It will be interesting to see what other merchants were impacted.”