MSPs: Your Retail Client Had A Credit Card Breach, What Do You Do Now?
If a retail client contacts you because they recently had their customers’ credit card information stolen, you should have no problem sensing the panic in their voice. Understandable, especially considering that a credit card breach can be incredibly devastating to a business of any size—just think of the headlines that Target’s recent credit card breach resulted in.
Because small businesses have a smaller customer base and depend upon the loyalty of those customers, incidents like this can be even harder on them. But restoring a customer’s faith is possible, especially with a winning combo: smart PR and an advanced security suite that ensures full compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Whether this is a client you’ve been working with for a while, or (perhaps more likely) one that’s contacted you as part of the emergency clean-up, your role as a skilled MSP is to lead them along the road to credit card breach recovery.
First things first: after notifying the appropriate authorities, your client is going to have to notify each and every customer about the breach and the extent of the information that was compromised. Now, I’m a security guy and not a PR rep, but I’d imagine that shortly after notifying each customer, a heartfelt apology email should follow, including a genuine written commitment to aggressively and proactively secure the network by finding and removing the loophole that allowed the breach.
Now it’s time to sit down with your client and assess where they are, in terms of PCI compliance. How did the breach occur? What can be done, immediately, to rectify the situation? If your client were to face a PCI audit tomorrow, how would that go for them?
Chances are, if they had credit card information stolen from them, they weren’t PCI compliant to begin with, and there’s more than one loophole in their security policies and protocols. If they have any hope of rebuilding their business and customer base, they need to get PCI compliant—and fast. Acting proactively will also help when the major card brands bring down the axe (dishing out fines, refusing to process transactions, etc.). If your client can show they are taking serious steps to ensure a credit card breach never happens again, they’ll be in a much better position to argue their case.
Fortunately, today’s advanced security software suites offer a fast and easy route to full PCI compliance. With an effective password management/network security suite, you can set up your client’s systems to meet PCI requirements in all of these areas:
Passwords: Use your password management system to enforce a strong password policy with password templates and auditing.
Access control: Ensure that only users who need access to cardholder information for their job role can access it, and make it easy to change permissions when a user leaves the company or switches job roles.
Require two-factor authentication for off-site access: Users who are trying to access the network off-site will need to present not only their password, but also another security “factor,” like a fingerprint scan or (more affordably!) a one-time code generated by a secure mobile app on their smartphone. Two-factor authentication matters because it makes the network far more resistant to outside attack—even if a hacker gets their hands on a password, they won’t be able to present the required second factor.
Auditing and reports: Your program should generate and store detailed records of network activity and security-related events (failed logins, permission changes, access to cardholder data, etc.), so that any incident can be traced back to a specific user.
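The auditing requirement above is only useful if someone actually reads the records and can answer “which user was this?” The following is an added example (not from the original post or any vendor’s product) that parses a small, constructed audit log, counts failed logins per user, flags accounts with repeated failures inside a short window, and traces every access to a named resource back to a user and host. The log line format, the hostnames, usernames and addresses, and the six-failures-in-ten-minutes threshold are all assumptions made up for this example; the threshold in force comes from the PCI DSS version your client is assessed against.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (hosts, users and addresses are made up).
SAMPLE_LOG = """\
2024-03-01T09:15:02Z pos-01 event=login user=jsmith src=10.0.5.14 result=fail
2024-03-01T09:15:40Z pos-01 event=login user=jsmith src=10.0.5.14 result=ok
2024-03-01T09:16:10Z pos-01 event=access user=jsmith resource=cardholder_db result=ok
2024-03-01T09:20:01Z vpn-gw event=login user=admin src=203.0.113.7 result=fail
2024-03-01T09:20:05Z vpn-gw event=login user=admin src=203.0.113.7 result=fail
2024-03-01T09:20:09Z vpn-gw event=login user=admin src=203.0.113.7 result=fail
2024-03-01T09:20:13Z vpn-gw event=login user=admin src=203.0.113.7 result=fail
2024-03-01T09:20:18Z vpn-gw event=login user=admin src=203.0.113.7 result=fail
2024-03-01T09:20:22Z vpn-gw event=login user=admin src=203.0.113.7 result=fail
2024-03-01T10:02:44Z pos-02 event=access user=mlee resource=cardholder_db result=denied
this line is malformed and must be skipped rather than crash the review
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>.+)$")


def parse_event(line: str):
    """Parse one 'timestamp host key=value ...' line; return None if unusable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None  # timestamp does not parse: treat the line as malformed
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    if "event" not in fields or "user" not in fields:
        return None
    fields["ts"] = ts
    fields["host"] = m.group("host")
    return fields


def parse_log(text: str):
    return [ev for ev in (parse_event(l) for l in text.splitlines()) if ev]


def failed_logins_by_user(events):
    """Total failed logins per user, regardless of timing."""
    counts = defaultdict(int)
    for ev in events:
        if ev["event"] == "login" and ev.get("result") == "fail":
            counts[ev["user"]] += 1
    return dict(counts)


def flag_repeated_failures(events, threshold=6, window=timedelta(minutes=10)):
    """Users with >= threshold failed logins inside any sliding window.

    Returns {user: {count, first, last, sources}} for the first window that
    trips the threshold. Threshold and window are assumed parameters.
    """
    per_user = defaultdict(list)
    for ev in events:
        if ev["event"] == "login" and ev.get("result") == "fail":
            per_user[ev["user"]].append(ev)
    flagged = {}
    for user, fails in per_user.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                span = fails[start:end + 1]
                flagged[user] = {
                    "count": len(span),
                    "first": span[0]["ts"],
                    "last": span[-1]["ts"],
                    "sources": sorted({e.get("src", "?") for e in span}),
                }
                break
    return flagged


def trace_resource_access(events, resource: str):
    """Every recorded access to `resource`, as (time, user, host, result)."""
    return [
        (ev["ts"], ev["user"], ev["host"], ev.get("result", "?"))
        for ev in events
        if ev["event"] == "access" and ev.get("resource") == resource
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failed logins:", failed_logins_by_user(evs))
    print("flagged:", flag_repeated_failures(evs))
    for row in trace_resource_access(evs, "cardholder_db"):
        print("cardholder_db access:", row)
```

Two details matter in practice: the parser drops malformed lines instead of raising, so one corrupt entry cannot stop a review, and the repeated-failure check uses a sliding window over sorted timestamps rather than a daily total, which is what lets it separate one user mistyping a password from a burst of attempts against an admin account from an outside address.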
Dealing with the aftermath of a credit card breach is never easy, but following PCI best practices—and continuing with those best practices long after the breach—is the best way to repair the reputation of your client and secure your role as rock-star PCI compliance expert.