Matt Tomlinson: Credit Card Breaches

Don’t be the criminal hacker’s next “Target.”

M. Jay Heilbrunn, The Distribution Board

“Because that’s where the money is.” These were the words supposedly uttered by the infamous bank robber Willie Sutton when a reporter asked why he robbed banks (although Sutton later denied ever saying this). Throughout history, the same logic explains why any bank robber, or other thief, chooses a particular target.

Today, this rings true even in the cyber world, where business computer networks are breached almost daily. This high-tech cat-and-mouse game has very real-world consequences for the victim business, both financially and in reputation. One in five businesses fail as the result of a data compromise. The thief, on the other hand, runs a much lower risk of even being identified or apprehended, which is one reason why cyber crime is so prevalent.

You’ve likely read about the Home Depot and Staples breaches, as well as the Target breach that occurred during the holiday shopping season in 2013, which compromised approximately 70 million credit card numbers and customer information records.

How hackers targeted Target

The data was stolen from Target’s computer network via malware (malicious software) called RAM scrapers or memory parsers. These tools allow attackers to “scrape” credit card data while it momentarily rests unencrypted in the RAM of a computer or POS system, without affecting the legitimate sale transaction. This can be done even if the merchant does not store the credit card data long term.

We often see the same reasons behind computer network breaches: simple passwords that can be easily “brute forced” or guessed with dictionary-based password-guessing software, or improperly configured remote access (such as for bookkeeping) in which the remote access software still has the default password enabled.

If you own or run a small or medium business (SMB), you may not think of your business as a “Target” (no pun intended) for hackers, but the opposite is actually true. In fact, most industry statistics tell us that over 90 percent of current breaches hit SMBs. The U.S. National Cyber Security Alliance found that some 60 percent of those small businesses go out of business within six months after an attack.

We often see hackers looking for the path of least resistance, and this is often SMBs, because of the perception that their security is weaker. After all, if you were a bank robber, would you rather go after Fort Knox, or a small financial institution that likely doesn’t have as many layers of security in place?

Protect Yourself with PCI

So you may be asking, “How can I reduce the chances of my business getting breached?” The answer is through PCI compliance.

PCI is a data security compliance framework that was built by Visa, MasterCard, Discover and American Express and is maintained to help businesses secure their computer networks against credit card compromises. It is not a guarantee that your business cannot be breached, but it represents the minimum best practices based on the current threat environment.

Depending on how you accept credit cards and how this data flows through your computer network, achieving PCI compliance may present certain challenges and may require technical assistance, but it is effective at its goal of protecting credit card data. Like many compliance frameworks, PCI is designed to reduce your risk by reducing the chance of a computer breach, thereby protecting your brand and reputation.

The PCI requirements are updated every three years, and version 3.0 is upon us. All businesses are required to migrate to the new version during annual PCI renewal. There are other requirements within the new standard that may affect your PCI compliance validation. A good resource is a recorded webinar from Trustwave in which they discuss the changes and how to prepare for them. The webinar, which lasts about 30 minutes, can be accessed at

Wind River Financial runs a program called PCI Partner in partnership with Trustwave, a data security company, which helps our customers achieve and maintain PCI compliance to reduce data breach risk. This is done by working through a compliance questionnaire on a web portal. The process helps identify vulnerabilities or weak spots in your computer network or in your business practices.

In addition, Wind River also provides Breach Protection, which offers up to $100,000 in recovery if your business should experience a data breach. We encourage you to take the time to get through PCI validation and make security business as usual. Don’t be easy prey for hackers who are just looking for an easy “Target.”

Matt Tomlinson, CPP, is director of sales for Wind River Financial. Tomlinson can be reached by email at or online via the website at