Small businesses are more at risk of data theft, fraud, and misuse than their larger counterparts [1].
In 2021 and 2022 respectively, 46% of all data breaches [2] and 82% of ransomware attacks [3] affected businesses with fewer than 1,000 employees.
The most common financial data security risks for small businesses are malware, viruses, ransomware, and phishing attacks. Cyberattacks have spiked since the onset of COVID-19, chiefly due to the rapid expansion of unsecured networks, increased use of personal devices, and the lack of data monitoring associated with remote work [4].
According to IBM [4], the top data breach access vectors include:
The principal motivation for hackers is financial gain, making payment data an obvious target.
The average cost of a data breach is now nearly $4 million globally, a figure that has risen 12% in the last five years [7]. When a Colonial Pipeline staff member’s login information was stolen on the dark web in 2021, the company was forced to shut down pipelines supplying 45% of the East Coast’s fuel and pay a $2.1 million ransom in cryptocurrency to the hackers [4].
All businesses storing or using customer payment data must meet Payment Card Industry Data Security Standard (PCI DSS) financial data security compliance requirements. If a business is unable to demonstrate compliance, it could face fines and investigation, class-action lawsuits from unhappy customers, and government penalties.
Further risks include reputational damage and negative press. One study found 65% of data breach victims would lose trust in an organization if it fell victim to a data breach, while 80% stated they would move to a competitor [8].
Hackers use customer payment data, payroll data, and login details to make fraudulent purchases or access bank accounts. They also use social security numbers, names, and dates of birth to access health insurance or benefits in someone else’s name, apply for fraudulent passports and ID cards, and access someone else’s credit to take out loans.
Additionally, financial data has value to other criminals. Hackers can sell credit card numbers and identity information on the dark web for high prices. According to current estimates, stolen information can be worth anything from $65 to $120 per account [9].
To securely accept customer payments, a business must meet 12 PCI DSS requirements for financial data protection. These include building and maintaining a firewall-protected network, regularly testing it, and restricting access to the data it stores.
Businesses are also required to use encrypted payment gateways and tokenization for card data protection.
Shared data is vulnerable data.
For this reason, businesses should only work with reputable vendors that take payment security seriously. Otherwise, they risk being affected by a breach for which a third party is responsible. Third-party payment processors should encrypt and tokenize data as standard, monitor and update their systems, comply fully with financial data security regulators, and preempt risk.
A clear data retention and disposal policy is essential for thorough data management, regulatory compliance, and effective disaster recovery. Demonstrating how, when, and why a business processes data will also win the trust of customers and clients. This living document should be updated as regulations, storage environments, and backup solutions change.
According to the PCI DSS, businesses of all sizes should store as little financial data as possible and delete it when the minimum retention period has passed, unless there is a valid reason to retain the data. This reduces the number of customers harmed if data is stolen.
Compliance makes financial data security rigorous and standardized, which lowers a business’s data breach risk.
Different businesses need to meet different national and international data regulations, based on where they are regulated. For example, medical businesses will be required to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Businesses operating in Europe, meanwhile, will need to comply with the European Union’s General Data Protection Regulation (GDPR). Know Your Customer (KYC) and Anti-Money Laundering (AML) laws also require businesses to verify their customers’ identities and report any suspicious behavior.
Continuous monitoring of financial data helps businesses identify breaches, manage risk, and initiate disaster recovery quickly. A well-defined incident response plan can prevent data loss, save time and money, and create a more secure and compliant data storage environment going forward.
A clear data audit trail can also help businesses comply with regulatory requirements. Intrusion detection systems and security event monitoring will spot malicious activity in a business’s network and monitor data security in real time.
In the event of a financial data breach, businesses should:
● Secure systems and fix vulnerabilities
● Prevent additional losses
● Work with data forensics specialists
● Understand legal and regulatory requirements
● Develop a communications plan to inform customers, staff, and third parties
Financial data security compliance is the responsibility of all businesses. Clear regulatory requirements, comprehensive audits, and practical recovery processes can help to protect both small businesses and their customers from potential hackers.
Sign up to PayPal for Business to keep your customers’ financial data secure and access smart risk management technology.