If you have the ability to access your computer system from an offsite location, the use of the technology that provides you “remote access” is usually a godsend. It can eliminate the need to drive back to your office or store to solve a problem there. It also saves time in case your computer or POS vendor needs to run an update or solve a more significant issue.
But there is also a serious potential downside.
Because remote access is, in essence, a back door to get into your system, the bad guys also can get in under the wrong circumstances and create mischief or cause you serious financial damage.
If they do get in, chances are it is not because of something you have done (other than giving keys to trusted vendors or other “partners”), but something that one of those “partners” has done.
In more and more cases, retailers using POS cash register systems that also handle merchant processing transactions have had data breaches because a “bad guy” hacked the system of one of their vendors.
How do bad guys gain entry to your system from your vendor’s? The hacker lurks on the vendor’s system until the vendor accesses your system for a legitimate reason. And when the vendor does that, it’s like giving the bad guys a copy of the keys to your back door. At some point in the future, the hacker will enter to create havoc.
In one recent case, a retailer’s system was accessed in just that manner, and the retailer ended up with about 2,000 card numbers exposed. When that happens, unfortunately, the card associations look to the retailer for compensation because the retailer is the “merchant.” Any contract the retailer has with the vendor does not normally include the card association.
What that means is that the retailer, in most cases, ends up paying the bill and having to collect from the vendor — but only if the retailer’s contract with the vendor allows for that. In some cases, because the bad guys don’t usually “hack” just one system, the vendor ends up with hundreds of client data breaches.
If you have a POS system that allows for remote access, you should talk with your IT specialists to determine the best way to protect your data from this type of hack. You should also review the business case for each point of remote access and ask yourself, “Do I really need this turned on?” In some cases you may find that the risk is simply too great.
The risk is great because the cost of one of these data breaches can easily run into the tens of thousands of dollars.
In today’s economic climate, most businesses would have trouble coming up with that kind of money, and most commercial insurance doesn’t cover that type of loss. In the case of merchants who process with Michigan Retailers Association, we automatically provide (as part of the normal monthly fee you pay for merchant processing) $100,000 worth of data breach coverage, just in case “bad things happen to good people.”
Even if you process with MRA you should still have that conversation with your IT folks. If you process elsewhere and don’t have this kind of data breach coverage, you should ask about it right away or give us a call.
John Mayleben, CPP, is Michigan Retailers Association senior vice president, technology and product development, and a national expert on electronic payment processing. He is the first person in Michigan and among the first in the nation to receive the Certified Payments Professional designation from the Electronic Transactions Association.