Data security challenges small firms.
by Swartz, Nikki
According to a recent survey conducted by Visa USA and the National
Federation of Independent Business (NFIB), 57 percent of small
businesses do not consider securing customer data something that
requires formal planning, and 39 percent said they rely on common sense
to keep data safe.
With the frequency of data breaches today, that's just not
good enough. Visa recently announced a program to help U.S. small
businesses improve their security by urging them to reduce the data they
store.
"Data security breaches involving payment card information
occur at small businesses more frequently than at all other merchant
levels combined," Michael E. Smith, Visa USA senior vice president
of enterprise risk and compliance, said in a release.
Visa and NFIB have partnered to educate small businesses on data
security threats and how to successfully avoid them. As part of their
efforts, Visa and NFIB have developed free educational materials and
tools, available at www.nfib.com/object/IO_32561.html, to help small
businesses protect themselves from data fraud.
Visa said small businesses should evaluate all cardholder data that
they currently store. Visa's campaign to educate merchants about
cardholder data security stresses the message, "Don't store it
if you don't need it."
"Minimizing data storage is the easiest thing a small business
can do to mitigate risk," Smith said.
Visa's program also calls for acquiring financial institutions
(those that contract with merchants for acceptance of Visa card
payments) to strengthen their existing data security efforts to identify
and address risks among their small merchant customers, including
identifying whether merchants are storing sensitive account data and are
complying with the industry-wide Payment Card Industry Data Security
Standard, a mandatory compliance guideline developed by the major credit
card companies to help organizations that process card payments prevent
credit card fraud, hacking, and other security threats.
Acquirers were required to provide Visa with a summary of their
small merchant compliance plans by July 31, 2007. As part of their
plans, acquirers must explain how they will identify where the greatest
potential security risks exist in order to manage them. According to
Visa, factors such as the likelihood of sensitive data retention,
transaction volume, market segment, acceptance channel, and number of
locations can help qualify or quantify a merchant's risk level and
may be used by acquirers to categorize merchants into specific risk
groups.
Visa also is asking acquirers to verify that small businesses are
not retaining prohibited cardholder data (including magnetic stripe and
PIN data) after transaction authorization. "This is precisely the
kind of data most sought by hackers because of its use in counterfeiting
payment cards," said Smith. "Merchants who store this
sensitive data are placing their businesses in the cross-hairs for
today's data thieves."
In some cases, small businesses unwittingly store prohibited
cardholder data because the systems they use to process payments store
it by default. To avoid that problem, Visa strongly recommends that
acquirers make merchants aware of its list of payment applications that
have been validated as being compliant with the Payment Application Best
Practices, which can be found at www.visa.com/pabp. Acquirers should
also make certain that their small business customers do not use
vulnerable payment applications that have been previously identified as
storing prohibited data.
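A defender-side check for the retention problem described above, written as an added example that is not part of the original article or of Visa's or NFIB's materials: it scans constructed sample records from a hypothetical payment application's transaction log for full magnetic-stripe track data (ISO/IEC 7813 Track 1 and Track 2 layouts) and for unmasked PANs, the kind of post-authorization storage an acquirer would want to confirm is absent. The log format is invented for the example; PIN data has no recognizable pattern and is out of scope.

```python
import re

# Constructed sample of what a payment application's transaction log might
# retain after authorization; the format is hypothetical, not any real product's.
SAMPLE_RECORDS = [
    "2007-07-12 10:31:02 AUTH ok pan=411111******1111 amt=42.10",
    "2007-07-12 10:31:02 TRACK2 ;4111111111111111=09121011000012345678?",
    "2007-07-12 10:32:40 TRACK1 %B5500000000000004^DOE/JANE^0912101123456789?",
    "2007-07-12 10:33:15 AUTH declined pan=4111111111111111 amt=9.99",
    "2007-07-12 10:34:00 SETTLE batch=17 count=3",
]

# ISO/IEC 7813 layouts: Track 1 is %B<PAN>^<NAME>^<YYMM><service code>...?
# and Track 2 is ;<PAN>=<YYMM><service code>...?  (sentinels may be stripped).
TRACK1_RE = re.compile(r"%?B(\d{13,19})\^[^^]{2,26}\^\d{7}[^?]*\??")
TRACK2_RE = re.compile(r";?(\d{13,19})=\d{7}[^?]*\??")
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, used to filter random digit runs from PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_prohibited(record: str) -> list:
    """Return the kinds of prohibited or sensitive data found in one record."""
    findings = []
    remainder = record
    for kind, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        if pattern.search(remainder):
            findings.append(kind)
            remainder = pattern.sub(" ", remainder)  # avoid double-counting its PAN
    if any(luhn_ok(m.group(1)) for m in PAN_RE.finditer(remainder)):
        findings.append("pan")  # full, unmasked PAN outside any track
    return findings


def scan_records(records) -> dict:
    """Map 1-based record numbers to their findings, omitting clean records."""
    result = {}
    for n, rec in enumerate(records, 1):
        found = find_prohibited(rec)
        if found:
            result[n] = found
    return result
```

Running `scan_records(SAMPLE_RECORDS)` flags records 2, 3 and 4; the masked PAN in record 1 and the settlement line in record 5 pass.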
COPYRIGHT 2007 Association of Records Managers &
Administrators (ARMA) Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.