ETA Expert Insights: Why Security Matters for Small Business Leaders
By Jennifer Reichenbacher, SVP Channel Marketing at PaySafe and Chair of the ETA Retail Technology Committee, and Russ Palay, VP Product at Nuvei and Vice Chair of the ETA Retail Technology Committee.
Welcome to a new series from the ETA Retail Technology Committee. We focus on retail technology and security, especially for small business owners and ETA member companies that support this incredibly powerful retail audience. In the following piece, we unpack the ‘Why?’ for small businesses and retail payments technology. This series will continue online in the coming months with additional insights and articles geared to our small business audience and further unpacking retail security.
Our 30 million small businesses in the United States (U.S.) are a powerful force in retail. Small businesses employ 59 million people in the U.S., or 47.5% of the workforce, and they’ve been responsible for over 60% of new jobs in the U.S. since 1993. Many small businesses are also at the forefront of innovation as technologies unlock new ways for consumers to locate and purchase the products and services they need. Think of the food truck that accepts card and mobile payments with a simple dip or tap where just a few years ago they were likely only accepting cash. Think about the corner store with a sleek tablet that remembers your unique loyalty number and emails you a receipt, or the craft-maker who can sell her goods to anyone in the world with a few clicks of a button. This is the payments world today. New retail technologies are expanding the opportunities for small businesses: in store, online and/or on the go.
Businesses that accept electronic payments are safer and better off than businesses that only accept cash. Electronic payments are transparent, traceable, and equipped with many layers of security protections. But this doesn’t mean that, if you’re a small business that accepts electronic payments, you can stop caring about security. In fact, you play a critical role not only in keeping your own business safe, but in ensuring the safety of our entire commercial ecosystem.
The stakes are high. The average cost of a retail data breach in the United States is $5.9 million and rising every year. While this estimate varies depending on the size of the data breach and the organization, a survey by Bank of America Merchant Services (BAMS) found that nearly 40% of SMBs that experienced a data breach said the incident cost them more than $50,000. The average cost per record breached is $233, according to estimates from IBM. Most worryingly, about 43% of all cyberattacks are estimated to target small businesses. The same BAMS survey also found that 22% of consumers who had personally had their information stolen would not shop at a small business that had experienced a data breach.
And it doesn’t stop there. As more and more personally identifying information (PII) is exposed in online data breaches, it becomes easier for criminals to fabricate new customer identities and use those to perpetrate more fraud. This is known as synthetic ID fraud. By some estimates, up to 1.5 million consumers have had their stolen PII used to create fraudulent new accounts. When other businesses suffer data breaches, they leave everyone more vulnerable.
Data breaches are responsible for a huge swathe of ecommerce fraud. And ecommerce retail tends to be more vulnerable to fraud than brick and mortar retail. But even if your business does not accept payments online, you may still be vulnerable to fraud. LexisNexis estimates that for every fraudulent dollar spent, a small brick and mortar retail merchant will lose $2.66 while a small ecommerce merchant will lose only $2.38 in total. Merchants selling digital goods face a much higher fraud multiplier – for every fraudulent dollar spent, a retail merchant selling digital goods loses $3.56, while an ecommerce merchant loses $3.40.
And you may be liable for the cost of that fraud. Starting in 2015, the major card networks imposed a fraud liability shift in the U.S. In a nutshell, merchants who do not accept chip cards (EMV®) are liable for any fraud that would have been prevented by using those chip cards. This is because traditional magnetic stripe cards are extremely easy to counterfeit. They use the same technology as a video cassette. The stripe on the back of such a card contains all the cardholder’s information – name, card number, expiration date, etc. – in a static, easily readable format. On the other hand, the chip in a chip card contains a microprocessor that generates a unique, one-time code for each payment transaction. The chip is incredibly hard to counterfeit. If a criminal tries to use a counterfeit chip card on a terminal that accepts chip cards, the terminal will recognize the transaction as fraudulent. On the other hand, if the merchant’s terminal does not accept chip cards, then that counterfeit card transaction would go through unimpeded and the merchant would be liable for that fraud. Here’s another way to look at it:
| | Consumer uses magnetic stripe card (no chip) | Consumer uses chip card |
|---|---|---|
| Merchant has upgraded terminal (tap, dip or swipe) | Issuer liable | Issuer liable |
| Merchant has not-upgraded terminal (swipe only) | Issuer liable | Merchant/acquirer liable |
Card fraud is expensive and inconvenient. To combat it, the payments industry has developed standards and requirements to keep the ecosystem safe. These work in tandem with government regulations, but the result is that merchants who accept credit or debit payments must comply with a vast and complex set of rules and requirements. Your merchant acquirer and their agents and representatives can provide guidance and streamline the process, but much of the compliance still falls on the small business owner or manager. And failure to comply could result in fines levied by the card brands and/or even losing the merchant account. Your merchant acquirer partner should be a valuable partner in this process.
The cost of a data breach, the cost of in-person fraud, and the potential of termination are three major reasons why SMBs must care about security. Let’s call these the “push” factors. What are the “pull” factors – the benefits of caring about security? There are many. Consumers care about retail security. More and more consumers are opting for security measures like multi-factor authentication and/or biometric authentication. Demonstrating a strong culture of security and good data governance builds consumer trust and attracts new customers.
Consumers also care about convenience. New payment technologies tend to combine a seamless experience with higher security. After all, wouldn’t most of us rather unlock our phones with a fingerprint rather than entering a cumbersome password or PIN? New security technologies work in the background. Instead of entering a one-time code for every single transaction, the consumer only needs to do it if the transaction is flagged as suspicious – for instance, if their card is used in Topeka but their phone is in Toronto. Keeping up with the latest innovations in security saves your customers a lot of time and effort – and turns them into regulars. Every merchant will have different security needs, but security is everyone’s concern, and collaboration is in our best interests.
We encourage you to share this piece with your merchant base.