Several local banks and businesses are taking extra precautions and reviewing procedures in the wake of a data breach that affected millions of customers who used credit and debit cards at Target stores during the Christmas shopping season.
After the security breach at Target was announced, First National Bank of Durango account analysts found 422 of its customers had used credit or debit cards at a Target store in the two weeks after Thanksgiving – when the breach occurred, said Mark Daigle, the bank’s chief executive officer.
The bank sent letters to customers with compromised accounts and reduced their spending limits to $1,000 a day, he said. Other banks lowered customers’ daily limit as low as $300, he added. First National is monitoring those 422 accounts for suspicious activity, he said.
“It’s a manageable number, and it’s the kind of service that you would expect from a community bank,” Daigle said.
Target and federal officials are investigating a breach of the retailer’s financial data system. Thieves were able to collect encrypted PINs, customer names, credit and debit card numbers, card expiration dates, and the embedded code on the magnetic strip on back of the cards were stolen from customers who used credit and debit cards at a Target store between Nov. 27 and Dec. 15.
Daigle offered some advice for credit- and debit-card users to help reduce the threat of becoming victims of data theft.
Foremost, he said, users shouldn’t use easily guessed PIN numbers such “1234” or family members’ birthdates. People shouldn’t write their PIN numbers down and leave them in their purse or wallet either, he said, adding that is a common mistake people make.
It’s also crucial for people to monitor their bank transactions and report any suspicious activity promptly, he said.
Daigle also suggested that card holders write “see I.D” on the back of their credit and debit cards urging merchants to ask for identification to verify the person using the card is the owner.
The threat of security breaches like the one that affected about 40 million Target customers requires local businesses to be on guard, too.
Businesses use point-of-sale software to protect their customers’ credit-card information, said Jim Maloney, chief information security officer for Durango-based Mercury, a payment-processing company.
Malonye said the Target incident wasn’t a wake-up call for his company, but it serves as a reminder that Mercury needs to work closely with its clients to prevent security breaches.
Secure point-of-sale systems can help keep people’s credit information safe, but merchants have to do their part to help protect themselves and their customers, he said.
That joint effort is apparent at Pine Needles Mountaineering on Main Avenue.
Co-owner Ashley Gonnella said the store’s point-of-sales software doesn’t retain customers’ full credit-card numbers. After transactions are complete, the store has access to the last four digits, so it can track orders and handle returns, she said. That means that if any hackers manage to break into the store’s system, they wouldn’t gain access to any useful credit information, she said. The store’s employees also aren’t able to access customers’ credit information, she said.
That’s also the case at Lost Dog Bar & Lounge, said owner Ann Morse. The bar uses a point-of-sales program called Aloha by Kosh Solutions, a competitor to Mercury. Morse said IT employees from Kosh come in frequently to update the software and check for bugs.
The system does not store customers’ credit-card numbers, so they aren’t available to employees or hackers.
She said because her business is small with only about three people working at a time, monitoring credit transactions is not difficult.
Judi Miller, who owns the Durango Lodge on East Fifth Street, said her system saves the last four numbers of a credit card when reservations are made online. Full payment isn’t processed until a guest checks in.
Daigle believes that most online retailers have developed sufficient security systems for safely processing cards. And the Target breach shows that shopping in brick-and-mortar stores isn’t a guarantee against data theft, either.
“Bad guys are going to find ways to get information,” he said.
The best protection is for credit and debit card users to maintain control of their personal information and limit who has access to it.
He also said that banks never ask their customers to send confidential information through email. However, if a customer does believe they have been victimized by a phishing scam, Daigle said they should not be embarrassed to report the incident.
vguthrie@durangoherald.com
How to keep your business’ data safe
Herald Staff Report
Jim Maloney, chief information security officer for Durango-based Mercury Payments, offered these tips on how small businesses can keep their credit information safe.
If your point-of-sale software is installed on general purpose hardware such as a PC, do not use that PC for general Web browsing or for email.
Install anti-virus software and keep it updated. Check for new virus signatures at least weekly.
Use an up-to-date, vendor-supported operating system. Check for new patches weekly.
Use strong passwords of at least eight characters that are hard to guess.
Change any default passwords on purchased network and point-of-sale devices.
Use a firewall between your store’s network and the Internet. Disable any remote maintenance access to point-of-sale devices.
Password protect any wireless routers and use encryption features.
Do not store any sensitive cardholder data on computers or on paper.
Make sure all your employees are aware of the importance of protecting sensitive data associated with your customers and your business.
