The Globe and Mail – 2013
While the economy has started showing signs of improvement, it still has a long way to go. During periods of stalled growth, small businesses look even more closely at their operations so they can maximize revenue streams. One often-overlooked area is payments security and compliance.
According to the Canadian Bankers Association, “banks reimbursed customers for more than half a billion dollars in losses as the result of credit and debit card fraud” in 2011.
Here are 10 tips to help small business owners increase their payments security awareness and protect their businesses.
1. Maintain PCI compliance. Being Payment Card Industry (PCI)-compliant is an absolute must. Make certain your payment processing software security is current and PA-DSS (Payment Application Data Security Standard)-certified, and that your business receives its PCI-DSS (Payment Card Industry Data Security Standard) certification. You have a responsibility to protect your customers’ credit card information, just as you should be protecting all of your customer data. The depth of the required PCI audit will depend on your business volume and systems, but a full PCI audit will offer a scorecard across your business’ payments environment and allow you to make critical changes before security holes are exposed by thieves.
2. Use end-to-end encryption for all sensitive data. End-to-end encryption (E2EE) essentially boils down to scrambling the data sent from one device to another. It starts with your payment capture devices and goes all the way to the transaction being authorized. E2EE technology prevents the card account data from being stolen electronically and lessens the cost and impact for your business to become PCI-certified. A company’s mobile payment devices, credit card terminals, software applications, and online payment portals need built-in encryption functionality when transmitting customer information. Your company should select a technically savvy payments provider that supports E2EE technology.
3. Carefully choose the location of your payment acceptance devices. Scammers often try to tamper with a business’ payment processing equipment in an effort to steal credit card information. Altered equipment usually consists of a small piece of hardware physically attached to the terminal itself. You should keep payment processing equipment in well-lit areas that are regularly monitored by your employees.
4. Educate employees to spot tampering. Employees should remain cognizant of the possibility of tampering. Make certain all employees tasked with the responsibility of accepting credit cards from customers have a working understanding of the looks and functionality of your payment processing equipment. An attentive employee who knows what to look for should be able to easily identify an extraneous device attachment or oddly functioning software.
5. Refrain from storing credit card numbers. To avoid one of the biggest PCI compliance risks, do everything in your power not to store credit card numbers. Look for a payments provider whose platform is designed so credit card information is never stored at your business site or directly in your business software.
6. Use the cloud. Your provider should be able to process a customer transaction and then keep the customer’s card information in a secure “vault” in the cloud. They should provide you with an encrypted ID, so when you want to do another transaction for that same customer, your software can pass the encrypted ID to the payments provider. Doing this will eliminate the need for your company to directly access customers’ credit card information.
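As an added illustration of the vault flow in tip 6 (example code written for this page, not from the article or any real provider): the provider side is simulated by a hypothetical `ProviderVault` class, the merchant's own records keep only the returned token and the last four digits, and the repeat transaction is made with the token alone.

```python
import secrets

# Constructed example of the tokenization ("vault") pattern: the merchant
# system never persists the card number; the provider (simulated here) holds
# it and hands back an opaque reference that is used for repeat transactions.


class ProviderVault:
    """Stand-in for a payments provider's card vault (hypothetical, not a real API)."""

    def __init__(self):
        self._cards = {}  # token -> full card data, held only on the provider side

    def tokenize(self, pan, expiry):
        # The token is random, not derived from the PAN, so it reveals nothing.
        token = "tok_" + secrets.token_hex(16)
        self._cards[token] = {"pan": pan, "expiry": expiry}
        return token

    def charge(self, token, amount_cents):
        card = self._cards.get(token)
        if card is None:
            return {"ok": False, "reason": "unknown token"}
        return {"ok": True, "amount": amount_cents, "last4": card["pan"][-4:]}


class MerchantCustomerDB:
    """What the merchant's own software is allowed to persist."""

    def __init__(self):
        self.records = {}

    def save(self, customer_id, token, pan):
        # Store only the token and a display hint; the PAN itself is never written.
        self.records[customer_id] = {"token": token, "last4": pan[-4:]}

    def contains_pan(self, pan):
        # Check used to confirm no full card number leaked into merchant storage.
        return any(pan in str(record) for record in self.records.values())


def first_sale(vault, db, customer_id, pan, expiry, amount_cents):
    # Card data is passed straight to the provider; only the token comes back.
    token = vault.tokenize(pan, expiry)
    db.save(customer_id, token, pan)
    return vault.charge(token, amount_cents)


def repeat_sale(vault, db, customer_id, amount_cents):
    # A later transaction for the same customer needs only the stored token.
    token = db.records[customer_id]["token"]
    return vault.charge(token, amount_cents)
```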
7. Keep up with the news. Stay up-to-date on recent credit card scams. Also, maintain awareness of any new software or equipment that might benefit your company in fighting scammers. Technology changes quickly. It’s imperative to give your payment processing equipment every opportunity to succeed in thwarting these criminals.
8. Deal with any breach. Even if all caution is used, and the best payment processing security is installed, a breach can still occur. If it does, you must have detailed credit card sales records to refer back to in order to retrace your steps and help determine when and where the breach took place. A proper assessment of the initial attack could mitigate the potential for additional losses and provide a trail back to the source of the breach.
9. Evaluate previous weak points. Simply rectifying a software, equipment or personnel security issue isn’t enough. You must assess any breaches and understand exactly how and why they transpired and then take steps to ensure fraudsters can’t utilize that same tactic again.
10. Take every precaution. It’s imperative to take the necessary steps to protect your company’s assets and security. If you think posting signage warning against credit card fraud, or reminding employees to stay vigilant, will decrease your chances of a breach, do it. If periodically walking the store floors to check the equipment might be of value, do that. Each precaution you take will make it more difficult for scammers to infiltrate your system.
Rob Bertke is the senior vice president of research & development at Sage Payment Solutions, the payments division of Sage North America, and has been in the commercial payments and B2B e-commerce industry for more than 15 years.