What are the best standards and practices to make sure your customers’ credit card data is safe and secure?
Credit and debit cards have become so ingrained in our daily lives that they are one of those things we take for granted. Like plumbing, electricity, or the other major systems we rely on every day, we only notice how intricate something like credit card security is when it goes wrong.
And if you’ve been paying attention to the news over the past few years, that has been happening quite a bit. Between the Target credit card breach in late 2013, the Michaels breach in spring of 2014, and the Home Depot breach in fall of the same year, retail outlets have received a lot of bad publicity of late for allowing their customers’ information to be stolen.
Some small business owners might look at those three major retail attacks and wonder, “If a retail chain the size of Target or Home Depot can’t keep their customers’ data safe, what hope do I have?” While that isn’t an entirely unreasonable question to ponder, there are two things to first consider:
- Major retail outlets are targeted over a small mom-and-pop store simply because of volume. If you’re an attacker, you devote your resources where you’ll get the highest return, and considering the Home Depot attack netted some 56 million credit cards over a five-month period, your average small business doesn’t come anywhere near that in terms of transactions.
- We won’t get into the cyber security nitty-gritty of how these breaches were carried out, but it’s safe to say that some fairly sophisticated programming and hacking was at work. For the majority of vendors, following some basic yet solid best practices can go a long way toward protecting your customers.
Speaking of best practices, as a small to mid-size business that handles credit card transactions, there are some broad-stroke guidelines you can adhere to in terms of card security. Understanding that no entity is ever 100% secure or impossible to breach, following these rules (via the Payment Card Industry Compliance Guide) will minimize the risk to your customers.
- Establish Firm Responsibilities for Personally Identifiable Information (PII): When most people think of credit card breaches, they picture the account number on the front of the card along with the expiration date. In reality, Personally Identifiable Information (or PII) is any data that may be used to determine your identity. Along with your credit card information, PII may also include your name, address, birthdate, email address, social security number, and more.
That means you might have your customers’ PII in-house without ever processing a transaction (if they signed up for an email newsletter, for example, you would likely have their name, email, and possibly a phone number and address). The PCI Compliance guide recommends “…creating a simple spreadsheet that documents the various types of sensitive data your business is handling, its location, and who has responsibility for it.”
- Securely Store PII – Or Preferably, Don’t Do It At All: It stands to reason that the less PII your business stores, the lower the risk of that information being compromised or stolen. It might not be feasible to eliminate all PII storage, but if you did create the spreadsheet from guideline number one, comb through each line or column of PII and determine what is absolutely, 100% necessary.
Once you are down to the bare-bones essentials, take the steps to make sure that data is secure. Store it so that you know exactly who has access to it, and give everyone unique login credentials so any potential issue can be traced to a single user. Consider encrypting the PII, with the encryption keys kept apart from the data itself, so that if an attacker does get in, the PII is far harder to read.
- Ensure Your Internet and Intranet Are Both Secure: Offering free Wi-Fi to your in-store guests is a nice touch and goes a long way toward building goodwill with your customers. However, unsecured networks, or those without properly configured firewalls, are a huge risk factor. Again, we won’t dive into the technical details of how to set up your network, but securing both your internal network and any guest network in-store, and keeping the two separate, is crucial. If you have an IT person, they’ll be able to set it up properly. If not, or if your business operates online and takes credit card payments via an e-commerce system (which complicates matters a bit), it’s worth paying to outsource the initial setup to an individual or firm with experience in firewalls and network security.
- Train Your Employees: Study after study has shown that the biggest risk to your company’s cyber security comes from within. Most of the time it’s unintentional – for example, an employee accessing sensitive internal work information from an unsecured network. He or she is at a coffee shop using a router that an attacker has already compromised, and your employee’s login credentials are quickly and easily captured.
Making sure your employees know the basics of security when accessing any device or network that holds card information or other PII is key. All computers should receive regular updates and have anti-virus protection installed, and only approved devices should be able to reach networks with sensitive data.
- Ensure Your Vendors Know Their Stuff: It’s one thing for your business to have its ducks in a row, but what about your partners? Today it is increasingly common for merchants to outsource many or all of the components involved in processing credit card information and transactions. If that applies to your business, you must ensure your provider is PCI compliant – like Valued Merchant Services. We are a nationwide provider of card processing services and have helped businesses both small and large, with a 99% merchant approval rate. What’s more, we GUARANTEE to save you money on what you’re currently spending on processing. If not, we’ll give you $500, simple as that. Learn how today.