In today’s economy, accepting credit cards is essential to your small business’ success. But what you may not know is the impact payment security can have on your ability to stay in business.
Data security breaches continue to make headlines nearly every day. A breach can:
- Erode consumer confidence in your business
- Cost thousands of dollars in fines and penalties
- Make you vulnerable to legal actions
- Prevent you from future credit card acceptance
According to the 2015 Verizon PCI Compliance Report, 69% of consumers are hesitant to do business with a breached organization, and 60% of small businesses close within six months of a breach.
Avoiding a breach and reducing payment fraud requires proper technology and vigilance. Let’s walk through five major ways to help mitigate risk and avoid experiencing fraud and data compromise.
EMV is the global standard for authenticating payment cards that have an embedded microchip, also known as “smart cards” or “chip-and-PIN.” While EMV chip cards look just like standard magnetic-stripe cards, they contain a microprocessor, or chip, that enables each transaction they initiate to carry a unique cryptogram. That cryptogram is validated by the issuer, and it’s difficult for criminals to break it and steal card information for counterfeit use.
1. Reduce Fraud With EMV Technology
EMV has been in use in the UK since 2004, and card-present fraud has gone down by 80%, according to a recent Accenture report. During that same time period, fraud has increased in the U.S. by nearly 70%. By implementing EMV here in the U.S., payment experts expect to see that number plummet as it did in the UK.
Using EMV technology to process payments can help protect your business from fraud. When a chip card is presented for payment, the customer dips their card in the EMV terminal and is then prompted for a signature or PIN number. This ensures that the card is legitimate and that the person using the card is the authorized user.
Beginning October 1, 2015, if you do not process a chip card with an EMV-capable terminal, and the transaction turns out to be fraudulent, you may be held financially liable for that transaction.
2. Protect Data in Motion With EncryptionWhen you process payments, your POS system or terminal handles sensitive credit card data. After a card is swiped, the card number is recorded in clear text for a second before the POS encrypts or masks it. When that data is stolen, it’s considered a data breach. Considering the number of cards you may process in a day, week or month, you’re sitting on a virtual gold mine that hackers want to get their hands on.
You can help prevent thieves from accessing that data by using card data encryption, also commonly referred to as end-to-end encryption (E2E) and point-to-point encryption (P2PE). Encryption technology encrypts card data from the moment it’s swiped or entered, until it reaches the authorization location, such as a payment processor. Card data is secure for the duration of the transaction. If a breach occurs, and data is stolen, it will be useless to thieves in its encrypted state.
3. Protect Data at Rest With TokenizationTokenization keeps sensitive data out of the reach of cybercriminals by replacing actual data with dummy text and meaningless characters. This can be useful to businesses that need to store a certain amount of sensitive card data for functions such as recurring billing or tip adjustment. Tokenization is one of the most effective and affordable ways for merchants to protect sensitive card data.
When a card is swiped, a token is automatically generated and submitted for approval. Then, a token is returned to the POS system with the transaction authorization approval response. The token essentially renders the sensitive data useless beyond that unique transaction. The substitute value can, however, be used for follow-up transactions.
Combining encryption and tokenization is perhaps the strongest measure you can take to help protect your business from the devastating effects of a data breach.
To reduce the risks of having your system hacked and data stolen, adhere to these security best practices:
4. Secure Your POS Environment
- Set up a firewall so your POS and router are separate from other systems that access the internet. Never use your business POS for casual internet surfing, as doing so can introduce vulnerabilities to your system.
- Use two-factor passwords, and change them at least every three months. Be sure to assign separate login credentials to each user, and forbid the sharing of login information. Make sure you keep the user list updated so that accounts are disabled as soon as they are no longer needed.
- Limit remote access to only allow people with a specific and clearly identified business need to access your system. Never leave remote access software on and unattended.
- Keep anti-virus programs installed and up-to-date. Regularly run and review results of scans for malicious software.
- Train your staff to be on alert for unauthorized skimming devices installed on the POS or credit-card terminal. Skimming devices are small and can be illegally installed to gather card data with each card swipe.
5. Get Professional Help With PCI ComplianceMaintaining compliance with the Payment Card Industry Data Security Standards (PCI DSS) is a requirement for every business that accepts credit cards. Failure to do so can land your business in hot water if a breach occurs.
PCI compliance is not a one-time event. It’s a continual process of making sure your systems are appropriately handling sensitive data, your business practices are secure and your network is locked down. Compliance requires vigilance and a certain amount of know-how.
Compliance can be achieved independently. However, it’s much simpler and arguably more effective when you use a compliance assistance service. Compliance assistance helps by:
- Performing scans of the network to identify vulnerabilities
- Monitoring network activity
- Providing tools and resources to promote and determine compliance
Some compliance assistance services also include breach protection. Depending on the terms and conditions of a particular breach assistance program, these types of services typically provide for reimbursement of certain card brand fees charged for a data compromise. They help cover costs of a data breach, which can be upwards of $100,000 or more.
Protect the Consumer, Protect Your BusinessWhen you take card data security seriously, you are not just guarding your customers; you’re also guarding yourself and your business.
But you don’t have to go it alone. A good payment processor can be your best ally against security threats. From integrated and compliant POS systems, to technologies like encryption and tokenization, all the way to compliance and breach assistance, a good payment processor is worth every penny when it comes to helping you secure your business against the devastating effects of fraud and card data compromise.
For tips on preventing credit-card fraud, check out our article on how to spot fake debit or credit cards. And to learn more about EMV and how it can help keep your business transactions secure, see our piece on EMV for e-commerce businesses and Intuit's guide to EMV migration.
Theresa Todman, Managing Partner/CEO of B&M Financial Management Services, LLC . Theresa specializes in bookkeeping, accounting, QuickBooks solutions, small business tax issues and consulting.