As a small business, you can’t afford to lose any income, no matter how great or small. You make every effort to ensure your facility is secure during and outside of business hours; you protect your cash drawer from unwanted attention by placing it in a secure location and keeping it locked; you ensure all staff have restricted logins to view customer and business information.
But attackers on the Internet and elsewhere break into small and large businesses alike, stealing payment data that is critical to your customers, your clients, and your business. When such an attack succeeds, you can lose customers, data your business depends on, the contents of your customers' bank accounts, and your credibility and integrity as a business.
But how do you ensure payment security from start to finish for all payments processed at your facility?
Shared Responsibility Between You and Your Processor
Some of the work of payment security is done by your processor and merchant service provider. They are responsible for their own links in the chain and for preventing unwanted access while payment data passes through their systems. Controls are put in place so that cardholder data, above all the primary account number (PAN), is protected. These controls are defined by the Payment Card Industry Data Security Standard (PCI DSS), which is maintained by the PCI Security Standards Council and reviewed on a regular cycle.
But payment security begins and ends at your facility. For this reason, there are steps you and your staff can take to further ensure payment security within your facility.
Keeping Transactions Secure and Safe for You and Your Customers
According to the PCI Security Standards Council, sensitive data can be obtained from your location through:
- Compromised card readers
- Paper stored in a filing cabinet
- Data in a payment system database
- Hidden cameras recording manual entry of authentication data
- Your facility’s wireless or wired network
A lesser known concern that affects how vulnerable your data is, both at rest and in transit, is the age of your computer hardware. Unsupported or end-of-life hardware no longer receives firmware and driver security updates, so any flaw found after the support date stays open, and this increases the risk of your payment systems being infiltrated.
If a product is no longer supported by its manufacturer, there is often a reason, such as the inability to build current security features into it. This is one case where checking out the latest and greatest has more reasons and benefits than just wanting the coolest toys. Making sure your hardware is supported and compatible with your payment software is a key piece of keeping payment data secure during entry and processing.
Paper File Systems
If you have been using paper as part of your contract process, make sure that personally identifiable data such as social security numbers, EINs, and card numbers is redacted from paper copies. Better still, avoid writing down full card numbers in the first place, and never record a card's security code (CVV/CVC) or PIN on paper or anywhere else.
Evaluate your security on paper systems as well. Are your file cabinets accessible by anyone? Are they behind locked doors? Are they located off-site where someone may gain access to them? All these are questions to consider when you evaluate your paper processes and needs.
Data In Online Payment Applications and Shopping Carts
Use a current browser and an operating system that still receives security updates and is supported by your POS application. Check with the provider to verify your system is set up securely. Update your computer hardware and software where necessary so you can rely on the most recent defenses against data breaches.
Avoid holding complete payment data, such as the full card number or a customer's full social security number, in any of your applications or databases. Storing full card numbers puts you at risk and brings your systems into scope for many more PCI DSS requirements (encryption, key management, access logging and so on); keeping only a masked form such as the last four digits avoids most of that burden. Sensitive authentication data (the CVV/CVC code, PIN, or full magnetic-stripe or chip data) may never be stored after a transaction is authorized, even in encrypted form.
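The two rules above, redacting card numbers and SSNs from records and keeping only a masked card number, can be applied mechanically to the electronic side of your paperwork (notes fields, CSV exports, OCR text of scanned contracts) before anything is printed or archived. The following is an added example written for this article; it is not code from the PCI Security Standards Council or from any payment provider, and the function names, field names and sample note are assumptions made for the illustration. The Luhn check is used so that order or invoice numbers that merely look like card numbers are left alone; drop it if you would rather over-redact.

```python
"""Added example: keep full card numbers and SSNs out of stored records.

Illustrative code for this article, not from the PCI SSC or any payment
processor. Function names, field names and the sample text are assumptions.
"""
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or dashes, not part of a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US Social Security numbers written in the usual dashed form.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample note, the kind of free text that ends up in a CRM or
# on a printed job sheet. The card number is a well-known test number.
SAMPLE_NOTE = (
    "Customer paid with card 4111 1111 1111 1111 on 03/12, "
    "SSN on file 123-45-6789, order ref 1234 5678 9012 3456."
)


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; every real card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as on a printed receipt."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_text(text: str) -> str:
    """Mask card numbers and SSNs found in free text."""

    def _pan(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        # Luhn check avoids redacting order/invoice numbers that only look
        # like card numbers; remove the check if you prefer to over-redact.
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)

    text = PAN_PATTERN.sub(_pan, text)
    return SSN_PATTERN.sub(lambda m: "XXX-XX-" + m.group(0)[-4:], text)


def storage_safe_record(payment: dict) -> dict:
    """Reduce a captured payment to the fields that are safe to keep.

    The full PAN is replaced by a masked form, and sensitive authentication
    data (cvv, pin, track data) is simply not copied across: PCI DSS forbids
    storing it after authorization even when encrypted.
    """
    digits = re.sub(r"\D", "", payment["pan"])
    if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("not a plausible card number")
    return {
        "cardholder": payment.get("cardholder"),
        "expiry": payment.get("expiry"),
        "last4": digits[-4:],
        "masked_pan": mask_pan(digits),
    }


if __name__ == "__main__":
    print(redact_text(SAMPLE_NOTE))
    print(storage_safe_record({"pan": "4111-1111-1111-1111", "cvv": "123",
                               "expiry": "12/27", "cardholder": "A. Example"}))
```

Running the script on the sample note masks the card number and the SSN and leaves the order reference untouched, because that 16-digit string fails the Luhn check. Note that masking is not the same as encryption: a masked number cannot be used to charge the card, so the stored record no longer counts as a full PAN, which is exactly the point.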
Hidden Cameras Recording Data Entry
One simple step helps keep a hidden camera or a wandering eye from picking up protected data: when keying in card data manually, shield the keypad or screen the same way you would shield the keypad when entering your PIN at an ATM, and keep the card itself out of view.
Store Networks and Wireless Access Router Security
If you haven't had a recent health check on your facility's network, consider having a third party review your setup and recommend changes that keep the network secure and unwanted traffic out. At a minimum, change the default administrator password on every router and access point, use WPA2 or WPA3 on wireless networks, and keep your POS devices on a network segment that guest Wi-Fi and general office machines cannot reach.
Payment Security Begins and Ends with You
Since you are not a merchant service provider or a payment processor, you might assume PCI DSS (the PCI Data Security Standard) does not apply to you. It does: the standard covers every business that stores, processes, or transmits cardholder data, and that includes any merchant that accepts card payments. Payment security begins and ends with your business. To learn more about the standard and the PCI Security Standards Council behind it, visit Why Security Matters.