Common Mistakes In Payment Security

All businesses that accept payments are responsible for keeping payment data secure at the start of a transaction, during processing and once it ends. Unfortunately, many small businesses don’t realize they’re not following all the protocols for payment security until a serious event happens. Here are the most common mistakes businesses make in payment security, and how to avoid them.

Not proactively protecting passwords.

Your network, hardware, software, point-of-sale terminals and the mobile devices you may rely on to conduct business may be password protected, but as Entrepreneur Magazine recently reported, the majority of people do not follow basic standards to ensure those passwords are indeed secure and difficult to crack.

The passwords “123456”, “password”, and “12345” remain among the most commonly used, according to SplashData. (Passwords involving sports and superheroes are increasingly common, too.) Ensure that any password used in your business follows security protocol: SplashData recommends that all passwords include a minimum of eight characters, made up of a combination of letters (upper and lower case), numbers and symbols. Every point of entry to your business operations that requires a log-in should have a unique password, and that password should be changed every few weeks. According to the PCI Security Standards Council, every business needs a formal information security policy outlining and enforcing these protocols, along with “common sense” processes that ensure employees never write down passwords for others to see or send them via unsecured email.

Not utilizing EMV chip card functionality.

Whether you accept customer payments at a fixed point-of-sale terminal or process payments on a mobile device, not equipping your POS to utilize EMV chip card technology remains a common mistake in payment security. Because the chip on an EMV card acts as a small microprocessor that facilitates transaction processing, it reduces the potential for thieves to tamper with devices to “skim” information from the card and create counterfeit versions. EMV technology also uses end-to-end encryption and tokenization in payment processing, which replaces a customer’s identifiable data (like a 16-digit account number) with a surrogate number (called a token) before sensitive data is transmitted. If data thieves intercept a transaction, the information they’ll acquire cannot be used to identify the customer or initiate further fraud. Although most businesses accepting customer payments are now required to have point-of-sale terminals that accommodate EMV chip card technology or mobile payments that can process EMV chip cards to ensure customer security (and reduce the risk of being held liable for a breach), USA Today reports that fewer than 40 percent of businesses have done so.
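
The token substitution described above, as an added Python example that is not part of the original article: a constructed in-memory `TokenVault` (a hypothetical name standing in for the payment processor's vault) swaps a test account number for a random surrogate, so the message leaving the point of sale never contains the real number. It assumes the token keeps the last four digits for receipts and deliberately fails the Luhn check.

```python
import secrets


def luhn_ok(number: str) -> bool:
    """Luhn checksum used by real card account numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed in-memory stand-in for a payment processor's token vault."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and len(pan) == 16 and luhn_ok(pan)):
            raise ValueError("not a valid 16-digit account number")
        if pan in self._token_by_pan:      # same card always maps to one token
            return self._token_by_pan[pan]
        while True:
            # Random surrogate: no mathematical link to the account number.
            body = "".join(secrets.choice("0123456789") for _ in range(12))
            token = body + pan[-4:]        # assumption: last four kept for receipts
            # Assumption: tokens fail Luhn so they cannot pass as a real card.
            if token not in self._pan_by_token and not luhn_ok(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; unknown tokens raise KeyError."""
        return self._pan_by_token[token]


def build_sale_message(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What leaves the point of sale: the token, never the account number."""
    return {"account": vault.tokenize(pan), "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"          # constructed test number, not a real card
    print(build_sale_message(vault, test_pan, 2599))
```

Because the mapping lives only inside the vault, a token captured in transit cannot be turned back into the account number without access to the vault itself.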

Misunderstanding your level of risk.

If you accept payment from customers, the security standards established by the PCI Security Standards Council apply to your business. In addition to choosing only PCI-compliant payment processing partners, it’s important to understand that you are a target for cybercriminals, and you need to take steps to protect the payment data they seek. BusinessNewsDaily reports that while small businesses are often the perfect candidates for cyberthieves — because they are presumed to not have adequate security measures in place — few small business owners are protected. Just 29 percent of small business owners who responded to a study by Travelers Insurance feel they are prepared for the risks they face regarding technology and data security.

Lacking the internal controls to instill payment security.

Though cybersecurity is a legitimate concern, many payment security breaches originate with basic human error and intervention. According to the PCI Security Standards Council, businesses should conduct internal security audits of firewalls, networks, hardware and software to detect and resolve vulnerabilities. Likewise, confirming payment security at any point-of-sale terminal should become a daily procedure. If a device is tampered with in an attempt to obtain payment data, a consistent audit practice empowers your business to intervene quickly and efficiently.

Payment security impacts your business, and its customers — yet few business owners proactively confirm they’re following the best practices consistently. Instill these basic steps into your business operations so you don’t become the victim of the next payment security breach.