Allowing customers to pay using a credit or debit card can help you capture more revenue, but handling sensitive payment data requires that your business knows how to protect customer information — and its internal data — from the risk of a security breach.
Here are some simple payment security tips all businesses should know:
Use EMV chip card terminals.
Though CNBC reports that about 70 percent of consumers now carry a credit or debit card that has both a magnetic stripe on the back and an EMV chip on the front, fewer than 40 percent of merchants are equipped with the EMV payment terminals required to process a payment using the card's chip.
However, the experts at EMV Connection explain that an EMV chip card isn't just an alternative to a magnetic stripe: the chip is a microprocessor that takes part in the transaction and produces a one-time cryptogram for each purchase, so data captured from one transaction cannot simply be copied onto a counterfeit card the way a magnetic stripe can. Chip processing is commonly paired with a second measure, tokenization, which replaces the card number with a meaningless substitute value (the token) wherever the number would otherwise be stored or passed along. If data thieves intercept a tokenized transaction, what they obtain is useless outside the system that issued the token.
If you don’t have EMV terminals at your point of sale, upgrade your equipment for greater payment security. Explain the basic concepts of tokenization so customers who may be hesitant to use the technology can better understand the security benefits.
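To make the tokenization idea concrete, here is an added example (not code from the page, from EMV Connection, or from any payment processor) of a minimal token vault: the only component allowed to hold real card numbers validates the number, issues a random token, and hands back only the token and a masked number for the merchant's own records. The vault class, the `record_sale` helper and the test card numbers are assumptions for illustration; a production system would use a PCI-compliant processor's vault rather than something written in-house.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Check a card number with the Luhn checksum; rejects obvious typos before tokenizing."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the usual PCI-style display form."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """Hypothetical in-memory vault: the single place real card numbers exist.

    Everything outside the vault (order records, receipts, reports) sees only
    tokens, so a leak of those systems exposes no card data.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # secret used to recognise repeat cards
        self._pan_by_token: dict[str, str] = {}
        self._token_by_index: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        # Keyed hash so the lookup index cannot be reversed to the PAN without the key.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = "".join(c for c in pan if c.isdigit())
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        idx = self._index(pan)
        if idx in self._token_by_index:          # same card seen before: same token
            return self._token_by_index[idx]
        token = "tok_" + secrets.token_hex(16)   # random, carries no information about the PAN
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (inside PCI scope) may ever turn a token back into a PAN."""
        return self._pan_by_token[token]


def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant's own systems are allowed to keep: token, masked number, amount."""
    token = vault.tokenize(pan)
    return {"token": token, "card": mask_pan(pan), "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    # Constructed test card number (standard Visa test PAN), not a real account.
    sale = record_sale(vault, "4111 1111 1111 1111", 1999)
    print(sale)                                   # contains no full card number
    print(vault.detokenize(sale["token"]))        # only the vault can recover it
```

Two points worth noticing: the token is random rather than derived from the card number, so no amount of analysis of stolen tokens yields card data, and the vault returns the same token for a repeat card, which lets the merchant recognise returning customers without ever storing the number themselves.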
Create mandatory security codes of conduct.
You have “ground rules” about how employees are to conduct themselves as representatives of your company. A security code of conduct follows the same logic, and mandates how employees are to use and handle technology and customer data. In your mandatory security code of conduct, address the following aspects of payment security:
- Customer payment information is never to be hand written (even if payment processing terminals are temporarily down), exchanged via unsecured email, or kept on file (even at the customer's request).
- If you use mobile payments in your business, staff should agree that payment data is processed over a secure connection only (never public Wi-Fi). If they use a mobile payment provider's app to process customer payments, they must install only the provider's official app, from the platform's app store via the provider's own link rather than a sideloaded copy, and keep it updated.
- Employees should not connect to internal business servers (including office email) except over a secured connection such as the office network or the company VPN, never over an open wireless network.
- Mobile devices used to conduct business (whether owned by the employee or issued by your business) should run a current, supported version of the device's operating system with security updates applied promptly.
Your business is not too small to be the victim of a payment security breach. In fact, it could be specifically targeted because of the perception that you won't have tight security protocols in place. The Payment Card Industry Security Standards Council publishes the measures businesses must follow to be PCI compliant (which requirements apply varies with the types of payment you accept and the volume of transactions you process). In addition to choosing PCI-compliant payment processors, build security into your daily IT practices: conduct regular audits of point-of-sale equipment, internal systems, networks and firewalls so that suspicious activity is identified quickly and any system or hardware vulnerabilities that are detected get addressed.
Manage the level of access you provide.
Much of the focus in payment security is on breaches initiated by cyber criminals, but the people you allow into your business day in and day out can pose as much of a threat. If you allow third-party vendors to access data in your internal systems, manage how credentials are issued and maintained: give each person an individual account rather than a shared login, so access can be revoked per person. Conduct background checks before trusting that vendors are who they claim to be, and provide the minimum level of access needed to do their jobs. When employees or vendors end their working relationship with your company, rescind whatever access they've been given to sensitive data promptly, and rotate any shared credentials or keys they knew.
Payment security is critical to managing your business’s exposure to risk. Though the idea of payment security can sound overwhelming, it starts with a basic understanding of the risks your business and customers face in the handling of payment data, and how to best protect your business against them.