Technology Tips to Keep Your Customers’ Payment Information Secure and Your Business Safe
Running a business is often a matter of trust: When customers make a purchase, can they count on you to keep their credit card information safe? Protecting customers’ payment data from point of sale to the bank (and beyond) should be one of your highest priorities as a small business owner. The good news is that this is easier to accomplish than you might expect.
Here are some of the ways small business owners can safeguard their customers, their credit card security, and their business.
Avoid Storing Customer Payment Card Data
When you hold on to cardholder data, whether from an individual or another business, you run the risk of that information being seen by people who shouldn’t have access to it. That’s one reason why it’s preferable to securely dispose of any payment information immediately following a transaction. It’s also essential to establish a policy for what constitutes a legitimate business need and when storing information is necessary.
You can safeguard sensitive information by:
Additional preventive measures you may consider:
Truncate Credit/Debit Card Information
Years ago, credit card information on a sales receipt typically included the full credit card number alongside the expiration date, providing identity thieves and fraudsters with immediate access to customer finances. Then, in 2003, the Federal Trade Commission (FTC), the nation's consumer protection agency, began requiring all businesses to truncate, or shorten, the account information indicated on all electronically printed sales receipts (no more than the last five digits of the card number can be included on a receipt, and the expiration date must be deleted). By truncating such information, the customer is protected from credit/debit card crime and your business can avoid lawsuits and FTC law enforcement action.
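The truncation rule described above can be enforced in software before a receipt is printed or archived. The following Python sketch is an added example, not code from this article or from any payment vendor: it deletes expiration dates and shortens any Luhn-valid card number to its last five digits, the limit the article states. The function names, the expiry label patterns and the sample receipt are assumptions made for illustration.

```python
import re

MAX_VISIBLE_DIGITS = 5  # receipt limit stated in the article

# 13-19 digits, optionally separated by single spaces or hyphens
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Assumed label variants: "EXP 09/27", "Expires: 09/2027", "Exp. date 9/27"
EXPIRY = re.compile(
    r"\bexp(?:ir(?:y|es|ation))?\.?(?:\s+date)?\s*:?\s*\d{1,2}\s*/\s*\d{2,4}",
    re.IGNORECASE)

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit counted from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def truncate_pan(match: re.Match) -> str:
    """Mask all but the last MAX_VISIBLE_DIGITS digits of a card number."""
    digits = re.sub(r"\D", "", match.group())
    if not luhn_valid(digits):
        return match.group()  # leave order numbers, phone numbers, etc. alone
    return "*" * (len(digits) - MAX_VISIBLE_DIGITS) + digits[-MAX_VISIBLE_DIGITS:]

def sanitize_receipt(text: str) -> str:
    """Delete expiration dates, then truncate every Luhn-valid card number."""
    return PAN_CANDIDATE.sub(truncate_pan, EXPIRY.sub("", text))

def find_untruncated(text: str) -> list[str]:
    """Audit helper: Luhn-valid card numbers still present in text."""
    runs = (re.sub(r"\D", "", m.group()) for m in PAN_CANDIDATE.finditer(text))
    return [d for d in runs if luhn_valid(d)]

# Constructed sample receipt; 4111 1111 1111 1111 is a widely used test number.
SAMPLE_RECEIPT = (
    "Order 1234567890123\n"
    "Card: 4111 1111 1111 1111\n"
    "EXP 09/27\n"
    "Total: $42.50\n"
)

if __name__ == "__main__":
    print(sanitize_receipt(SAMPLE_RECEIPT))
    print("Untruncated numbers before:", find_untruncated(SAMPLE_RECEIPT))
```

The audit helper can also be run over stored receipt copies or log files to find card numbers that were kept in full.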
Set Up an Employee Policy for Handling Card Data
One easy way to reduce the risk of fraud for your business and enhance credit card security is through employee management. Consider creating and implementing an employee policy on proper handling of customer credit card data by using unique employee PIN codes. These PIN codes can then be used to track sales and refunds made by employees. And, of course, be sure to educate your employees on the safe handling of transactions and potential fraud risks.
Comply with Industry Standards
The PCI Security Standards Council offers compliance information and assessments for merchants and service providers worldwide. To ensure your customers' payment card data is kept safe and secure, compliance through annual completion of the assessment is recommended or may even be required by your acquirer (for example, your bank) or payment processing brand for all merchants who accept credit cards, online or offline.
If the PCI DSS Security Assessment Procedures require your business to undergo an on-site data security assessment, know that this validation tool was created with you in mind. The PCI Data Security Standard Self-Assessment Questionnaire (PCI DSS SAQ) can help you reach PCI DSS compliance.
Opt for EMV Instead of Magstripe Cards
While magnetic stripe cards, or magstripe cards, have dominated the market for close to 50 years, a current industry mandate is enforcing a global standard for all banks and financial institutions to integrate the Europay, MasterCard and Visa (EMV) standard for all consumers by the end of 2015.
The magstripe, presently used on most credit cards, stores data by modifying the magnetism of tiny iron-based particles on a band of magnetic material on the card. A compatible device reads the card’s information for payment or customer identification when it’s swiped. Magstripe can be a convenient method of payment — unless the user is an identity thief who skims cardholder information when in possession of a magstripe card during a transaction.
Initiated in 2002, EMV makes it harder for thieves to capture cardholder information. Magstripe-free credit and debit cards equipped with this smartcard technology are known as integrated circuit cards (IC cards or “chip cards”). They contain an embedded microchip and are authenticated automatically using a personal identification number, which the customer enters during a transaction. Using EMV or IC cards may add some extra steps to the payment process, but it’s significantly more secure than magstripe.
As of October 2015, fraudulent transaction liability will be absorbed by merchants who do not process at least 75 percent of their transactions through EMV-enabled terminals. Countries like the United Kingdom, Australia, Brazil, Mexico and Canada have already begun facilitating EMV card use for travelers.
A Matter of Trust
While the payment processing landscape will continue to become more secure in order to further protect customers, small businesses can take steps now to ensure they’re keeping customers’ information safe. Remember: It all comes down to trust. If customers trust you with their information, they’ll be more likely to continue doing business with you.