If you accept credit and debit cards, your business is responsible for ensuring that its data security efforts reflect current best practices. This is necessary for your own risk management as well as for the protection of your customers. Here are three methods to improve your data security:
1. Confirm your payment processors are secure. Confirm that every payment processor involved in your business guarantees PCI compliance throughout data transmission, authorization and post-transaction data storage. PCI compliance, first established in 2006 by the Payment Card Industry, involves a set of security standards that change frequently in response to vulnerabilities detected in new payment technologies and to the tactics of cyber thieves who attempt to exploit them. While failing to comply with PCI security standards isn't technically illegal, the standards exist as a best practice intended to protect everyone involved in a payment transaction.
2. Establish security protocols for your business. Despite the sophisticated techniques many data thieves use, countless payment security breaches originate with criminal tampering with point-of-sale (POS) equipment, theft of data from the magnetic stripes of payment cards and, in some cases, human error. In addition to conducting background checks on all vendors and employees who are authorized to access sensitive information, ensure that your retail environment has consistent processes in place to detect potential security vulnerabilities and to stop suspicious activity as soon as it is found. At minimum, the PCI Security Standards Council recommends that all businesses conduct a security audit of POS terminals, computer hardware and software, and any mobile devices used in payment processing at least once a quarter.
Your security processes should also hold staff accountable for how they handle sensitive payment data. For example, the PCI standards state that a merchant is never to retain a customer's credit card number, even when payment processing systems become temporarily unavailable or a customer wants to provide a credit card number over the phone or by email to make a purchase off site. If you allow employees to use their personal mobile devices to check corporate email or process mobile payments for customers, specify the security standards they must maintain. For example, their mobile device's operating system should be updated to the latest version, and payment data should be transmitted for processing only over a password-protected online connection.
3. Be proactive in your transition to EMV technology. Most American cardholders received reissued versions of their credit and debit cards last summer. The new cards include a square chip on the front of the card in addition to the magnetic stripe on the back. The decision to transition to this EMV (Europay, MasterCard, Visa) chip-card technology was intended to improve payment security for customers and merchants. However, data reported in February 2016 by The Strawhecker Group revealed that just 37 percent of businesses have the POS equipment required to accept EMV chip cards.
Though the cost of a fixed POS EMV terminal (it can be several hundred dollars) may be one reason merchants haven't made the shift to accepting EMV chip cards, there are cost-effective options. For example, retailers can accept EMV chip cards with mobile payment devices that support chip cards at a fraction of the cost.
Beyond the cost of transitioning to EMV terminals, failure to accept EMV chip cards exposes both consumers and merchants to a far more significant risk. EMV technology offers enhanced security using a process called tokenization. When a cardholder inserts his or her EMV chip card into the POS terminal, sensitive data (e.g., the customer's 16-digit primary account number) is replaced with a random set of numbers, called a token. This token conceals any personal information that a data thief could intercept and use for fraudulent activity in the event of a breach. Any retail business (except for pay-at-the-pump fuel stations and ATM operators) that isn't EMV compliant could be liable for damages associated with a breach.
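The two rules above, that the merchant never retains the full card number and that the number is replaced by a random token before it reaches merchant systems, can be illustrated in code. The following is an added example written for this page, not code from the original article or from BluePay; the `TokenVault` class, the `record_sale` function and the sample card number are all assumptions made for the illustration (the number is a constructed value that passes the Luhn check and is not a real account). It shows a merchant-side sale record that holds only an unguessable token and a masked display value, with the real account number kept solely in a separate vault.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and fold 10-18 to 1-9.
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form that keeps only the last four digits, e.g. for receipts and logs."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Hypothetical in-memory vault mapping token -> account number.

    In a real deployment this component lives inside the PCI-scoped processor
    environment; the merchant only ever sees the token it returns.
    """

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Store the account number and return a random, non-reversible token."""
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        while True:
            # 128 random bits from the OS CSPRNG; no relation to the PAN itself.
            token = secrets.token_hex(16)
            if token not in self._by_token:
                break
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Look up the original account number; only the vault can do this."""
        return self._by_token[token]


def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Build the record a merchant system keeps: token and masked PAN, never the full number."""
    token = vault.tokenize(pan)
    return {
        "token": token,
        "display": mask_pan(pan),
        "amount_cents": amount_cents,
    }


def full_pan_leaks(record: dict, pan: str) -> bool:
    """Check helper: does the merchant-side record contain the full account number anywhere?"""
    return pan in " ".join(str(v) for v in record.values())


if __name__ == "__main__":
    # Constructed sample value, not a real card.
    SAMPLE_PAN = "4111111111111111"
    vault = TokenVault()
    sale = record_sale(vault, SAMPLE_PAN, 1999)
    print(sale)
    print("full PAN present in merchant record:", full_pan_leaks(sale, SAMPLE_PAN))
```

The merchant stores and logs `sale` only; refunds or repeat charges reference `sale["token"]`, and the vault alone can turn that token back into an account number. Because the token is drawn from a cryptographic random source rather than derived from the card number, a copy of the merchant database gives an attacker nothing to reverse.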
Data security requires you to be proactive about the processes and systems you have in place for the protection of your customers and your business. Adopt these simple payment security standards and you’ll instantly reduce your exposure to risk.
Kristen Gramigna is chief marketing officer for BluePay, a credit card processing firm. Follow her on Twitter at @BluePay_CMO.