Previously I shared the basics of a credit card breach, the liabilities you may face as a retailer and some precautions you can take to protect your business. Now we will talk more specifically about the three ways payments are accepted, the vulnerabilities of each method and how you can protect your business from these threats.
When retailers swipe a card through their POS equipment, the information from the magnetic stripe is sent to a payment processing service. This service identifies the card, verifies that sufficient funds are available to cover the transaction and sends an approval code back to the retailer. Every business that accepts card payments uses a payment processing service. Most providers offer some level of security, but it is up to the business owner to do their homework and confirm that their payment service provider has met the minimum PCI requirements. If yours doesn’t, change service providers.
Business owners should also know if, how and where financial data is stored. The payment service provider can outline the entire process. Review this regularly, at least annually, to make sure your service provider is up to date on all PCI requirements, software and security methods.
New regulations require POS equipment to be updated to accept the more sophisticated “chip and PIN” credit/debit cards. These cards contain an actual microchip that helps protect the consumer from theft and fraud. Chip and PIN cards have been in use for over a decade outside the US. All POS equipment will be required to accept these cards by October 2015. Businesses do not have to wait and can upgrade their POS equipment at any time, which could enhance the security of the system.
Note: Most of the recent breaches (90 percent) involved older, Windows-based POS software. This software offers little built-in malware and virus detection, which leads to compromised data. If your system uses Windows-based POS software, contact your payment processing service immediately to ask about updates, patches and additional security measures.
Payments via Phone or Mail
Taking payments through the mail or over the phone adds another level of risk to the process. Most often, businesses accepting payments through the mail have people re-entering credit/debit card data into a payment system for approval. This introduces the threat of employees making copies of financial information for their own use or for sale to others. It also requires another layer of security for the paperwork, such as a bill or statement, on which the credit/debit card information is recorded. These documents may also be scanned, creating another set of data that needs to be secured or shredded. This entire process needs to be reviewed and verified no less than annually. Employees working directly or indirectly with this data should have background checks and be audited on a regular basis.
Taking payment over the phone has complications too. When a customer calls to provide credit/debit card information to pay a bill or make a purchase, their information is at risk again. Call centers and payment service providers often record calls “for training and quality assurance,” which means the recordings must also be kept secure. There are several techniques and products on the market to mask financial information given over the phone, whether it is spoken by the customer or entered via the phone’s keypad. The same precautions should be taken for employees who handle financial information over the phone as for those who handle it through the mail.
Payments Made Online
If your business has a website that allows customers to shop or make a payment online, other protections must be in place. With purchases made online, the retailer is 100 percent liable for fraudulent purchases… not the bank that approved the transaction or the payment processing service that reviewed it. That means if your company accepts a bad or stolen credit/debit card, the total liability for the loss is yours. You lose the revenue from the sale or payment and any shipping expense you may have incurred, you incur fees (a “chargeback,” similar to a bounced-check charge) and, if you get too many of them, you can lose the ability to take credit/debit cards online. That essentially closes your online store.
Most payment processing services offer some level of fraud detection tools, either free or as an additional service, but they are rarely adequate against today’s cyber criminals. Any company doing business online should have a complete strategy in place for detecting and preventing fraudulent transactions. Several service providers (including the company I work for, Kount) offer good products that do just that. Look into them and protect yourself.
Previously I talked about how the Target data breach impacted me. Months later, data that was stolen in the Target and Neiman Marcus breaches continues to show up in the ecommerce ecosystem and will continue to be used to attempt to steal everything from tires to watches sold online.
Additionally, as the chip and PIN POS equipment described above rolls out between now and October 2015, it will become more and more difficult for criminals to counterfeit stolen credit/debit cards and use them at stores or ATMs. Where “chip and PIN” cards have been mandated in other countries, we have seen crime migrate rapidly from the POS terminal to online stores. Evidence of this migration is already appearing in the US, and I expect it to continue for the next several years as fraudsters focus on targets that are easier to breach.
When you understand the elements of fraud and make these crimes harder to commit, a few precautions can go a long way toward protecting your business and your customers.
For additional information about PCI and payment security compliance, we recommend the following links:
Don Bush is vice president of marketing at Kount, Inc. This is the second of a two-part guest column aimed at helping businesses understand how to shore up their security when accepting credit/debit card payments.