What you don’t know can hurt you when your small business handles sensitive payment data. In fact, being unaware of the risks and responsibilities you inherently assume in payment processing can expose your business to fines, fees, and operational upheaval.
Here are five things most businesses don’t know about payment processing.
Most U.S. debit and credit cards re-issued in 2015 with EMV chips carry both a magnetic stripe on the back and an EMV chip on the front. Yet many businesses don’t know that payment security differs significantly depending on whether a card is swiped or inserted into the EMV payment terminal.
When a customer uses the EMV chip card feature, the processing environment uses a security measure called tokenization. This process replaces the sensitive cardholder data (i.e., the 16-digit personal account number) with a series of randomly assigned numbers, the token, which is what is used to process the payment. If the transaction is intercepted during processing or exposed later in a breach, data thieves cannot use the token to commit further fraud or to identify the account owner.
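To make the tokenization idea concrete, here is a small illustrative token vault. It is an added example, not code from this article or from any payment processor, and in real deployments the vault is operated by the processor, never stored on a merchant's own point-of-sale systems. The `TokenVault` class and the helper names are hypothetical; the card number used in the demo is a constructed test value. The example goes slightly beyond the paragraph: it keeps the last four digits so receipts still work, and it deliberately generates tokens that fail the Luhn check so a token can never be mistaken for a live card number.

```python
# Added illustrative example: a minimal tokenization vault of the kind a payment
# processor operates. Not code from the article or from any processor.
import secrets
from typing import Dict


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def well_formed_pan(pan: str) -> bool:
    """Basic sanity check on a card number before it is allowed into the vault."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)


class TokenVault:
    """Maps card numbers to random tokens; only the vault can map a token back."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not well_formed_pan(pan):
            raise ValueError("not a well-formed card number")
        # Reuse the existing token so repeat purchases can be linked without the PAN.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Random replacement digits; the last four are kept for receipts.
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            # Reject collisions, and reject anything that could pass as a real card
            # number: a token that fails Luhn can never be mistaken for a PAN.
            if token != pan and token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault holder can recover the PAN; a stolen token alone is useless."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"  # constructed test number that passes Luhn
    token = vault.tokenize(test_pan)
    print("token that travels through the merchant's systems:", token)
    print("recoverable only by the vault:", vault.detokenize(token) == test_pan)
```

The point for a merchant is in `detokenize`: the mapping lives only inside the vault, so a token copied from a log, a receipt database, or an intercepted transaction gives an attacker nothing to charge against and nothing that identifies the cardholder.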
According to a recent cybersecurity article in Forbes, nearly 20 percent of small businesses have been impacted by a security breach. First Data estimates that most small businesses that are victims of a payment security breach don’t know it occurred until the damage has been done. If a breach does occur, mandatory investigative audits of payment security practices cost the average small business about $36,000, according to First Data.
If you are a party to a breached payment transaction and your side is found to have provided the weakest level of security, you could be held responsible for the costs associated with the breach, including identity protection services for the victims, card re-issuance, fines, and legal fees.
Now that the October 2015 deadline for transitioning point-of-sale equipment to be compliant with EMV card chip technology has come and gone, merchants who don’t accommodate EMV chip cards could be held liable in the event of a payment security breach.
Choosing a payment processor that guarantees PCI-compliant payment processing and accommodating EMV chip card technology at the point of sale are two ways to enhance payment security, but you cannot rely on one method in isolation. Your business needs to conduct its own audits to proactively identify vulnerabilities, and potentially adapt those processes as your business grows.
For example, the PCI security standards set forth by the PCI Security Standards Council specify the requirements merchants should follow based on the volume and type of their annual transactions. At a minimum, under PCI-compliant processing standards, internal audits of firewalls, networks, hardware, and software should take place quarterly.
Not all breaches begin with a sophisticated hack. In fact, Computerworld reports that the 2013 Target payment security breach originated with valid log-in credentials belonging to the company’s HVAC vendor that were not properly safeguarded.
Your internal procedures have a significant impact on payment security. Passwords should not be posted on computers or at point-of-sale systems, should be changed at least every few weeks, and should consist of eight characters including upper- and lower-case letters, numbers, and symbols.
One employee’s innocent mistake can make or break your payment security and cost your business dearly. Conduct ongoing training sessions to ensure secure payment procedures. For example, customer credit or debit card numbers should never be written down or kept on file.
Mobile payments should be processed only with a secure and password-protected connection, using the mobile payment provider’s secure app or provided dongle. The operating system of any mobile device used to process payments should be updated to reflect the most recent version (which is often patched when security vulnerabilities are detected).
Payment security is an important issue for any merchant that handles sensitive data. The more you understand how to provide a secure environment in your technology and internal processes, the less risk you face as a business.