Let’s be clear: we’ll be talking about information security – we expect owners of brick-and-mortar companies to have taken the obvious physical security steps already (video cameras, security guards, trained attack dogs, etc.). In information security, the biggest concerns center on theft of credit/debit card data, identity theft, and other forms of fraud.
The Need for Vigilance
You won’t stay in business very long if you develop a bad reputation, and being vulnerable to information theft is a prime way to ruin your business. Credit card transactions are uniquely risky, because they not only involve the transfer of money but also have the potential to expose customer data for nefarious uses. Thankfully, new credit card technology is replacing the old magnetic-stripe cards with chip cards, which generate a one-time cryptogram for each purchase instead of handing over static data that can be copied and cloned. The bad news is that in the U.S., as opposed to Europe, merchants can still choose to verify these cards by checking signatures instead of requiring PINs. That is a serious security lapse, because all a card thief has to do is forge your signature. With PINs, the thief can’t use the card without typing in the PIN at the transaction terminal, and only you should know the PIN.
Hot Tips for Enhancing Security
- For merchants with a physical location, the first tip is obvious: implement full chip-and-PIN technology and say goodbye to verification of credit card signatures. Unfortunately, the chip and PIN afford no extra protection for online transactions: in a card-not-present purchase the chip is never read and there is no terminal to check the PIN, so the card number, expiration date and security code are all the fraudster needs.
- In general, collect and store the minimum amount possible of customer data. Collect only what’s required for the transaction. If possible, use transaction software that references customer data via tokenization without utilizing or transmitting account data.
- Don’t store credit/debit card information on your premises. It should be stored by a third-party payment processor that complies with PCI DSS, the card brands’ data security standard for anyone who stores, processes or transmits cardholder data.
- Encrypt all data transfers. Use TLS, the protocol behind “https” addresses (the older SSL versions are broken and should be disabled on your servers). Also, make sure any apps you use store data in an encrypted format.
- Maintain the latest editions of antivirus and antimalware protection on all of your computers. Update and scan your computers at least once a day to check for new threats.
- Train employees to collect only the minimum information necessary to complete a transaction. Restrict employee access to customer data on a “need-to-know” basis.
- Educate yourself about PCI DSS and PA-DSS to learn how to maintain a secure infrastructure. Copious material on these two standards is available online from the PCI Security Standards Council. (PA-DSS, the standard for payment applications, has since been retired in favor of the PCI Software Security Framework; the Council’s site lists the validated applications under both programs.)
- Use encrypted cloud storage and a private network equipped with a sturdy firewall, and regularly back up your data to the secure location.
- Periodically verify that your security settings are still what you intend: transaction limits, access controls, account restrictions and network settings all drift as staff and software change.
- Shut down or disconnect point-of-sale systems and servers from the network when the business is closed; a machine that is off or unreachable is not a target.
- Use separate systems for regular data and the sensitive variety, and put the ones that handle card data on their own network segment. Take extra precautions with the sensitive systems: tighter firewall rules, fewer accounts, and closer monitoring.
- Don’t request credit card or other sensitive information via an email, which is vulnerable to theft.
- If you run a call center, institute appropriately strict procedures and policies to safeguard customer information. This means, for example, revoking agents’ access to customer payment data once a transaction has concluded, and never writing card numbers down or pasting them into chat or notes.
- Don’t automatically use the defaults supplied by a software vendor for system passwords and security parameters. Change every default password and review every default setting before a system goes live; default credentials are the first thing an attacker tries.
- Perform a criminal background check on all potential employees. Check also for civil actions against the job candidate.
- Software exists to monitor and log all attempted and successful accesses to sensitive data. Make sure that this software is up, running and functioning properly, and inspect the logs at least daily.
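To make the tokenization advice above concrete, here is an added example (not code from the original article or from any payment processor) of what “referencing customer data via tokenization” means in practice. The `TokenVault` class is a hypothetical stand-in for the PCI DSS compliant processor’s vault, which is the only place the real card number lives; the merchant side stores just a random token and a masked card number, so a breach of the merchant’s database exposes no card data. The card number used is the standard Visa test number 4111 1111 1111 1111, constructed input for the example.

```python
import re
import secrets

# Added example: toy tokenization flow. Nothing here is a real processor API.
# TokenVault stands in for the processor's vault (the only holder of the PAN);
# record_sale is the merchant side, which never stores the card number itself.


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, the basic sanity check every card number must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and validate the primary account number (PAN)."""
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid card number")
    return digits


class TokenVault:
    """Hypothetical processor-side vault: the only place the PAN exists."""

    def __init__(self):
        self._pan_by_token = {}   # token -> PAN (processor side only)
        self._token_by_pan = {}   # PAN -> token, so one card gets one token

    def tokenize(self, pan: str) -> str:
        digits = normalize_pan(pan)
        if digits in self._token_by_pan:
            return self._token_by_pan[digits]
        # The token is random, not derived from the PAN, so nothing about the
        # card can be recovered from it without the vault. secrets (not random)
        # gives unpredictable values.
        token = "tok_" + secrets.token_hex(12)
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Processor-only operation, e.g. to send the charge to the card network."""
        return self._pan_by_token[token]


def mask_pan(pan: str) -> str:
    """Receipt-friendly form; PCI DSS allows at most first six and last four digits."""
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def record_sale(vault: TokenVault, orders: dict, order_id: str,
                pan: str, amount_cents: int) -> dict:
    """Merchant side: keep the token and a masked PAN, never the card number."""
    token = vault.tokenize(pan)
    orders[order_id] = {
        "token": token,
        "card": mask_pan(pan),
        "amount_cents": amount_cents,
    }
    return orders[order_id]


if __name__ == "__main__":
    vault = TokenVault()
    orders = {}
    # Constructed input: the standard Visa test card number.
    rec = record_sale(vault, orders, "order-1", "4111 1111 1111 1111", 4999)
    print(rec)                                # merchant record: token + masked card
    print(vault.detokenize(rec["token"]))     # only the vault can get the PAN back
```

The point of the example is the split of responsibilities: `orders` can be dumped in its entirety and still yield nothing a fraudster can spend, because the mapping from token to card number lives only in the processor’s vault, and a real processor exposes `detokenize` to no one but itself.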