In a recent report, the Payment Card Industry Security Standards Council declared that the smallest businesses (what the payments industry calls ‘Level 4 Merchants’) are bearing the brunt of data hacking and card fraud. This makes sense; without sophisticated (that is, expensive) IT in place, small businesses make for relatively easy pickings. However, putting security measures in place need not be too cumbersome for the small business. Here are some measures you can take to keep you and your customers protected:
Lock Your Data Down
If you’re capturing credit card data in any way that does not involve digital encryption, STOP! Experience has shown that encryption and tokenization are among the strongest ways to keep hackers out. By converting data into digital tokens, any data a hacker might access would be useless, as the ‘token key’ is required in order to translate the information.
Get the Data Out!
Google “Credit Card Data Breach.” You won’t like the results. You’ll see that hackers can gain access to almost any stand-alone system. The trick is to move any sensitive customer (or business) data to a secure cloud-based vault administered by qualified security professionals. That data should never be present in the merchant environment (such as a network or hard drive).
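To make the tokenization advice under “Lock Your Data Down” and the off-site vault under “Get the Data Out!” concrete, here is an added Python sketch that is not from the original post or from any payment provider: the vault issues random tokens, the merchant keeps only the token and the last four digits, and the placeholder credential stands in for whatever authentication a real vault uses.

```python
import hmac
import secrets

class TokenVault:
    """Stand-in for the off-site token vault (constructed for this example). Only the
    vault ever holds the full card number (PAN); the merchant gets a token and last four."""

    def __init__(self, vault_credential: str):
        self._credential = vault_credential  # placeholder secret, not a real key
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    @staticmethod
    def luhn_ok(pan: str) -> bool:
        # Luhn check digit, so mistyped numbers are rejected before they are vaulted
        total = 0
        for i, ch in enumerate(reversed(pan)):
            d = int(ch) * 2 if i % 2 else int(ch)
            total += d - 9 if d > 9 else d
        return total % 10 == 0

    def tokenize(self, pan: str) -> dict:
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not self.luhn_ok(pan):
            raise ValueError("not a plausible card number")
        if pan not in self._pan_to_token:
            # A fresh random 16-digit token: no formula links it to the PAN,
            # so a dump of the merchant database cannot be "decoded".
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            while token in self._token_to_pan:
                token = "".join(secrets.choice("0123456789") for _ in range(16))
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return {"token": self._pan_to_token[pan], "last4": pan[-4:]}

    def detokenize(self, token: str, credential: str) -> str:
        # Only the vault, presented with its credential, can map a token back to a PAN
        if not hmac.compare_digest(credential, self._credential):
            raise PermissionError("vault credential required")
        return self._token_to_pan[token]

def merchant_record(vault: TokenVault, customer: str, pan: str) -> dict:
    """What the merchant's own system stores: the token and last four, never the PAN."""
    issued = vault.tokenize(pan)
    return {"customer": customer, "token": issued["token"], "last4": issued["last4"]}

def record_exposes_pan(record: dict, pan: str) -> bool:
    """Breach check: does a stored record hand an attacker the card number?"""
    return any(str(v) == pan for v in record.values())
```

The point of the split is that a copy of the merchant’s records yields only tokens and last-four digits, while the mapping back to real card numbers lives with the vault’s professionals.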
Raise the term “PCI” (Payment Card Industry) and watch a merchant’s hackles rise. There’s a (probably unfair) perception that the PCI-SSC (Payment Card Industry Security Standards Council) is constantly burdening businesses with requirements in order to accept card-based payments. However, the PCI-SSC imposes these requirements because IT WORKS! The measures have reduced credit card fraud and helped combat very smart data thieves. If you can accept that PCI is simply part of doing business in the 21st century, you’ll sleep better at night.
EMV chip cards, in place internationally for some time, are slowly entering the U.S. market. Within a couple of years, we can expect chip cards to be universal. At the point of purchase, EMV does eliminate card fraud: the chips are nearly impossible to duplicate and the processing is dynamic (data never moves the same way twice). What’s more, the industry has implemented a ‘liability shift.’ This means that, within the payments chain, whoever didn’t implement EMV will be liable for a data breach (no longer the credit card companies). In short, you don’t have to accept EMV, but if you get breached (and you could have prevented it), you’re on the hook for a very expensive problem affecting numerous parties.
Next up: QIR
PCI has a new one coming, and it’s a common-sense solution. With the clear shift in criminal hacking toward small businesses, the PCI-SSC is requiring that payment systems be implemented by Qualified Integrators and Resellers (QIRs), a new certification. For another layer of security, look for payment partners who have QIRs on staff.