Data security has become one of the hottest issues in the payment industry, with major security breaches at some of the nation’s biggest retailers consistently making news headlines.
It started with the Target data breach during the holiday shopping season last year, which jeopardized the security of payment data on 40 million Target customers’ credit and debit cards.
Since then, major corporations including Best Buy®, Neiman Marcus, SONY® and Zappos.com® have all been the victims of data breaches. Most recently, Home Depot® announced that a data security breach has placed as many as 56 million customers’ credit and debit cards at risk, which makes this one of the biggest data security breaches yet.
The Cost of Security Breaches
The average data security breach costs companies $5.9 million, up from $5.4 million a year earlier, according to the Ponemon Institute’s 2014 Cost of Data Breach Study. Meanwhile, the cost per breached record is $201, up from $188 a year earlier.
Some industry experts say that the holiday shopping season tends to be an especially vulnerable time for merchants when it comes to data security. When stores get busy and their lines long, merchants sometimes lower their guard against fraud by relaxing some of the normal payment security procedures. This makes now the best time to start focusing on data security in preparation for the upcoming holiday shopping season.
Upgrade Your Point-of-Sale Terminal to Increase Data Security
One of the best things you can do to increase data security at the point-of-sale (POS) is to upgrade to a new dual-interface, EMV®-capable POS terminal. The U.S. payment system is moving away from magnetic stripe cards to a more secure type of card technology commonly referred to as EMV, or “chip and PIN.” This technology substitutes the magnetic stripe on the back of a credit or debit card with a computer chip that stores the cardholder’s payment information.
The EMV processing environment is much more secure than the magnetic stripe card environment because chip and PIN cards are nearly impossible for data thieves to duplicate. Even if hackers are able to steal cardholders’ payment information, this information is of no use to them because they can’t create a new card with a microchip, like they can create new magnetic stripe cards.
Upgrading to a new dual-interface terminal will also enable you to take advantage of the enhanced security capabilities of tokenization and near-field communications, or NFC. Tokens are comprised of upper- and lower-case letters, numbers and special characters that have no relationship to customers’ actual payment information. They are undecipherable, so tokens have no value to hackers if they are stolen.
NFC technology, meanwhile, permits contactless transactions in which customers make payments by simply waving their card or smartphone near the terminal, instead of inserting their card into a card reader. Contactless NFC terminals are generally more reliable than mag stripe readers and require less ongoing maintenance.
More Data Security Tips
Below are several other suggestions for increasing cardholder data security:
1. Don’t store unneeded cardholder data. The Payment Card Industry Data Security Standard (PCI DSS) allows only the account number, expiration date and cardholder name to be stored by merchants.
2. Secure printed data. In addition to electronic data, physical data also needs to be kept secure. This includes paper receipts, orders, invoices and anything else that contains sensitive cardholder payment data. These should be stored under lock and key and shredded once they’re no longer needed.
3. Keep your network secure. Your Internet connection should be protected by a properly configured firewall, and you should use and regularly update the latest anti-virus software on any computers that handle and store cardholder data.
4. Protect your business from card scams. Current scams involve a customer who provides a stolen and/or canceled payment card to the merchant. After the merchant attempts to swipe the card(s) through the terminal, the customer will advise the merchant that a "code" or "PIN" is needed to process the transaction, and will ask that the merchant enter that number into the point of sale terminal, which takes the terminal into an "offline" processing mode. In order to process a payment card sale for a customer you should NEVER need to ask your customer for a password or PIN number, and should NEVER enter a password or PIN for your customer through your terminal. If you suspect a customer fraud scam or have questions on suspicious activity, please call our Client Services Support Team at 1-800-742-5030 and request to be transferred to Security.
Please call PNC Merchant Services® customer service at 800-742-5030 if you have any more questions about payment data security.
EMV is a registered trademark in the U.S. and other countries, and is an unregistered trademark in other countries, owned by EMVCo.
All other trademarks, service marks and trade names referenced in this material are the property of their respective owners.
This Merchant Business Insights e-Newsletter is designed to provide useful and practical information for merchants accepting card transactions. It is not intended to be legal, tax, accounting or financial advice, nor should it be substituted for a full and regular review of the Association Rules and any changes thereto. Internet sites provided in this e-Newsletter are provided as a convenience to our readers. While PNC Merchant Services endeavors to provide resources that are reputable and safe, we are not responsible for the information, products, or services obtained on such sites.
Merchant Services provided by PNC Merchant Services Company and are subject to credit approval. PNC Merchant Services is a registered trademark of The PNC Financial Services Group, Inc.