As more customers pay with credit cards, debit cards and mobile devices, it's more important than ever to keep data safe. Not only do robust payment security procedures build trust with customers, you'll also help protect yourself against threats and to avoid potential fines from credit card networks and federal regulatory agencies.
Here are a few best practices to follow to help protect sensitive card information.
1. Follow PCI DSS.
The Payment Card Industry Security Standards Council created the Payment Card Industry Data Security Standards (PCI DSS) to establish basic credit card processing security standards. Following PCI DSS guidance will help you avoid breaches, as well as fines imposed by credit card companies for noncompliance.
No matter how small your business, you'll need to validate PCI DSS compliance. The first step is to complete a PCI DSS self-assessment questionnaire.
2. Enlist a PCI DSS validation services provider.
To validate PCI DSS compliance and start the questionnaire, it's best to work with a certified validation services provider. Companies like PNC Merchant Services®* provide validation services to merchant clients. For example, Sysnet is one of a few companies that provides PCI compliance services for small and midsized businesses.
3. Employ a security solution.
Data breaches don't just happen to large corporations. A shocking 90 percent of breaches impact small business. Symantec's 2016 Internet Security Threat Report shows that 43 percent of small businesses were subject to phishing campaigns, and one in 40 small businesses are at risk of cyber crime[1].
To help protect your business and your customers from phishers, use a merchant solution that encrypts cardholder data, including PINs. Encryption should help protect data in use and at rest. Other features to consider include network vulnerability scans and methods to protect your system against viruses.
When receiving payments from clients, use a tool such as a Universal Payment Identification Code (UPIC). UPIC masks your checking account number so you can accept ACH credits without providing your PNC account number to the payor.
4. Upgrade to EMV.
If you haven't upgraded to EMV (chip card)-enabled terminals, you're behind the curve. Financial liability for card-present counterfeit card losses started to shift from issuing banks to businesses in October 2015.
In addition to reducing credit card fraud, EMV-capable terminals can accommodate upgrades such as contactless transactions, where users tap or wave the card instead of inserting it.
5. Keep only what's needed.
Under PCI DSS, you should only store customers' account numbers, expiration dates, and cardholder names. There's no need to store full-track magnetic stripe data, CVV2 codes, and other information for authorized transactions.
6. Control access.
Make sure any remote employees or contractors with access to your computers (such as IT support) protect customer data as well as you do. Restrict contractors' access to data and the times they have remote access. For remote employees, consider a virtual private network (VPN) for data access, and use multifactor identification for added security.
7. Secure printed data.
Thieves can access and use physical data — receipts, orders, invoices, and accounting records — just as easily as electronic data. Securely store any documents that contain customer financial and credit card information in a locked desk, file cabinet, or closet.
Limit printed data access only to individuals that need the information to process credit card transactions or respond to specific inquiries. When you no longer need these records, destroy them in a secure manner, such as shredding.
Accounting software and tools such as PNC Bank's Cash Flow InsightSM** with Payables/Receivables let you upload bills and other documents so they're stored within the tool and not your filing cabinet. The tool also syncs with accounting software such as QuickBooks, Xero and NetSuite, among others.
8. Another thing about those receipts.
Under the Fair and Accurate Credit Transaction Act (FACTA), all credit and debit card receipts must shorten account information to include no more than the last five digits of the card number, and no expiration date[2]. Full credit card numbers on sales receipts mean easy money for identity thieves.
