By Collin Sullivan, Avatas National Accounts Manager
Security is one of the topics that most often comes up when onboarding new customers and checking in with existing ones, particularly PCI compliance and what it means for their business.
As a merchant who accepts credit cards, you are responsible for securing your customers’ data and complying with PCI standards, but don’t panic. While complying with PCI may seem overwhelming, it is really just common sense.
First, here are a few interesting statistics that will get you thinking about data security for your business.
- 81% of credit card fraud happens in businesses with less than 50 people. (Hiscox)
- 20% of small businesses are victims of cybercrime each year. (National Cyber Crime Alliance)
- 60% of small businesses who have experienced a data breach are out of business within six months. (National Cyber Security Alliance)
- The average loss for a small business from cyber-crime and fraud, including credit card fraud, is $155,000. (Association of Certified Fraud Examiners)
So, if you are serious about wanting to protect your customers and company data, and you should be, what is the best way to tackle PCI and implement it for your business? First, don’t get caught up in the terminology. Think about it this way: What do you do to get your house ready before you and your family go to bed? If you are like most people, you go through and make sure all access points to your house are secure. More specifically, you lock your front door, back door, side door, and windows. Now apply this same framework to your business.
Website: The Front Door to Your Business
For your business, your website is like the front door to your house. It is the most visible entry and accessible by practically everyone. With websites there are a couple of vulnerabilities to be aware of. The first deals with how information is exchanged over the internet. In most cases, data across the internet is in text form. That means that if your customers transmit information to you via your website, it could be intercepted and read by hackers. The second is that if your web software isn’t up to date, there might be holes that can be exploited. To help mitigate these risks, deploy the Secure Sockets Layer (SSL) protocol (at AVATAS we require all customers to do this) to safeguard information flowing between your customers and your website, and make sure that you are keeping your web software updated.
Back-End Office Software: The Backdoor To Your Business
The next area to think about is the back-door to your business. For most of our customers, this would be the back-office software used to run your business, and process payments. The danger is that if someone can get in here, they may be able to access customer data. Since most companies purchase this type of software, your goal is to ask potential partners the right questions. The first question: Is your software and its payment modules PCI Level 1 certified? If not, tread carefully. You should also find out more about the company. Do they have a history in the industry and can they provide references? Next learn a little more about how the software actually secures data. Key words that you should look for that suggest your vendor is serious about security: encryption, tokenization, firewall, SSL and hosted payment page. You should also ask them where your data will be stored, including the physical location and whether it will be on a server or in the cloud.
Locking the Side Door: Safely Handling Customer Information
So you are confident that your front door and back door are locked. Now, look at your side door. For businesses, this means making sure that your company safely handles sensitive customer information and keeps it from prying eyes. The best way to do this is to let customers enter their own information using online or other IVR tools that bypass the human element both in and out of your organization. However, if you aren’t ready for that, make sure you have detailed policies in place that govern the storage and destruction of this information. Other things that you should think about include: restricting access to areas where sensitive information is stored, and background checks for employees who handle it.
Lock those windows and go to bed: internal IT policies
The last area to think about is your internal IT tools and policies. For your business, these are the windows you need to lock. Fortunately, it doesn’t take too much to secure these avenues. By using antivirus software and keeping it updated, you can significantly mitigate the risk posed by viruses, phishing scams, spyware and other malware.
On the internal policy side, make sure every user has their own login information. This not only allows you to segment access to sensitive data, but it also allows you to track what users are doing and cut off access once someone has left your organization. Along these same lines, put in requirements for password complexity (and require that passwords be changed periodically). Finally, make sure that employees do not keep card data on file (i.e., on their desks or computers).
AVATAS Payment Solutions is a leading payment processing company for the energy and service industry. Collin Sullivan is AVATAS’s national accounts manager and can be reached at 866.298.7836 or by email at email@example.com.