In this day and age, accepting credit cards is a necessity for your business. But accepting credit cards means accepting the unique challenges and risks that accompany them.
Technological innovations like EMV chip cards and CAPTCHA continue to make payments more secure, but fraud and data security are issues that will plague businesses large and small for years to come. When there’s a new data breach headlining the news every few months, what’s a business owner to do?
Unfortunately, it’s impossible to prevent 100% of security risks, but there are steps you can take to mitigate those risks. Keep reading for our top 5 security risks in credit card payments (and how to protect your business from them):
1. Employee Error
You know how important it is to invest in a secure network. All of your users have personalized passwords that they update on a regular basis. You’ve set up a separate Wi-Fi network for guests. You even have a top of the line firewall. But not all security risks come from outside the walls of your business.
One often overlooked fact is that the majority of data breaches stem from internal employee error. According to this study conducted by the Ponemon Institute, 54% of data breaches are caused by employee negligence. One example is the now infamous Equifax breach of 2017, in which the personal information of almost 146 million Americans was exposed. The cause? A single employee in the company’s technology department didn’t install a recommended software update.
The solution: Arm your employees with the knowledge and training they need to securely handle customer and company information.
Make sure to address cyber awareness in your company policies and training program. This should cover everything from recognizing suspicious emails to securing company-issued laptops and cellphones. If you’re not sure where to start, check out our Guide to Online Threats, Controls and Best Practices.
2. Improperly Stored Credit Card Information
Storing full credit card information can make you a target for hackers or even exploitation by your own employees. Even worse, if your business experiences a data breach because of improperly stored card information, you’re subject to remediation, fines, and—potentially—the inability to accept credit cards.
If your business schedules recurring payments or has repeat customers that want to keep a card on file, that information needs to be stored securely. But how?
The solution: Store information in compliance with PCI DSS.
PCI DSS stands for Payment Card Industry Data Security Standard. The standard was created by the card associations to foster safe processing environments. All merchants that process credit cards, even just one or two a year, are required to meet it.
The requirements for safely storing full card information are almost impossible for a small business to meet, but there’s a way to enjoy the benefits of keeping cards on file without taking on that burden yourself. In this scenario, card information is encrypted and stored with a PCI-compliant third party.
When a cardholder’s information is on file with a business, the business itself typically won’t have access to the full card number. That’s because the information is encrypted and stored by the secure third party. When an employee looks at that cardholder’s file, they should see only the last 4 digits of the card number. This protects not only against hackers but also against disgruntled employees who might write down card numbers when they’re let go.
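The arrangement just described, as an added example that is not part of the original article: the merchant hands the card number to a vault, keeps only a random token plus the last four digits, and charges the card later by token. `CardVault` here is a hypothetical in-memory stand-in for the PCI-compliant third party; a real integration would call the provider's API and the merchant would never hold the stored PAN at all. The card number used is the well-known test value 4111 1111 1111 1111, not a real account.

```python
"""Keep only a token and the last 4 digits of a card on file (added example).

CardVault is a hypothetical stand-in for a PCI-compliant tokenization provider.
In production the provider's API replaces this class; the merchant database
stores only what store_card_on_file() returns.
"""
import re
import secrets
from typing import Dict, Tuple


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: catches mistyped numbers, says nothing about fraud."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and reject anything that is not a plausible card number."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a well-formed card number")
    return digits


def mask_pan(pan: str) -> str:
    """Display form: every digit but the last 4 replaced by '*'.

    PCI DSS permits showing at most the first 6 and last 4 digits; showing only
    the last 4, as the article recommends, is the stricter choice.
    """
    digits = normalize_pan(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


class CardVault:
    """Hypothetical tokenization provider. The PAN lives only inside this class,
    i.e. inside the provider's PCI scope, never in the merchant's records."""

    def __init__(self) -> None:
        self._cards: Dict[str, Tuple[str, int, int]] = {}

    def tokenize(self, pan: str, exp_month: int, exp_year: int) -> str:
        digits = normalize_pan(pan)
        token = "tok_" + secrets.token_hex(12)   # random; not derived from the PAN
        self._cards[token] = (digits, exp_month, exp_year)
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        """Simulated authorization: the merchant supplies only the token."""
        if amount_cents <= 0 or token not in self._cards:
            return False
        return True


def store_card_on_file(vault: CardVault, customer_id: str, pan: str,
                       exp_month: int, exp_year: int) -> Dict[str, object]:
    """The record the merchant's own database keeps: token, last 4, expiry. No PAN."""
    token = vault.tokenize(pan, exp_month, exp_year)
    return {
        "customer_id": customer_id,
        "token": token,
        "last4": normalize_pan(pan)[-4:],
        "display": mask_pan(pan),
        "exp_month": exp_month,
        "exp_year": exp_year,
    }


def record_contains_pan(record: Dict[str, object], pan: str) -> bool:
    """Sanity check before persisting: the full card number must not appear anywhere."""
    digits = normalize_pan(pan)
    return any(digits in str(value) for value in record.values())


if __name__ == "__main__":
    vault = CardVault()
    rec = store_card_on_file(vault, "cust_42", "4111 1111 1111 1111", 12, 2030)
    print(rec["display"], rec["token"])          # ************1111 tok_...
    print("charged:", vault.charge(rec["token"], 1999))
```

The check in `record_contains_pan` is worth running in tests against whatever your own system writes to disk or to logs; the most common way merchants end up with full card numbers on file is not a deliberate design but a debug log or a CSV export nobody reviewed.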
3. Credit Card Fraud
A 2017 report from the US Payments Forum found that, due to the increased security of EMV chip cards, fraudsters had begun to shift their focus to card-not-present (CNP) transactions. This is a particularly difficult problem, as it’s hard to verify the legitimacy of a transaction without access to the physical card. Fraudsters will often use bots to attempt hundreds of card numbers in quick succession until one goes through.
There’s also the problem of chargeback fraud, sometimes known as friendly fraud. This is when a purchase is made, goods or services are delivered, and then the charge is disputed with the cardholder’s issuing bank. Often, this is just because of confusion on the cardholder’s end, but it can sometimes be intentional and malicious.
The solution: Be vigilant and trust your instincts.
When it comes to online credit card fraud, it’s best to err on the side of caution. Your processor should have a tool to prevent the mass entry of card numbers by bots (this is what those “enter the displayed characters” and “click each box with a vehicle in it” prompts you often see on websites are for). You can also use Address Verification Service (AVS) to verify that the billing address matches what the card issuer has on file. As a last resort, you can always call the customer-provided phone number to verify details.
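The two checks described above, as an added example that is not from the original article or from any processor's product: a detector that flags a source submitting many distinct card numbers in a short window (the bot behaviour described under section 3), and an AVS review rule that holds approved transactions whose billing address did not match. The log format, the thresholds and the AVS code meanings (Y full match, A address only, Z ZIP only, N no match) are assumptions made for this example; the log lines are constructed and use documentation IP ranges.

```python
"""Flag automated card testing and AVS mismatches in authorization logs (added example).

Log format (assumed): timestamp source masked_pan result avs_code
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple

# Constructed sample: one source hammering six different cards in 22 seconds,
# two ordinary customers, one approval with a failed address check.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.7 ****0001 declined N
2024-05-01T10:00:04Z 203.0.113.7 ****0002 declined N
2024-05-01T10:00:09Z 203.0.113.7 ****0003 declined N
2024-05-01T10:00:13Z 203.0.113.7 ****0004 declined Z
2024-05-01T10:00:18Z 203.0.113.7 ****0005 declined N
2024-05-01T10:00:22Z 203.0.113.7 ****0006 approved A
2024-05-01T10:01:30Z 198.51.100.9 ****4242 approved Y
2024-05-01T10:05:00Z 198.51.100.22 ****1111 approved N
2024-05-01T10:06:00Z 198.51.100.22 ****1111 declined N
"""


class AuthEvent(NamedTuple):
    ts: datetime
    source: str   # client IP or session id that submitted the card
    card: str     # masked PAN: log only the last 4, never the full number
    result: str   # "approved" or "declined"
    avs: str      # assumed codes: Y full match, A address only, Z zip only, N no match


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the assumed space-separated log format into AuthEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, source, card, result, avs = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(when, source, card, result, avs))
    return events


def find_card_testing(events: List[AuthEvent], window_seconds: int = 60,
                      max_attempts: int = 5, min_distinct_cards: int = 4) -> Dict[str, dict]:
    """Return sources that tried >= max_attempts authorizations on
    >= min_distinct_cards different cards within any window_seconds span.

    Distinct cards matter: a real customer retrying one card after a typo is
    not card testing, even if they retry several times.
    """
    by_source: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in events:
        by_source[e.source].append(e)

    window = timedelta(seconds=window_seconds)
    flagged: Dict[str, dict] = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide the window forward
                start += 1
            burst = evs[start:end + 1]
            distinct = {e.card for e in burst}
            if len(burst) >= max_attempts and len(distinct) >= min_distinct_cards:
                stats = {
                    "attempts": len(burst),
                    "distinct_cards": len(distinct),
                    "declines": sum(1 for e in burst if e.result == "declined"),
                }
                # keep the largest burst seen for this source
                if source not in flagged or stats["attempts"] > flagged[source]["attempts"]:
                    flagged[source] = stats
    return flagged


def avs_review(events: List[AuthEvent], require_full_match: bool = False) -> List[AuthEvent]:
    """Approved transactions to hold for manual review based on the AVS result.

    An issuer can approve a charge even when the address fails to match; AVS is
    advisory, so the merchant has to act on it. Strict mode holds anything
    short of a full match (Y); default mode holds only outright mismatches (N).
    """
    held = []
    for e in events:
        if e.result != "approved":
            continue
        if e.avs == "N" or (require_full_match and e.avs != "Y"):
            held.append(e)
    return held


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("card testing:", find_card_testing(evs))
    print("hold for review:", [(e.source, e.card) for e in avs_review(evs)])
```

Thresholds like five attempts across four cards in a minute are a starting point, not a rule; tune them against your own traffic so that a shared office or campus address (one IP, many genuine customers) does not trip the detector. Whatever you flag, the response belongs on the defensive side: rate-limit or challenge the source, and review or refund the one authorization that slipped through, since an approved transaction at the end of a burst of declines is exactly the card the attacker was looking for.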
4. Outdated System Software
We mentioned earlier that Equifax’s notorious data breach was caused by outdated system software, and that wasn’t an isolated incident. A 2017 survey of 35,000 companies discovered that almost 25% of them were using outdated browsers. Those companies were twice as likely to experience a data breach.
The solution: Install updates as they become available.
It’s frustrating to log in to your computer every morning to see there’s yet another update to install. Thankfully, technology can make this process a little easier. Your operating system and browser will typically notify you when an update is available. There are even programs available to monitor your system for available updates.
Above all, remember that the main reason these updates are rolled out is to address security threats and help you protect yourself and your business.
5. POS Skimming
“Skimming” is a term used to describe a process in which card information is compromised at the point of sale (POS). Most commonly, skimming occurs when an employee runs a credit card through an out-of-sight skimmer that copies the card information. They can then use that card information to make online purchases.
POS tampering is a form of skimming where a fraudster will install a skimmer on your existing terminal. It can happen quickly.
The most nefarious type of skimming involves criminals posing as representatives of your bank or processing company. These “representatives” will then replace your processing equipment with a clone that will transmit card information directly to them or store it until they return for the device.
The solution: Monitor your POS device for signs of skimming. Better yet, don’t give fraudsters a window to tamper with your device or copy card information.
The most effective way to prevent employees from skimming card information is to make sure the card never leaves the customer’s sight. In some businesses, like restaurants, this can be difficult. One solution is utilizing a mobile card reader, like the Clover Go, that allows servers to collect payment right at the table. Another option is to keep your device within view of customers.
To prevent tampering or swapping, never leave your processing device unattended during business hours. Regularly inspect your device for odd changes. A stray cable, loose screw, or new terminal sticker can all be signs of tampering. Be wary of anyone claiming to be a representative of your bank or processor, and always call to verify their identity.
No payment method will ever be completely devoid of risk. In 20 years, we’ll most likely be facing a very different processing landscape than we are now, with very different risks. Keep checking in with us to learn how to keep your business safe as threats continue to evolve. Just know that as long as you follow these best practices, the benefits of accepting credit cards will continue to far exceed the risks.