Your understanding of Payment Card Industry Data Security Standards (PCI DSS) is vital to managing the risk your business exposes itself to with every customer transaction that involves sensitive customer and financial data. Here are a few manual and systemic processes all businesses that accept credit cards should implement per the latest set of PCI Data Security Standards issued by the PCI Security Standards Council (PCI SSC) in November 2013, to ensure compliance in handling sensitive customer data and to mitigate the potential that a costly data breach will occur.
Assess your risk. PCI security standards are designed to protect both businesses and consumers in the exchange of sensitive information. If your credit card transaction volume isn’t significant, you can mitigate some degree of risk by using a third-party hosted payment gateway to facilitate transaction processing and data exchange, but ultimately, it’s your business’s responsibility to ensure the payment provider is PCI compliant. (If your business is not compliant and a breach does occur, your business could be prosecuted and/or subject to lawsuits, in addition to costly fines, and a loss of customer trust.)
Ensure that the terminal devices and payment processors, and processes you rely on to conduct business are verified as compliant by the PCI SSC, and remain vigilant about your systems. PCI standards also require that businesses continuously “stress test” systems to spot potential vulnerabilities in firewalls and antivirus products, maintain records of such audits, and report findings to the acquiring bank and global payment brands with which a business transacts. Additionally, consider the risk a particular business model inherently presents: The PCI SSC notes that businesses with high transaction frequency, that exchange PIN-based data, and those with stand-alone payment terminals and/or ATMs are at greater risk of data security threats. It also cautions businesses who outsource IT operations to be especially vigilant, estimating that 63 percent of businesses who have been involved in a security theft were relying on a third party vendor to provide such protection at the time of the incident.
Instill manual checking processes. Though ensuring that security software and Wi-Fi connections used to transmit sensitive customer data are secure and compliant is a critical step in protecting sensitive data, revised PCI security standards acknowledge that many data breaches begin with a fraudulent intercept brought on premise by a “live” criminal, including those posing as service technicians, customers or employees. To mitigate the risk of such data theft, the PCI SSC recommends businesses implement daily processes (and potentially, more frequent monitoring schedules, such as during shift changes, depending on the amount of sensitive information that a business handles).
Manual security processes should include checking that serial number stickers on the back of “card swipe” terminals haven’t been replaced or tampered with, including cross-checking numbers on the stickers with the serial number indicated electronically from the device. Document the condition and placement of all payment terminals in your business with photos, including where stickers are placed by the manufacturer (often affixed over screw holes that open a device); check them as part of the daily procedure to ensure placements remain as shown in the photo. Photo documentation of cords that attach to payment terminals can also help to identify if cords were swapped with fraudulent wires. If your business includes ATMs or terminals on-site that involve customer PIN information, check the areas surrounding the units as part of your daily practice (including ceiling tiles) to locate recording devices that thieves install to skim card numbers and PIN data.
Educate your staff on mobile payment security. As mobile devices and mobile payments gain in popularity, the methods by which data thieves can capture information have evolved. Though the latest PCI standards mandate that mobile payment processors and vendors who offer remote support follow upgraded authentication procedures to encrypt sensitive data, implementing internal controls from the front lines of your business is equally important. Educate teams on the importance of locking payment terminals if they must leave the customer at the POS for a price check or similar need, and to be mindful of the actions of customers waiting in line to check out. For example, a data thief standing behind a person in a checkout line can casually tap into the data being transmitted by an NFC card reader at the point of sale, by simply placing a smartphone near the card reader.
Obtain and dispose of devices properly. When your business obtains new or upgraded terminal equipment, ensure that it originates from a licensed and verifiable payment issuer, and dispose of old terminals properly: Remove old data and identifiable labels and stickers associated with your business, and return the device to an authorized dealer who securely disposes of e-waste.
By Kristen Gramigna is Chief Marketing Officer for BluePay, a credit card processing firm, and also serves on its Board of Directors. The company is an all-in-one credit card processing company dedicated to security and fraud protection.