This guest post was written by Kristen Gramigna, Chief Marketing Officer for BluePay, a credit card processing firm. She has more than 20 years of experience in the bankcard industry in direct sales, sales management and marketing. Follow her on Twitter at @BluePay_CMO.
You do not have to be a major retail brand to fall prey to a security breach. In fact, USA Today reports that while 43 percent of businesses in the United States said they have experienced a data breach, fewer than 30 percent have a breach response plan. (Worse still, just 30 percent of businesses that did have one felt it was effective.)
Further, now that the October 2015 deadline has passed for most merchants to become equipped with the payment processing tools to process EMV chip-enabled credit and debit cards, you may be more responsible for payment security than you realize. It’s not just payment security that business owners need to look out for, but also the safety of their employees within the store. This is why a lot of businesses have now started to install security camera systems. But there are many other things that businesses can do regarding safety.
Here’s a look at retail security best practices all small business owners should follow:
Partner with PCI-compliant payment vendors. PCI compliance refers to a set of standards that were established in 2006 by the Payment Card Industry (PCI), but the best practices frequently change based on the latest security concerns that hackers and data thieves present. While you aren’t legally required to be PCI compliant, it protects your business and customers. However, because PCI compliance standards do change frequently and outline different protocols to follow based on the number and type of transactions a merchant processes annually, managing PCI compliance as a small business is challenging. You can ease the process and improve your retail business’s data security by simply choosing to work only with payment processors that guarantee PCI compliance throughout the entire transaction process, per the latest standards set by the PCI Security Standards Council. PCI scan quotes are available from Digital Defense, the first vendor to provide a PCI compliance manager service.
Conduct consistent security audits. Cybercriminals capture many of the headlines related to identity theft and security breaches, but many breaches originate for non-technical reasons, including physical manipulation of a point-of-sale device and basic human error. The PCI Security Council recommends that all businesses audit their physical storefronts and office spaces, software, hardware and point-of-sale terminals every 90 days, to identify and resolve potential vulnerabilities and mitigate the impact of any security-related events that occur.
In addition to reviewing firewalls, network security, applications, computers and mobile devices that can introduce malware, ensure that employees who manage your point of sale follow security best practices with every transaction. For example, customer account numbers should never be documented on paper and retained by your business, even if the customer asks you to do so for the sake of convenience or if payment processing systems stop working temporarily. If employees use their personal mobile devices to process mobile payments, ensure that each device runs the most current version of the operating system, that employees use the mobile payment provider’s secure app to process payments, and that they initiate transactions only when connected to a secure and private online network. To have further control over your business and employees’ safety, you can also use a special security app so you can control anything from the thermostat to surveillance footage from anywhere.
Process payments using EMV technology. If you’re among the 37 percent of merchants that The Strawhecker Group recently reported have adapted point-of-sale terminals to accommodate EMV (Europay, MasterCard and Visa) chip cards, you’ve taken great strides to adopt a best practice in payment security. Even though most of the EMV chip cards reissued to Americans during 2015 still have magnetic swipe capabilities, EMV chips use a process called tokenization, which enhances security. Because the process of tokenization assigns a unique identifier (the token) to each payment transaction, sensitive customer and payment-related data that could otherwise be used by identity thieves to create additional transactions and potentially fraudulent accounts is concealed. Plus, under the new payment security standards that apply to most merchants (with the exception of ATM operators and pay-at-the-pump fuel stations), a business that isn’t EMV compliant could be financially and legally liable for damages that result in the event of a breach.
Allowing customers to pay using a credit or debit card has become the norm in retail, but handling sensitive data also demands that your business take the necessary steps to provide a secure environment. By following security measures — like PCI compliance and EMV chip cards — and recognizing why they are so important, you can protect your business from unnecessary risk, and ensure customer transactions are more secure.