For as long as you own and operate a business that accepts credit card payments, any card data you store in readable form is a target for attackers. If that data is stolen while you are out of compliance with PCI DSS, your business is the one held responsible, whether the breached servers belong to you or to the third-party service you chose to process transactions: the card brands and your acquiring bank can pass on fines, card-reissuance costs and fraud losses, and they bill the merchant, not the vendor. You don't want this to happen to your business.
While it may be tempting to dump credit cards altogether, you know you'll just lose business in a climate where most people still don't pay with Bitcoin. You can be proactive about not becoming the target of the next class action lawsuit over a card breach by following these steps.
Make sure you are fully PCI DSS compliant.
This applies to every step of handling card data, from the card reader at the point of sale to the connection to the card network. If you are choosing a third party to process transactions for you, don't be shy about asking the tough questions: which PCI DSS requirements they cover for you and which remain your responsibility, and whether they can show you a current Attestation of Compliance (AOC). A vendor that can't answer those questions isn't capable of keeping you compliant.
Make sure you’re only using trustworthy vendors.
This goes not only for the card processor but also for the vendor you trust with your cloud storage. When card data is stolen, none of your customers will care that it could have been prevented if a third-party vendor had just been more careful; you are the one who gets sued if you picked vendors who couldn't support your compliance. When in doubt, ask the vendor for a current Attestation of Compliance signed off by a Qualified Security Assessor (QSA), or look them up on the card brands' lists of validated service providers. A QSA audits the vendor's policies, procedures and systems and produces the Report on Compliance that backs that attestation; a vendor that has never been through one is asking you to take its security on faith.
Make sure credit card numbers are truncated.
There have been cases of fraud in which the criminal lifted card data from a discarded receipt. The federal FACTA truncation rule, enforced by the FTC, requires that an electronically printed receipt show no more than the last five digits of the card number and no expiration date, yet businesses that ignored it have still been sued. The penalty might amount to no more than handing out vouchers for a free appetizer [1], but that is an expense you can avoid by following the rule. PCI DSS goes further for anything shown on screens or reports inside your business: mask the card number so that at most the first six and last four digits are visible, and show even those only to staff with a business need to see them.
Make sure all employees know and follow your security policy.
Many breaches start with social engineering: the attacker talks an employee out of a password or a way onto the network instead of breaking in technically. Make sure your employees know the common tricks (a caller claiming to be from "the bank" or "IT support", a phishing e-mail, a stranger tailgating into the back office) and know how to report them. Ghost in the Wires by security consultant and former hacker Kevin Mitnick should be required reading for anyone who wants to understand how attackers use social engineering to pry sensitive information out of businesses.
Make the IT security professional your friend.
One of the biggest frustrations for an IT security professional is a boss who won't listen and then blames them when something goes wrong. If you haven't already, work with your IT specialist on a policy that limits who and what can reach the systems holding card data, and keep those systems off the public internet. PCI DSS calls this set of systems the cardholder data environment, and putting it behind a firewall that admits only the hosts and ports the payment flow actually needs both shrinks what an attacker can reach and shrinks the scope of your audit. A system an attacker can't reach is far harder to break into, but segmentation is not invisibility: an attacker who lands on an office workstation will look for a path inward, so the rules between your internal networks matter as much as the ones at the perimeter.
Make sure you aren’t storing any more information than you have to.
Right now you may be asking yourself why you need to store card data at all, and that is a valid question; if your processor can hand you a token to keep in place of the card number, you may not need to. Short of that, limit your exposure by limiting what you store. PCI DSS draws a hard line around sensitive authentication data: the full magnetic-stripe or chip track data, the card verification code (CVV/CVC) and the PIN or PIN block must never be stored after authorization, not even encrypted. If you have fields for any of these, drop them now. It can be as simple as removing columns from your database, and your customers will feel better knowing that a criminal who steals your database still can't authorize transactions with what is in it.
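The truncation rules above and the "store only what you must" rule come together at the point where a card record is written to disk or printed. The following is an added example, not code from the original article: it masks a PAN for receipts (last four only, inside the FACTA limit) and for internal screens (first six and last four, the PCI DSS maximum), and it strips sensitive authentication data from a record before storage, reporting what it dropped so that card data reaching the storage layer shows up as a defect rather than silently getting saved. The field names and the sample record are constructed for the example; the 4111... number is the standard Visa test PAN.

```python
import re
from typing import Dict, List, Tuple

# Sensitive authentication data. PCI DSS forbids storing any of these after
# authorization, even encrypted. If they reach the storage layer something
# upstream is wrong, so sanitize_for_storage() reports what it dropped.
# (Field names are this example's assumption, not a standard.)
SENSITIVE_AUTH_FIELDS = ("track1", "track2", "cvv", "cvc", "pin", "pin_block")

# Cardholder data a merchant may keep when it has a business need for it.
ALLOWED_FIELDS = ("cardholder_name", "expiry", "token")


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes and check that the PAN is 13 to 19 digits."""
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return digits


def mask_pan(pan: str, context: str = "receipt") -> str:
    """Mask a PAN for display.

    "receipt": last four digits only, no leading digits. Stays within the
               FACTA rule (no more than the last five) and within PCI DSS.
    "display": first six and last four, the PCI DSS maximum for screens and
               reports seen by staff who need to identify a card.
    """
    digits = normalize_pan(pan)
    if context == "receipt":
        first, last = 0, 4
    elif context == "display":
        first, last = 6, 4
    else:
        raise ValueError(f"unknown masking context {context!r}")
    return digits[:first] + "*" * (len(digits) - first - last) + digits[-last:]


def sanitize_for_storage(record: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Build the record that is allowed to reach the database.

    Returns (stored_record, dropped_fields). The full PAN is never kept:
    only its receipt-masked form, plus the processor's token if one was
    returned. Unknown fields are dropped too; storing data by accident is
    how merchants end up with a database full of things they never wanted.
    """
    stored: Dict[str, str] = {}
    dropped: List[str] = []
    for key, value in record.items():
        if key in SENSITIVE_AUTH_FIELDS:
            dropped.append(key)          # never stored, not even encrypted
        elif key == "pan":
            stored["pan_masked"] = mask_pan(value, "receipt")
        elif key in ALLOWED_FIELDS:
            stored[key] = value
        else:
            dropped.append(key)          # default to not storing the unexpected
    return stored, dropped


def receipt_line(stored: Dict[str, str]) -> str:
    """Text that may appear on the customer's receipt: masked PAN, no expiry."""
    return f"CARD {stored['pan_masked']}"


if __name__ == "__main__":
    # Constructed sample of what a badly designed checkout might hand the
    # storage layer. Track and PIN block values are placeholders.
    raw = {
        "pan": "4111 1111 1111 1111",
        "expiry": "12/27",
        "cvv": "123",
        "track2": "4111111111111111=27121010000000000000",
        "pin_block": "A1B2C3D4E5F60718",
        "cardholder_name": "J. Doe",
        "token": "tok_constructed_example",
        "notes": "customer asked for a paper receipt",
    }
    stored, dropped = sanitize_for_storage(raw)
    print("stored :", stored)
    print("dropped:", dropped)
    print("receipt:", receipt_line(stored))
    print("screen :", mask_pan(raw["pan"], "display"))
```

If the `dropped` list ever contains a sensitive-authentication field in production, treat it as an incident in the making: find the code path that carried track data or a PIN past authorization and fix it there, rather than relying on this last line of defence.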
Make sure you use encryption and standards like TLS (HTTPS) everywhere you can.
Seeing https:// in front of your website's URL assures your customers that their card details are protected on the way to you; TLS protects data in transit, and the storage rules above protect it once it arrives. Keep the certificate current: browsers show a full-page warning for an expired certificate, and customers who see one will abandon the sale. Put the expiry date on a calendar or, better, check it automatically so you renew well before it lapses.
You should also encrypt files such as phone recordings in which a customer read his or her card details to your representative. Recording calls for quality purposes is fine, but a recording that contains the card verification code is sensitive authentication data, and PCI DSS does not allow you to retain it after authorization: either pause the recording while the code is read or delete that segment. Encrypt the recordings that remain, keep the keys somewhere other than the server that holds the files, and make sure no attached software such as a speech-to-text converter is quietly producing an unencrypted transcript of the same card details.
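The certificate check mentioned above, as an added example that is not part of the original article: it connects to a site with normal certificate verification on, reads the leaf certificate's expiry, and reports how many days remain so the renewal can be scheduled. The 30-day threshold and the default host are this example's assumptions. Only the standard library is used; the date arithmetic is kept in its own function so it can be exercised without a network connection.

```python
import socket
import ssl
import sys
import time
from typing import Dict, Optional

WARN_DAYS = 30  # assumption: start renewing when less than a month remains


def days_until_expiry(cert: Dict, now: Optional[float] = None) -> float:
    """Days from `now` (epoch seconds, default: current time) until the
    certificate's notAfter. `cert` is the dict that
    ssl.SSLSocket.getpeercert() returns, e.g.
    {'notAfter': 'Jun  1 12:00:00 2030 GMT', ...}."""
    if now is None:
        now = time.time()
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return (expires - now) / 86400.0


def classify(days_left: float, warn_days: int = WARN_DAYS) -> str:
    """Turn a day count into the word an on-call person wants to see."""
    if days_left < 0:
        return "EXPIRED"
    if days_left < warn_days:
        return "RENEW SOON"
    return "OK"


def fetch_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Connect with full verification (trust chain, hostname, validity) and
    return the server's certificate as a dict. Note that an already
    expired certificate never reaches days_until_expiry(): the handshake
    fails with ssl.SSLCertVerificationError, which is itself the answer."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    try:
        cert = fetch_cert(host)
    except ssl.SSLCertVerificationError as exc:
        print(f"{host}: certificate verification failed: {exc}")
        sys.exit(2)
    except OSError as exc:
        print(f"{host}: connection failed: {exc}")
        sys.exit(2)
    days = days_until_expiry(cert)
    status = classify(days)
    print(f"{host}: {status} ({days:.1f} days left, expires {cert['notAfter']})")
    sys.exit(0 if status == "OK" else 1)
```

Run it from cron against every hostname you serve, including the ones customers reach only through a payment page, and alert on any non-zero exit code; the exit status distinguishes "renew soon" from "could not verify at all", and the second one deserves a faster response.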
Make sure you aren’t ignoring payment options that limit your risk.
Some customers have been spooked by national news coverage of card data stolen by hackers. They might even have gone through the nightmare of cleaning up after identity theft and don't want to go through it again. Payment options that limit your risk include relatively new fintech offerings like Apple Pay, which presents your system with a device-specific token instead of the real card number, and Bitcoin, which involves no card data at all. Both are still very much niche options that may not add much to your sales, but accepting them reassures tech-savvy customers that you care about limiting their exposure to fraud, and every sale made that way is one less card number you have to protect.
Make sure you remember that hackers are increasingly targeting small businesses.
Attackers know that many small businesses put off security because their owners think they can't afford the investment until they grow a little bigger. That makes the systems holding a small business's card data an attractive target. So lock down everything that could turn into a hole an attacker can exploit: servers, third-party cloud storage, passwords, everything. If you think you can't afford it, remember that it's cheaper to do it now than to wait and clean up a major mess after the attackers get in. If you really can't afford it, consider holding off on accepting cards until you can.
Always remember that every customer who pays with a card trusts you to protect his or her personal and financial information. That's why PCI DSS exists even though it means extra cost for your business. Locking down as many variables as you can, so that neither you nor your customers are badly hurt by a breach, is cheaper than being the defendant in a lawsuit.
[1] http://www.seattletimes.com/business/olive-garden-settles-credit-card-suit-with-9-appetizer-voucher/