When It Comes to Data Security, Take No Chances
The data breach at Home Depot has reignited fears about security. Many businesses are rushing to calm nervous customers while secretly worrying about their own risks. The ins and outs of data security can seem overwhelming, especially if you aren’t an IT geek, but “hoping for the best” is always a lousy course of action. These three strategies address common weak points for many businesses.
1. Follow PCI Requirements.
If you’ve dealt with the payment side of your business, you’ve probably heard the term “PCI compliant.” If something is PCI compliant, it meets a set of benchmarks called the PCI DSS (Payment Card Industry Data Security Standard). The PCI DSS applies to any business that stores, processes, or transmits cardholder data, which in practice means any business that accepts credit cards. The requirements deal with data security, but many of them aren’t overly technical. For instance, one of them is “restrict access to cardholder data to employees whose jobs require it.” (In other words, lock up any documents that display account numbers, and don’t hand out logins to the systems that hold them to everyone on staff.)
Do an internal audit to find out if your business meets these basic standards, and come up with a plan to close any gaps. You can find all 12 requirements at the PCI Security Standards Council website; the self-assessment questionnaires (SAQs) published there are the checklist most small merchants use to do this.
2. Don’t Keep Cards on File.
Many dealers keep customer card numbers in their POS software, a spreadsheet, or written notes. Customers appreciate the convenience, but it makes your business an attractive target. The information is vulnerable to anyone who accesses your system (or your file cabinets), and every place it sits is one more thing you must protect and audit under the PCI DSS.
Instead of keeping cards on file, use a method called “tokenization.” With tokenization, your payment processor stores card numbers for you and gives your system a “token” for each one. Think of it as a digital claim check: a random reference the processor can look up, but that nobody else can turn back into a card number, because it is not an encrypted or hashed form of the number. When Joe Smith makes a purchase, your software gives the token for Joe’s account to the payment processor, which then runs Joe’s card. From the customer’s point of view this functions exactly like having a card on file. But if hackers get into your network, the card numbers simply aren’t there to steal. Two caveats: a token is only useful to your account with that processor (confirm with yours that tokens are scoped that way), and the system and credentials your software uses to redeem tokens still need protecting, since an intruder who controls them could run charges in your name.
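To make the claim-check idea concrete, here is a small Go simulation of both sides of tokenization. It is an added example written for this page, not code from DMSi, Agility, or any real processor, and it assumes one thing worth confirming with your own processor: that a token is bound to the merchant account that created it. The card number and customer name are constructed test data.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"regexp"
)

// Processor is the payment processor's token vault: token -> card number plus
// the merchant the token was issued to. The merchant never has access to it.
type Processor struct{ vault map[string]vaultEntry }
type vaultEntry struct{ pan, merchant string }

func NewProcessor() *Processor { return &Processor{vault: map[string]vaultEntry{}} }

// Tokenize stores the PAN and hands back a random token. The token is not
// derived from the PAN (no hash, cipher or formula), so it cannot be turned
// back into a card number without the vault.
func (p *Processor) Tokenize(merchant, pan string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := fmt.Sprintf("tok_%x", b)
	p.vault[tok] = vaultEntry{pan: pan, merchant: merchant}
	return tok, nil
}

// Charge runs a sale against the card behind the token. Only the merchant the
// token was issued to may redeem it, so a stolen token is worthless elsewhere
// (assumption: your processor scopes tokens this way; confirm it).
func (p *Processor) Charge(merchant, token string, cents int) (string, error) {
	e, ok := p.vault[token]
	if !ok || e.merchant != merchant {
		return "", errors.New("unknown token for this merchant")
	}
	return fmt.Sprintf("approved %d cents on card ending %s", cents, e.pan[len(e.pan)-4:]), nil
}

// Merchant is the dealer's side: its "card on file" store holds tokens only.
type Merchant struct {
	id     string
	proc   *Processor
	onFile map[string]string // customer -> token
}

func NewMerchant(id string, proc *Processor) *Merchant {
	return &Merchant{id: id, proc: proc, onFile: map[string]string{}}
}

// SaveCard sends the PAN to the processor once and keeps only the token.
func (m *Merchant) SaveCard(customer, pan string) error {
	tok, err := m.proc.Tokenize(m.id, pan)
	if err != nil {
		return err
	}
	m.onFile[customer] = tok
	return nil
}

// ChargeCustomer is the repeat purchase: the claim check goes back to the processor.
func (m *Merchant) ChargeCustomer(customer string, cents int) (string, error) {
	tok, ok := m.onFile[customer]
	if !ok {
		return "", errors.New("no card on file")
	}
	return m.proc.Charge(m.id, tok, cents)
}

// Dump is what an intruder who copies the merchant's card-on-file store gets.
func (m *Merchant) Dump() string { return fmt.Sprint(m.onFile) }

// ContainsPAN scans text the way a thief or a cardholder-data discovery scan
// would: any 13-19 digit run that passes the Luhn check counts as a card number.
var digitRun = regexp.MustCompile(`\b\d{13,19}\b`)

func ContainsPAN(text string) bool {
	for _, d := range digitRun.FindAllString(text, -1) {
		if luhnValid(d) {
			return true
		}
	}
	return false
}

// luhnValid is the Luhn check-digit test; s must be all digits (digitRun
// guarantees that). Every second digit from the right is doubled, digits summed.
func luhnValid(s string) bool {
	sum := 0
	for i, double := len(s)-1, false; i >= 0; i, double = i-1, !double {
		d := int(s[i] - '0')
		if double {
			d = [10]int{0, 2, 4, 6, 8, 1, 3, 5, 7, 9}[d]
		}
		sum += d
	}
	return sum%10 == 0
}
```

Two things to take from it: the merchant's store never contains anything that passes the card-number scan a thief (or your own PCI scoping scan) would run, and a token copied out of it is refused when presented under another merchant ID. What the example does not protect, and you still must, is the merchant's own credentials for talking to the processor.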
3. Stop Using Unencrypted Data.
Many POS systems work like this: the customer swipes their card, the POS system reads the account number, encrypts it, and sends it to the payment processor. Properly encrypted data is of little use to a thief. The problem is that the account number is unencrypted from the moment the terminal reads it until the POS encrypts it: it travels in the clear between the card terminal and the POS and sits in the POS’s memory while the POS handles it. Malware running on the POS can copy it from memory at that point, and that is the weakness behind the high-profile POS breaches.
The most secure payment method eliminates this gap. It’s called “point to point encryption” or P2PE. With P2PE, the account number is encrypted inside the card terminal itself, under keys the processor has loaded into the device, and it stays encrypted as it passes through (or around) the POS on its way to the payment processor. The POS can only relay ciphertext it has no key for, so there is nothing for malware on it to scrape. The terminal hardware and key management are controlled by the payment processor, and the keys that decrypt the data exist only at the processor. Because cardholder data is never readable in your systems, P2PE removes most of your environment from the breach picture and from PCI DSS scope. It does not cover everything: card numbers keyed in by hand from a phone order or a note are not protected, and you still have to check terminals for tampering or substitution, which the PCI DSS also requires. Ask your processor whether its offering is a P2PE solution validated and listed by the PCI Security Standards Council; only those earn the formal scope reduction.
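The difference between the two flows is easiest to see in code. The Go simulation below is an added example for this page, not a vendor’s implementation and not a PCI-validated P2PE solution: a real terminal uses per-transaction keys derived under DUKPT inside PCI PTS-approved hardware, whereas here a single AES-GCM key loaded into the terminal by the processor stands in for that, and a byte slice stands in for the POS’s process memory. The track data is constructed; the card number is the well-known Visa test number.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"regexp"
)

// Constructed track-1 data as a terminal reads it off the stripe. The PAN is
// the well-known Visa test number, not a real card.
const sampleTrack = "%B4111111111111111^SMITH/JOE^2512101000000000000?"

// trackPattern is what POS memory-scraping malware hunts for: a 13-19 digit
// PAN followed by the track-1 (^) or track-2 (=) field separator.
var trackPattern = regexp.MustCompile(`(\d{13,19})[\^=]`)

// ScrapeMemory plays the attacker: scan a buffer the way RAM-scraping malware
// scans POS process memory and return every PAN found.
func ScrapeMemory(mem []byte) []string {
	var pans []string
	for _, m := range trackPattern.FindAllSubmatch(mem, -1) {
		pans = append(pans, string(m[1]))
	}
	return pans
}

// newAEAD returns AES-256-GCM under a fresh random key. Only the OS random
// source can fail here, and without it nothing works, hence the panics.
func newAEAD() cipher.AEAD {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// seal returns nonce||ciphertext||tag under the given key.
func seal(a cipher.AEAD, pt []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return a.Seal(nonce, nonce, pt, nil)
}

// Store models the dealer's environment. posMemory stands in for the POS
// host's process RAM: every byte the POS handles is appended to it.
type Store struct {
	posMemory   []byte
	transport   cipher.AEAD // POS <-> processor link (TLS in practice); the POS holds this key
	terminalKey cipher.AEAD // loaded into the terminal by the processor; the POS never has it
}

func NewStore() *Store { return &Store{transport: newAEAD(), terminalKey: newAEAD()} }

// LegacyFlow: the terminal hands the swipe to the POS in the clear and the POS
// encrypts it for transport. The PAN sits in POS memory for the whole sale.
func (s *Store) LegacyFlow() (string, error) {
	s.posMemory = append(s.posMemory, sampleTrack...) // cleartext from the terminal
	blob := seal(s.transport, []byte(sampleTrack))
	s.posMemory = append(s.posMemory, blob...)
	return authorize(s.transport, blob)
}

// P2PEFlow: the terminal encrypts the swipe under the processor-loaded key
// before anything leaves the device; the POS only relays opaque bytes (in
// practice over the same TLS link, omitted here as it changes nothing).
func (s *Store) P2PEFlow() (string, error) {
	blob := seal(s.terminalKey, []byte(sampleTrack)) // happens inside the terminal
	s.posMemory = append(s.posMemory, blob...)       // all the POS ever sees
	return authorize(s.terminalKey, blob)
}

// authorize is the processor: decrypt under the key shared with whichever
// device sealed the blob (GCM rejects tampering) and answer with the last four.
func authorize(a cipher.AEAD, blob []byte) (string, error) {
	n := a.NonceSize()
	if len(blob) < n {
		return "", errors.New("short message")
	}
	track, err := a.Open(nil, blob[:n], blob[n:], nil)
	if err != nil {
		return "", err
	}
	m := trackPattern.FindSubmatch(track)
	if m == nil {
		return "", errors.New("no PAN in track data")
	}
	return "approved, card ending " + string(m[1][len(m[1])-4:]), nil
}
```

Run both flows and scan the POS memory as memory-scraping malware would: the legacy flow exposes the full PAN there, the P2PE flow leaves only ciphertext the POS has no key for, and the processor authorizes the sale either way.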
Ideally, when your customers bring up the Home Depot catastrophe you can tell them, “Transactions here are safe. We follow the PCI DSS, we never store your card number, and your information is always encrypted.” Businesses using DMSi’s Agility credit card module can say these things; it uses both tokenization and P2PE, which means unencrypted cardholder data never enters your system. It also eliminates the risk of data-entry mistakes from manually keying in credit card numbers. The Agility solution makes the payment process fast and convenient while shrinking the part of your business that falls within PCI DSS scope.
If you don’t use tokenization or P2PE and you have no idea if you’re PCI compliant, then you need to have a serious conversation about making your company more secure. There are a variety of options, but “hoping for the best” isn’t one you can afford.
This article was originally written for ProSales Online.