Fraud Prevention Pt. 1: Protect Your Business Against Data Breaches
Fraudsters accessing sensitive credit card data processed by your company can pose a financial risk to your business.
Known as a data breach, credit card data theft happens all too frequently. Reports about major data breaches surface multiple times a year, but small merchants are sometimes unaware of the risk data breaches pose to their business and of the requirements for compliance with the Payment Card Industry (PCI) Data Security Standard.
The Verizon 2012 Data Breach Investigation Report found that more than 70% of businesses breached had fewer than 100 employees and 96% were not Payment Card Industry (PCI) compliant. Cybercriminals, the report noted, look for ways to carry out large numbers of attacks quickly without much resistance, and unfortunately small businesses are ideal targets.
Data breaches are also costly. The 2011 Cost of Data Breach Study: United States, conducted by the Ponemon Institute, reported that data breaches cost merchants an average of $194 for each record stolen.
Fortunately, there are relatively easy and affordable security procedures small businesses can implement to be PCI compliant and help deter criminals. Here are seven ways to protect your business from credit card fraud:
1. Don’t store customer credit card data on your own system
Action: Set up your online shopping cart so credit card data is passed directly to the payment gateway and not stored on your own server or network. If the data must be stored for future transactions, choose a PCI-compliant third party provider to store the data and enable you to rebill the customer using a customer ID code or “token” instead of storing the credit card information yourself.
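The pattern described above, as an added example that is not from the original article and does not use any real gateway's API: the merchant's checkout hands card details straight to a simulated PCI-compliant gateway vault, keeps only the returned token plus display data (last four digits, expiry), and later rebills by token. The GatewayVault class, the tok_ token format and the test card number are constructed for the example; a check function confirms the full card number never lands in the merchant's own records.

```python
"""Card-on-file rebilling via a gateway token (constructed example)."""
import secrets
from dataclasses import dataclass


@dataclass
class CardDetails:
    pan: str      # primary account number, i.e. the full card number
    expiry: str
    cvv: str


class GatewayVault:
    """Stands in for a PCI-compliant payment gateway / token vault.

    Constructed for this example, not a real provider API. Card data lives
    only here; the merchant only ever sees an opaque token.
    """

    def __init__(self):
        self._vault = {}

    def tokenize(self, card: CardDetails) -> dict:
        token = "tok_" + secrets.token_hex(12)   # opaque, non-reversible reference
        self._vault[token] = card
        return {"token": token, "last4": card.pan[-4:], "expiry": card.expiry}

    def charge_token(self, token: str, amount_cents: int) -> dict:
        if token not in self._vault:
            raise KeyError("unknown token")
        return {"status": "approved", "amount_cents": amount_cents}


class MerchantStore:
    """The merchant's own database: token and display data only, never the PAN."""

    def __init__(self, gateway: GatewayVault):
        self.gateway = gateway
        self.customers = {}

    def checkout(self, customer_id: str, card: CardDetails, amount_cents: int) -> dict:
        # Card details are passed through to the gateway and not retained here.
        ref = self.gateway.tokenize(card)
        result = self.gateway.charge_token(ref["token"], amount_cents)
        self.customers[customer_id] = {
            "token": ref["token"],
            "last4": ref["last4"],
            "expiry": ref["expiry"],
        }
        return result

    def rebill(self, customer_id: str, amount_cents: int) -> dict:
        # Recurring charge using the stored token; no card number needed.
        rec = self.customers[customer_id]
        return self.gateway.charge_token(rec["token"], amount_cents)

    def stores_full_pan(self, pan: str) -> bool:
        # Control check: the full card number must not appear in any stored record.
        return any(pan in str(v) for rec in self.customers.values() for v in rec.values())


if __name__ == "__main__":
    gw = GatewayVault()
    shop = MerchantStore(gw)
    card = CardDetails("4111111111111111", "12/27", "123")   # constructed test card
    print(shop.checkout("cust-1", card, 2500))
    print(shop.rebill("cust-1", 999))
    print("PAN stored by merchant:", shop.stores_full_pan(card.pan))
```

The point of the split is scope: because the merchant side holds nothing a fraudster could charge elsewhere, a breach of the merchant database yields tokens that are useless outside that one gateway relationship, and the merchant's PCI obligations shrink accordingly.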
2. Limit access
Action: The computer or POS device used to process credit cards should not be connected to your general office network. This will help prevent computer viruses and password “sniffers” from infiltrating your payment processing system via your computer network. Also ensure sensitive customer data is not stored in spreadsheets, on your scanner hard drives, on USB drives, or on paper.
3. Use strong passwords
Action: Change the default usernames and passwords used to access your firewall, router, server administrative tools, POS devices and any other access points. If a service provider manages those things for you, ask them to verify they have changed the defaults. Do not use short or easy-to-guess passwords, such as “password” or your first name. Instead use a mix of letters and numbers that is at least eight characters long and difficult to guess. Change the passwords frequently. For tips on creating secure passwords, see this article on Slate. Provide separate logins for each employee who interacts with customer data, and remove access immediately for any employee who leaves your company.
4. Update your online security systems
Action: Keep all antivirus and anti-malware software up to date, and be sure all security patches for your computers and servers are installed as soon as they are released. Unless you have an in-house IT person who monitors such things for you, the best way to stay on top of antivirus updates and personal computer security patches is to allow the software to install updates automatically when they are released; for antivirus software this can be daily. If you have your own web server, instruct the team that manages it to install all patches and antivirus upgrades as they become available.
5. Train your employees
Action: Provide data security training and regular reminders to your employees. They must know and follow your procedures and policies at all times. The US Federal Trade Commission has a helpful guide to creating security policies for small businesses. Another excellent source of information for small businesses, including resources for training employees, is called OnGuard Online and is managed by the US Federal Trade Commission in conjunction with several other US government agencies.
6. Security doesn’t stop with your business
Action: All companies to which you outsource any element of transaction processing and storage need to be PCI compliant. Large third-party providers should have information about this on their website. Ask smaller companies to give you a written document stating they are PCI compliant.
7. Review regularly
Action: Create a security checklist for your company listing all the security tasks you need to review on a regular basis. This should include reviewing your computer networks, passwords and security software; the Better Business Bureau provides a comprehensive list of what to review. Be sure your company completes and passes a quarterly vulnerability scan of its network. Use a vendor recommended by your merchant account provider, or choose one from the PCI Security Standards Council's list of approved scanning vendors. Also familiarize yourself with the additional information about PCI compliance available from the PCI Security Standards Council; these documents tell you more about the security procedures you are required to follow.
By implementing the above seven best practices, you can help protect your business against data breaches and be PCI compliant.
Originally Published Aug. 14, 2012.