Providing customers with secure payment options is good for your brand and your bottom line. A data breach could result in fines from the payment card brands and remediation costs in the event of cardholder data loss – this is in addition to loss of business and your brand reputation.
What is a Data Compromise?
A data compromise occurs when cardholder data has been lost or stolen, typically (but not limited to) by:
- Theft of property that includes cardholder data
- Stolen laptops or computer files
- Missing or stolen reports that may contain cardholder data
- Unlawful theft of cardholder data by an employee
Computer forensics investigations on breaches have shown that many occurred because of the following:
- No or ineffective firewall separating the merchant’s network from the internet. Lacking a firewall allows an intruder open and direct access into your company’s computers.
- Software that is not updated with current security patches that address known vulnerabilities.
- No anti-virus protection. Having an updated anti-virus can detect and stop malicious software that is designed to steal cardholder data.
- The “out of the box” default password was not changed to one that is hard to guess, making it easy for intruders to “guess” the password and gain access into your systems.
- Tampering of the payment device. Older terminals lack good physical safeguards. In these cases, a ‘skimmer’ or a device that secretly records the cardholder data and sends it to the criminals unnoticed.
As a merchant, keeping informed of Payment Card Industry Data Security Standards (PCI DSS), the payment card brands mandates and becoming and staying compliant are important for your business.
How Can You Protect Customer Cardholder Data?
PCI DSS is a worldwide security standard designed to help merchants protect their business. The guidelines, measures and controls have been developed to help you implement strong security precautions to protect customer card data.
Here are eight quick steps to help get you started1:
- Use only approved PIN entry devices at your Point Of Sale (POS)
- Use only validated payment software at your POS
- Do not store any sensitive cardholder data in computers or on paper
- Use a firewall on your network and PCs
- Make sure your wireless router is password protected and uses encryption
- Use strong passwords. Be sure to change default passwords on hardware and software
- Regularly check PIN entry devices to make sure no one has installed skimming devices
- Teach your employees about security and protecting cardholder data
Protect Your POS Equipment
Criminals are increasingly targeting POS systems as a way of stealing payment card data.
There are a few ways your POS can be compromised. One is with skimming devices that can read PINs and cardholder information. Others have successfully used miniature cameras or video recording devices to obtain the information they are seeking.
To help avoid being compromised, here are some recommendations:
- Protect Your Equipment. Inspect your devices at the beginning and end of each day or shift for signs of tampering, confirm serial numbers and ensure there are no missing screws or no new holes have been made to the devices.
- Safeguard the Equipment in the POS Area. To help prevent criminals swapping your equipment for their own, use secure stands, tethers and security cables and hide equipment when not in use. You should also install your own security cameras and check the space for hidden cameras or unauthorized recording devices.
- Teach Your Staff How to Recognize and Prevent Equipment Tampering. Help employees recognize the signs of equipment tampering; validate all equipment service and repair technicians.
When accepting credit and debit cards it’s important to take steps to protect your business from fraud and data security breaches. By staying up-to-date on the latest in POS payment solutions, education and training, you can help protect your business from a compromise.