Mar 21st 2013
By Rob Bertke, senior VP of research and development, Sage Payment Solutions
According to a March 13 report from the US Department of Commerce, retail sales increased 1.1 percent in February, to $421.4 billion, marking the biggest surge in the retail space since last September. Elevated sales numbers mean additional credit card transactions and, as a result, an increased risk for fraud.
A recent report from Javelin Strategy & Research found that credit card fraud has increased an alarming 87 percent since 2010 and accounted for a cumulative total loss of approximately $6 billion. Despite mounting evidence of this growing epidemic, loss as a result of credit card fraud has remained the proverbial elephant in the room for many businesses.
Organizations need to increase their awareness of this growing threat and the rather simple steps they can take to prepare themselves. Here are five tips for businesses of all sizes to keep in mind as they navigate through the economic climate in 2013 and beyond:
1. Immediately deal with any breach. It's critical to understand that even if every cautious, conservative step is taken and the best payment processing security is installed, a breach can still occur. If it does, you must have detailed, time-stamped credit card sales records, including which terminal, register or online channel handled each transaction, to refer back to as a means of retracing your steps. This will help in determining when and where the breach took place and in mitigating the potential for additional losses. Know in advance whom to call at your payments provider and your acquiring bank; the card brands require prompt notification of a suspected compromise, and your provider can help you contain it. Furthermore, a proper assessment of the initial attack may ultimately provide a trail back to the source of the breach.
2. Maintain Payment Card Industry (PCI) compliance. Accepting credit or debit cards without being PCI compliant violates the card brands' rules, and in today's economic climate compliance is also an absolute must. Make certain your payment processing software is current and is a Payment Application Data Security Standard (PA-DSS) validated application, and that your business validates its own compliance with the Payment Card Industry Data Security Standard (PCI DSS) every year.
PCI validation provides a level of confidence and assurance that a processor has followed, and been assessed against, a robust set of controls for securing the information being processed when credit card payments are made. There's no silver bullet here. You have a responsibility to protect your customers' credit card information, just as you should be protecting all of your customer data.
The depth of the assessment required will depend on your annual transaction volume and on which of your systems touch card data: lower-volume merchants complete a Self-Assessment Questionnaire, while the highest-volume merchants must have an on-site assessment by a Qualified Security Assessor. Either way, a full PCI assessment offers a scorecard across your business' payments environment, including all connected back-office applications, allowing you to make critical changes before thieves find the holes for you.
3. Use end-to-end encryption for all sensitive data. End-to-end encryption (E2EE) means the card data is encrypted at the moment it is captured and stays encrypted until it reaches the processor that authorizes the transaction, so that no system in between, including your own, can read it. Done properly, with the decryption keys held only by the processor, a compromise of your point-of-sale system, network or back office yields only ciphertext, and the portion of your environment that is in scope for PCI DSS shrinks, lessening the cost and impact of becoming PCI compliant. A company's mobile payment devices, credit card terminals, software applications, and online payment portals need built-in encryption functionality when transmitting customer information. Your company should select a technically savvy payments provider. Look for a partner that supports E2EE technology, and ask exactly where decryption happens: if the keys ever sit on a server you operate, the encryption is not end-to-end and your systems remain in scope. A solution validated under the PCI Council's point-to-point encryption (P2PE) program answers that question for you. You'll need to balance cost versus product and service here. Using the low-cost provider could come at the expense of limited product functionality, potential security holes, and lower levels of customer service.
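To make "starts at the capture device, ends at authorization" concrete, here is an added example written for this edit in Go; it is not code from Sage or any payments provider. It assumes a simplified scheme: the device holds only the processor's public key, encrypts each transaction under a fresh random AES-256-GCM key, and wraps that key with RSA-OAEP; only the processor's private key (which in production lives in an HSM, and which real terminals replace with per-transaction keys derived under a PCI P2PE solution) can unwrap it. The envelope layout, the function names, the labels and the test card number are all assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what leaves the capture device and what every merchant system
// on the way to the processor sees: a wrapped one-time key, a nonce, ciphertext.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

var keyLabel, cardAAD = []byte("txn-key"), []byte("card-data-v1") // OAEP label and GCM associated data (assumed)

// newProcessorKey stands in for the processor's key pair, which in production
// is generated and kept inside the processor's HSM; devices hold only the public half.
func newProcessorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// captureAndEncrypt runs on the payment capture device: draw a fresh AES-256
// key for this one transaction, encrypt the card data with it, wrap the key
// to the processor's public key, then forget the key.
func captureAndEncrypt(processorPub *rsa.PublicKey, pan, expiry string) (Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ciphertext := gcm.Seal(nil, nonce, []byte(pan+"|"+expiry), cardAAD)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, processorPub, key, keyLabel)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// merchantCanSeePAN is the check to run over anything crossing your POS,
// network or back office: the card number must not appear in any form.
func merchantCanSeePAN(env Envelope, pan string) bool {
	p := []byte(pan)
	return bytes.Contains(env.WrappedKey, p) || bytes.Contains(env.Nonce, p) || bytes.Contains(env.Ciphertext, p)
}

// processorDecrypt runs at the processor. GCM's authentication tag means an
// envelope altered anywhere in between is rejected, not silently mis-read.
func processorDecrypt(priv *rsa.PrivateKey, env Envelope) (string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, keyLabel)
	if err != nil {
		return "", fmt.Errorf("unwrap transaction key: %w", err)
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, cardAAD)
	if err != nil {
		return "", fmt.Errorf("card data rejected (tampered or wrong key): %w", err)
	}
	return string(plaintext), nil
}

func main() {
	const pan = "4111111111111111" // standard test card number, not a live account
	priv, err := newProcessorKey()
	if err != nil {
		panic(err)
	}
	env, _ := captureAndEncrypt(&priv.PublicKey, pan, "12/15")
	fmt.Println("merchant path sees PAN:", merchantCanSeePAN(env, pan))
	fmt.Println(processorDecrypt(priv, env))
	env.Ciphertext[0] ^= 0x01 // altered somewhere between device and processor
	fmt.Println(processorDecrypt(priv, env))
}
```

The two checks at the end are the ones to carry into a provider conversation: nothing that passes through the merchant's systems contains the card number, and a tampered envelope is refused rather than decrypted to garbage. If a provider's "E2EE" needs a decryption key on your own server, neither property holds for you.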
4. Prevent tampering. Make certain all employees tasked with accepting credit and debit cards from customers have a working understanding of the look and functionality of the payment processing equipment they're using. Scammers often try to tamper with a business' payment processing equipment in an effort to steal credit card information. Altered equipment usually consists of a small piece of hardware, a skimmer or overlay, physically attached to the terminal itself. Keep a list of each terminal's make, model and serial number, check it against the devices on the counter on a regular schedule, and treat a terminal with an unfamiliar cable, a loose keypad, or software that suddenly behaves differently as suspect until it has been verified. An attentive employee who knows what to look for should be able to easily identify an extra attachment to the device or oddly functioning software.
5. Refrain from storing credit card numbers. To avoid one of the biggest PCI compliance risks, do everything in your power not to store credit card numbers, and never store the card's security code or full magnetic stripe data after authorization; PCI DSS forbids that even in encrypted form. Look for a payments provider whose platform is designed so credit card information is never stored at your business site or in your business software. Your provider should be able to process the transaction and then store your customers' card information in a secure "vault" in the Cloud. In return they provide you with an opaque token (some providers call it an encrypted ID), a random reference with no mathematical relationship to the card number, so when you want to do another transaction for that same customer, your software passes the payments provider the token and your company never comes in contact with the stored credit card data.
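The vault-and-ID arrangement above, as an added example in Go written for this edit and not taken from Sage or any provider. It assumes a toy in-memory vault, a `tok_` prefix for tokens, a standard test card number, and receipts that show only the last four digits; the `hashPAN` and `recoverPANFromHash` pair goes beyond the text to show why the ID you are handed must be random rather than derived from the card number.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Vault stands in for the payments provider's card store. Only the provider
// runs it; the merchant's software holds tokens and never sees this map.
type Vault struct {
	cards map[string]string // token -> PAN
}

func NewVault() *Vault { return &Vault{cards: map[string]string{}} }

// Tokenize stores a card and returns an opaque token: 16 random bytes that
// carry no information about the PAN, so there is nothing to decrypt or guess.
func (v *Vault) Tokenize(pan string) (string, error) {
	if !luhnValid(pan) {
		return "", errors.New("invalid card number")
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(b)
	v.cards[tok] = pan
	return tok, nil
}

// Charge is what the merchant's software calls for a repeat customer: token
// and amount in, receipt line with only the last four digits out.
func (v *Vault) Charge(token string, cents int) (string, error) {
	pan, ok := v.cards[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	// Authorization against the card network would happen here.
	return fmt.Sprintf("approved %d cents on card ending %s", cents, pan[len(pan)-4:]), nil
}

// CustomerRecord is all the merchant keeps about a saved card.
type CustomerRecord struct {
	Name, Token, Last4 string
}

// merchantRecordLeaksPAN is the check to run over your own database: a full
// card number must not appear anywhere in what you store.
func merchantRecordLeaksPAN(rec CustomerRecord, pan string) bool {
	return strings.Contains(rec.Name+" "+rec.Token+" "+rec.Last4, pan)
}

// luhnValid applies the Luhn check-digit test card numbers must pass.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 12 && sum%10 == 0
}

// hashPAN is the tempting shortcut ("we keep only a hash, not the number").
// recoverPANFromHash shows why a hash is not a token: given the six-digit BIN
// and the last four digits, both printed on receipts, a 16-digit PAN has only
// a million middle values to try, a tenth of them Luhn-valid.
func hashPAN(pan string) [32]byte { return sha256.Sum256([]byte(pan)) }

func recoverPANFromHash(bin, last4 string, target [32]byte) string {
	for i := 0; i < 1000000; i++ {
		cand := fmt.Sprintf("%s%06d%s", bin, i, last4)
		if luhnValid(cand) && sha256.Sum256([]byte(cand)) == target {
			return cand
		}
	}
	return ""
}

func main() {
	const pan = "4111111111111111" // standard test card number, not a live account
	v := NewVault()
	tok, _ := v.Tokenize(pan)
	rec := CustomerRecord{Name: "A. Customer", Token: tok, Last4: pan[12:]}
	fmt.Println("merchant record leaks PAN:", merchantRecordLeaksPAN(rec, pan))
	fmt.Println(v.Charge(rec.Token, 1999))
	fmt.Println("recovered from hash:", recoverPANFromHash("411111", "1111", hashPAN(pan)))
}
```

The brute-force function finishes in well under a second on a laptop, which is the whole argument: a hash of a card number is a card number with extra steps, whereas a random token is useless to anyone who does not also hold the provider's vault.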
It's reasonable to have a healthy level of economic optimism, but critical to take the necessary precautions to protect your company's assets and security. Apply these tips to help ensure credit card scammers aren't given the opportunity to steal the fruits of your labor.
About the author:
Rob Bertke is senior vice president of research and development at Sage Payment Solutions, a division of Sage North America. Bertke has been in the commercial payments and business-to-business electronic commerce industry for fifteen years. In 1995, he helped Wachovia Bank release its first commercial card products by creating a technology solution for card transaction general ledger (GL) coding and management information reporting. He left Wachovia in 1997 to join the American Express Technical Consulting team, where he was a member of the ANSI X12 committee developing card-specific electronic data interchange (EDI) transactions and acted as product manager and technical consultant for key e-commerce initiatives.