2015 was a busy year for the payments industry: EMV, liability shift, mobile payments, PCI, encryption and the list goes on from there. As I worked with the team here at iQmetrix to prepare for the October liability shift, retailers were all over the board in their plans to deploy EMV. Some were clueless, others scared, and still others only slightly educated.
No matter your stance on EMV, there are some basic, simple, and yes, affordable steps your business can take to protect from hackers and thieves. I took the top 5 security best practices from a recent whitepaper from ControlScan and provided some further details and explanation. Feel free to download the original whitepaper here.
Merchant Security Best Practices
1. Understand your sensitive data, where it is and who is responsible for its protection.
- While the growing concern is around credit cards and card-holder data, it is important not to forgot about other sensitive data like social security and drivers license numbers, as well as home and email addresses for your staff and vendors.
- Keep an eye out for questionable emails. Many phishing emails appear to originate from a trusted source (like bank or credit card companies). Verify the source before sending along any sensitive data.
2. Avoid storing sensitive data – and if you have to, secure it!
- Limit access to sensitive data to only those that need it. All with access should have unique credentials. It is a good rule of thumb to never store card-holder data and certainly don’t ever email or fax credit card information. If card-holder data is transferred over the phone, for example, make sure the rep is inputting the number directly into the payment application (versus writing it down on paper first and then transferring it).
3. Protect your perimeter with firewalls; ensure you don’t leave back doors open.
- The best protection is a multi-layered approach. It isn’t enough to have just a firewall. That firewall must be properly configured. In addition, ensure password procedures are put in place. One can simply turn to Google to come up with a plethora of suggestions for strong passwords.
4. Fortify your interior with people, procedures and technology.
- Internal threats are much more likely than external. Increasing employees' awareness over security is never a bad idea. Did you know the PCI Security Standards Council deems it mandatory for all merchants to conduct employee training?
- In addition to training, keep access to areas that store sensitive data restricted. Limiting exposure and temptation are sure fire ways to reduce your internal risk.
5. Know your service providers and their state of PCI DSS compliance.
- Visa and Mastercard keep lists of PCI-DSS compliant service providers. Check up on the status of your service providers annually.