Card Payment Security – What small businesses need to knowProduct Information 10 July 2018
Card payment security is serious stuff.
Security always matters. It matters even more when it comes to getting paid. When you accept a card payment, you and your customer share sensitive, financial information – it’s your job to protect this data. It might sound daunting, but don’t worry, we’re here to guide you every step of the way (12 to be exact).
Why you need to secure your payment systems
If you take card payments, you can’t get away from PCI DSS (the Payment Card Industry Data Security Standard). These are regulations you have to meet to keep both you and your customers safe from data theft.
So who oversees all this? The PCI Security Standards Council. They ask for all major card types (like Visa, Mastercard and American Express), payment service providers, banks, and any other organisations that process card payments to prove they’re PCI compliant. If you’re non-compliant, you can be charged a monthly fee.
The 12 steps to secure card payments
So how do you get compliant? There are 12 requirements to meet PCI standards, which might mean you have to update your systems, including software and hardware. This can be a tad expensive. Don’t fret though, you might already have some of these.
Build and maintain a secure network
1. Install and maintain a firewall
What’s a firewall? They protect information which passes through an open network. Installing a firewall keeps transactions closed and away from prying eyes.
2. Change default passwords
Password ‘1, 2, 3’ won’t cut it (incredibly, 1 in 5 users have this as their password). It’s always a good idea to change default passwords to something unique. This is the first port of call against internal hacking.
Protect cardholder data
3. Always keep data safe
Data must be protected, not just for a one-off transaction but for years – until it’s either wiped or the customer changes their information.
4. Encrypt public networks
Selling online? A public network is open to anyone, so you’ll need protect the transmission of cardholder data with an encryption – this converts information into a code in order to prevent unauthorised access.
Maintain a vulnerability management program
5. Use and update anti-virus software
Viruses and malware can lead to corruption or file theft. That’s why it’s important to regularly run anti-virus checks and update your software.
6. Develop and maintain secure systems
Leave no stone unturned. If your business builds a new system or application, it’s important to maintain security. This might mean developing tools to make sure user data stays protected.
Implement strong access control measures
7. Restrict access to data
Never give employees or third parties access to individual customer data. By combining customer accounts into one database, employees can make one change to all accounts without ever seeing an individual ID.
8. Assign a unique ID to each person
If all admins shared the same ID, it’d be easy for someone to breach security. Giving out unique IDs allows a business to keep an eye on what each employee does on the system.
9. Restrict physical access to data
Closely monitor servers and storage rooms. Only give access to staff with security clearance (usually the IT department), so not just anyone can interfere with the physical part of the system.
Regularly monitor and test networks
10. Track and monitor all access to the network
How can you track all transactions at once? File monitoring software can flag up anything suspicious.
11. Test security systems and processes
New viruses and threats can crop up within days of a system’s last check-up – it’s a scary thought. But with regular testing, you can stay on top of any weaknesses that might compromise your security.
Maintain an information security policy
12. Maintain a policy that addresses information security.
While you might already have some of the above, formalising these measures is good practice and ensures that they’re in a position to be maintained. This can also help you avoid liability.
What about secure payments online?
All the steps above apply to online, over the phone and face-to-face / in store card payments. When you apply to become PCI compliant, your compliance covers all different ways of taking card payments. And that’s the reason why the checklists of the process are extensive.
Remember: We can help you become PCI compliant over the phone.
You’ll need to complete a PCI self-assessment form every 12 months to stay complaint. This can be up to 300 questions. Luckily, we have you covered. We make compliance a snip. We give you a nudge when compliance needs to be renewed, then guide you through the whole process without any costly mistakes.
When you sign up to us, we’ll send you login details to our PCI Portal. This allows you to fill out your self-assessment and report your compliance all in one go. Or call us and we’ll talk you through the whole process while you’re on the line.
Keeping your customers’ data secure is serious stuff – it doesn’t have to be painful. Once we’ve taken you through the whole process, you’ll have peace of mind knowing your business and your customer’s financial information is protected. We’re with you from start to finish.