It’s a beautiful Monday morning. You are a business owner, the executive director of a non-profit or the city manager of a mid-sized city, and the first phone call you take when you arrive at the office is from one of the card companies, informing you that your payment processing solution has been breached. Your customers’, donors’ and taxpayers’ financial data are now for sale on the “Dark Web” to the highest bidder. Do you think your business is worth more or less than it was before the breach? Do you think your non-profit will receive more or fewer donations? Do you think the breach will sit well with taxpayers? Do you wish you had taken the security of your payment processing more seriously?
Unfortunately, many organizations come to security maturity in the worst possible way—a breach of their customers’ data. Breaches can involve any type of data an organization holds, and most organizations’ security measures consist of strengthening firewalls and updating passwords frequently. Payment processing—the acceptance of credit, debit, prepaid and purchase cards—requires its own unique, multi-layered security and compliance solution.
Organizations can now take payments in a myriad of ways, including:
- eCommerce—Performed via an online payment portal, sometimes referred to as a “virtual terminal”.
- Point of Sale System—Today’s version of a cash register, typically used with a cash drawer and a separate printer.
- Terminal—Typically a countertop or desktop device that accepts card payments at the point of purchase. The printer is embedded in the device and produces merchant and customer copies. Some have attached PIN pads for EMV card acceptance; others have the EMV slot within the device. Certain PIN pads also have NFC (Near Field Communication) to accept Apple Pay, Google Wallet, Android Pay and other virtual cards.
- Mobile Payments—Card readers attach to a smartphone or tablet and can take payments anywhere. A cloud-based app is typically available with the solution as well.
- Recurring Payments—Customers enter their card information into a database and agree to monthly, quarterly or annual payments, similar to a subscription service.
With so many payment options available to merchants, a robust security solution is mandatory, because these applications cut across many mediums. In addition to a well-maintained firewall and a tightly monitored policy and procedure program for handling the public’s card information, the following security measures must be employed at a minimum:
- EMV protocols—Europay, MasterCard and Visa compliance, typically referred to as the “chip” card. This technology uses a microprocessor chip in place of the magnetic stripe on the back of a debit or credit card.
- PCI compliance—Payment Card Industry compliance, which sets out protocols for card acceptance and requires an annual self-assessment questionnaire whose form depends on the manner in which the merchant processes cards.
- E2E Encryption and Tokenization—Encrypting card data end to end, truncating stored card numbers and assigning a specific token to each transaction yields an exceptionally secure transaction whose data, even if compromised, is worthless to a cyber thief.
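To make the tokenization and truncation point concrete, here is a small added example (not code from this post or from any payment vendor). It models a toy token vault that hands the merchant a random token plus a masked card number, and a scanner that checks whether a full card number has leaked into merchant-side data. The card numbers used are the industry's published test numbers, not real accounts; the HMAC key, token format and vault storage are assumptions for illustration, and a production vault would sit with the processor inside the PCI scope with card numbers encrypted at rest.

```python
"""Toy tokenization vault and cardholder-data scan (added example).

Demonstrates why a tokenized merchant record is worthless if stolen: it
carries only a random token and a masked PAN, never the full card number.
"""
import hashlib
import hmac
import re
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check that every card brand applies to a PAN."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate a PAN the way PCI DSS allows it to be displayed:
    at most the first six and last four digits, the rest masked."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """Assumed toy vault: random token -> PAN mapping.
    A keyed fingerprint lets a repeat customer get the same token
    without the vault ever comparing plaintext PANs."""

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._by_token = {}          # token -> PAN (encrypted at rest in production)
        self._by_fingerprint = {}    # HMAC(PAN) -> token

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not luhn_valid(digits):
            raise ValueError("not a well-formed PAN")
        fp = hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest()
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        token = "tok_" + secrets.token_hex(12)   # random, carries no card data
        self._by_token[token] = digits
        self._by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (processor side) can turn a token back into a PAN."""
        return self._by_token[token]


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant keeps: token and masked PAN, never the full PAN."""
    return {
        "token": vault.tokenize(pan),
        "masked_pan": mask_pan(pan),
        "amount_cents": amount_cents,
    }


# Digit runs of 13-19 (optionally separated by spaces or dashes) that are not
# glued to other letters or digits, e.g. inside a hex token.
PAN_RUN = re.compile(r"(?<![A-Za-z0-9])(?:\d[ -]?){13,19}(?![A-Za-z0-9])")


def find_pans(text: str) -> list:
    """Cardholder-data discovery: return Luhn-valid card numbers found in
    text such as logs, exports or database dumps. Any hit means a full
    PAN escaped the vault and the data is in PCI scope."""
    hits = []
    for m in PAN_RUN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    # Constructed demo: industry test card number, not a real account.
    vault = TokenVault(b"constructed-demo-key")
    rec = merchant_record(vault, "4111 1111 1111 1111", 1999)
    print(rec)                                   # token + 411111******1111
    print(find_pans(str(rec)))                   # [] : nothing to steal here
    print(find_pans("debug: card=4111-1111-1111-1111 ok"))  # leaked PAN found
```

Run the scanner over anything the merchant side writes to disk: web server logs, CSV exports, support tickets. A clean result is what “tokenized” should look like in practice; a hit means the truncation and tokenization controls are being bypassed somewhere upstream.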
Finally, even with scrupulous attention to payment processing security, breaches may still occur. Implementing a payment processing security program does not ensure that a breach never happens, but it DOES make your organization much less of a target. Cyber criminals are, by and large, lazy: they hunt for the lowest-hanging fruit to steal and convert into easy money. Once your system is identified as running a highly secure payment processing solution, these thieves will move on to a less secure victim.
Don’t let your organization be an easy target!