With all the press surrounding the recent massive security breaches at Target, Neiman Marcus, and others, merchants must now go the extra mile to ensure that their payment systems are secure when consumers use debit or credit cards. Consumers need to feel that their data is safe, and it is equally important for merchants to avoid the negative publicity and brand damage that can result in loss of business or hefty fines. Many merchants are unsure of the steps to take to ensure security.
Merchants should limit access to their payment processing equipment to avoid the possibility of tampering. Stop and Shop, an East Coast grocery store, for example, discovered that thieves had tampered with its processing equipment so that it broadcast customer data back to the thieves. The thieves were able to get physical access to these machines to tamper with them.
To help prevent this problem, secure equipment in position so that thieves can’t easily swap it for compromised lookalikes. In addition, never allow service people to access the equipment until their identities have been verified along with the reason for the service call. Last, make sure to position the equipment in a way that prevents people from easily seeing customers’ passwords or PIN numbers.
Limit access to your internal office servers as part of your security protocol. This can help ensure that unauthorized people don’t have access to sensitive customer data. When possible, use electronic access methods such as access cards to record the identities of people who enter the server room.
Help ensure that the network and your equipment are secure by installing vendor patches promptly, running a secure firewall and using up-to-date malware protection. These may include patches from your Point-of-Sale vendor and patches for customer databases or workstation operating systems.
Each employee with access to the systems should have their own account and password, and IT should set up audit trails that monitor access and usage. In addition, encrypt all sensitive data, such as customer names, addresses, PINs and account numbers, during transmission, and store only the minimum amount of data necessary to run the business.
The PCI Security Standards Council, a consortium of the major payment companies including VISA, MasterCard and American Express, publishes a list of guidelines for merchants. They also require a quarterly systems audit report to enable quick identification of security lapses.
The faster the security measures in place identify the breach, the less damage there will be as a result. In the Neiman Marcus breach, the tampering continued for at least six months before it was discovered, according to recent reports.
Choosing the right partner can also make a difference. When evaluating payment partners, be sure they explain all the measures they have in place to secure the equipment during installation, operation and potential repairs, as well as for secure information transmission.
Merchants can help to prevent security breaches with in-house procedures designed to prevent and detect intrusions quickly, but even with the best procedures, maintaining security will always require vigilance. To learn more about our merchant card services, please feel free to contact us.