Secure sensitive payment data

Accepting payment cards is a given to do business today. Whether you run a brick-and-mortar or an online business, your customers expect their credit and debit card payments to be secure. Neglecting to protect customers’ data throughout a payment transaction can leave your business susceptible to a cyberattack. A data breach can not only do immeasurable damage to your business’s reputation, it can cost tens of thousands of dollars in penalties and fees. What can you do to help protect your business from a malicious attack on its data? Let’s take a look at three things to help you get started.

1. Ensure your POS does not store sensitive data

Customer data is vulnerable from the moment it enters your point-of-sale system throughout the payment transaction. If your POS is not equipped with an effective data protection solution, it is susceptible to a breach.

If you need to store customer data for future use (e.g. for recurring billing or tip adjustment), make sure your POS uses tokenization technology. Tokenization ensures there is no actual credit card data for thieves to steal: a unique token replaces the payment card number both to complete the transaction and as the value that gets stored.
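To make the tokenization model concrete, here is an added illustration that is not code from the original article or from any POS vendor: a hypothetical in-memory vault stands in for the tokenization service, and the POS record shows what a merchant system would persist for recurring billing or tip adjustment (a random token plus a masked number, never the card number itself).

```python
import re
import secrets


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes as entered at the POS; keep digits only."""
    return re.sub(r"\D", "", pan)


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects mistyped card numbers before they reach the vault."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokenization service: the only place a PAN is kept.
    A real deployment backs this with a PCI-scoped, HSM-protected store."""

    def __init__(self) -> None:
        self._vault = {}  # token -> PAN, constructed stand-in for the real vault

    def tokenize(self, pan: str) -> str:
        pan = normalize_pan(pan)
        if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a plausible card number")
        # Random token: carries no information about the PAN, so a stolen
        # token is useless without access to the vault itself.
        token = secrets.token_urlsafe(24)
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]  # KeyError for unknown or forged tokens


def make_pos_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the POS may persist: the token plus a masked PAN for receipts."""
    digits = normalize_pan(pan)
    return {
        "token": vault.tokenize(digits),
        "masked_pan": "*" * (len(digits) - 4) + digits[-4:],
        "amount_cents": amount_cents,
    }


def record_holds_no_pan(record: dict, pan: str) -> bool:
    """Check that a stored POS record does not leak the full PAN in any field."""
    return normalize_pan(pan) not in "".join(str(v) for v in record.values())
```

Only the vault can turn a token back into a card number, so a compromised POS database yields tokens and last-four digits, not cardholder data.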

End-to-end (E2E) data encryption is another solution to look for in your POS system. E2E encrypts the credit card data while it is in transit from the card to the POS, from the POS to the authorization network, and back. Without E2E, when a card is swiped, the card number is recorded in clear text for a split second before the POS encrypts it, leaving it vulnerable to data thieves.

2. Comply with the Payment Card Industry Data Security Standard

The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. Even if you only process a handful of payments, you must verify your compliance with the PCI DSS. The PCI Security Standards Council has outlined everything you need to know about the PCI DSS and achieving compliance; its published materials are the place to learn more about PCI.

3. Take precautions regarding remote access, passwords and firewalls

Many merchants have legitimate business reasons to establish remote access connections to their POS, including allowing resellers and other vendors to manage and update software systems. If not configured and managed correctly, these connections can provide an easy entry point for unauthorized intruders to gain access to the POS system, and potentially to sensitive customer data.

There are several steps you can take to reduce the risk from remote access, including limiting the number of people who can access the system remotely and using complex passwords and two-factor authentication for access to the payment environment. It is also important to install anti-virus, anti-spyware and firewall software and keep it up to date.

With all the moving parts involved in protecting your payments environment, it can seem like a daunting task. We recommend enlisting the help of your point-of-sale provider and/or payment processing provider. Their expertise can help ensure your business is taking all the necessary steps to protect customer data and adhere to PCI compliance mandates.