Payment Security 101 (Part 1 of 2: Merchant Edition)
First Things First: What is Payment Security?
For a merchant, payment security starts with PCI compliance. PCI stands for Payment Card Industry; PCI compliance is just a fancy way of saying your customers’ credit card information is stored in such a way that it’s impossible to read entire credit card numbers out of your system.
Three common processing solutions and their possible security features (and flaws).
Physical Credit Card Terminals
Physical terminals come in two flavors: Standard and EMV-equipped, the latter of which I’ll address a little later in this post.
Standard physical terminals are ideal for small businesses dealing mostly with end-users (as opposed to other businesses), not accepting very many credit card transactions and not using any accounting software for invoicing. The one real drawback to using a terminal in this case is reporting: if you want to compile a report on credit card transactions, you have to put the data together yourself, since all a terminal can do is spit out a piece of paper with dollar amounts on it – not terribly helpful, but sufficient if you don’t care much for reporting (read: your credit card volume is sufficiently small).
If you plan to use a physical black-box terminal to swipe or key in card entries, know that there aren’t any built-in security features there either – you basically just have the phone line. There’s nothing wrong with passing information through a phone line, although as long as we’re talking about security, you should know that it’s possible to hack phone lines, too.
Word to the wise: It’s extremely easy to contribute to fraud if you operate with a standard physical terminal in certain situations.
Only use a standard physical terminal if you have a short commute from terminal to office computer (or wherever you keep your books). While it’s extremely easy to simply write down someone’s credit card number so you can process your transactions in bulk at some later time, you should resist the urge to do this. Not writing down someone’s information for later use is one of the easiest ways to prevent credit card fraud in your office.
Virtual Gateways
Virtual gateways are great for companies that receive any number of credit card transactions, selling to end-users or other businesses, and have a desire for reporting and need a little more convenience than a physical terminal can afford. The virtual gateways make entering card-not-present transactions or card-present transactions a breeze. Some processors can provide a computer-ready EMV virtual terminal to merchants who see a lot of swiped credit cards and want to use a virtual gateway.
The chief difference between physical terminals and virtual gateways is that virtual gateways can be accessed from any computer with an internet connection, so these sorts of solutions are ideal for large offices or warehouses, where the sole credit card terminal would otherwise be located up a flight of stairs in the back room – rather than run around the office, you can accept a credit card right at your computer. The computer-based nature of these virtual gateways allows users to run all sorts of reports as well, making this solution ideal for the data-hungry.
As for payment security features, the virtual gateway has a couple of possibilities with encryption and tokenization. Essentially, encryption protects data when it’s in transit (going from the gateway to a cloud-based server, for example), and tokenization protects data when it’s at rest (inside a server).
As hackers have the ability to break into data networks and intercept data, both encryption and tokenization are absolutely vital to keeping credit card information secure: each turns the card data into strings that are useless to anyone who intercepts them and meaningful only to the system holding the key or the token mapping.
To give an idea of how powerful a technology tokenization is, for example, consider this: If retail companies Target, Home Depot, and TJ Maxx had utilized tokenized payment security solutions for their credit card processing systems, none of the data the hackers recovered could have been used to commit any fraud whatsoever, and none of the companies would have had to pay out a dime in damages. (To read more about tokenization in particular, you can check out this white paper on tokenization and what makes it relevant in today’s age.)
Encryption is usually a standard form of protection for virtual gateways, but tokenization, being a slightly newer technology, isn’t included everywhere yet. If you’re interested in having that technology for your own, you’ll have to ask your processor of choice if they can provide it to you.
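To make the tokenization idea concrete, here is an added example (not code from the original post or from any processor): a minimal token vault. The merchant’s own records hold only an unguessable random token that preserves the last four digits; the full card number lives in a separate vault, so a copy of the merchant database alone reveals nothing usable. The `TokenVault` class, the `tok_` prefix and the sample card number are assumptions made for this illustration.

```python
"""Added illustration of card-data tokenization (assumed design, not a real product)."""
import re
import secrets

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(pan: str) -> bool:
    """Luhn check used by the card networks; rejects typos before anything is stored."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class TokenVault:
    """Maps random tokens to full card numbers. Only this component sees a PAN."""

    def __init__(self):
        self._store = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not PAN_RE.match(pan) or not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # Random token; only the last four digits are kept so receipts still read "...4242".
        token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor side ever needs this; the merchant never calls it."""
        return self._store[token]


def merchant_record(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the merchant's own database should hold: a token, never the PAN."""
    return {"token": vault.tokenize(pan), "amount": amount}


def token_reveals_pan(token: str, pan: str) -> bool:
    """True if a stored token leaks more than the last four digits of the PAN."""
    return pan[:-4] in token


if __name__ == "__main__":
    vault = TokenVault()
    print(merchant_record(vault, "4242 4242 4242 4242", 19.99))  # constructed test PAN
```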
And, aside from actual technological developments that help keep your data safe, the virtual terminal’s design – that it can be accessed from anywhere with an internet connection – makes the loss of data in transit (e.g. walking from one room to the next, something that could happen with a physical terminal, which is stationary) a lot less likely.
Software-Specific Processing Solutions
An integrated credit card processing software solution is key for businesses that accept a lot of credit card transactions – card-present or card-not-present – or that place high value on time savings. The chief difference between an integrated processing system and a standalone system for credit card processing plus a standalone system for accounting is the time spent entering data. With an integrated solution, you won’t have to manually re-enter payment data into your accounting system because the software plugin you use will input the information for you. This saves time and reduces the possibility of errors.
As with standalone virtual gateways, some credit card processors can provide EMV card readers that plug directly into an office computer; this will transfer data from a customer’s credit card directly to your computer.
Rather than simply house credit card data like a magnetic stripe credit card does, EMV chips house unique authentication information that changes with each transaction, along with essentials like the credit card number and expiration date. The dynamic communication between the chip card and the chip reader is much harder to replicate, so credit card fraud is much more difficult to achieve with this combination (although it isn’t completely impossible to pull off).
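The following toy model is an added example (not from the original post and not real EMV code) of the point above: a chip computes a fresh cryptogram over a per-card transaction counter and the terminal’s challenge, so a captured authorization message cannot simply be presented again. The key derivation, message fields and the `ChipCard`/`Issuer` classes are simplified assumptions; real EMV uses issuer-derived per-card keys and many more fields.

```python
"""Added, simplified model of a per-transaction chip cryptogram (assumed design)."""
import hashlib
import hmac


class ChipCard:
    """Holds a key shared with the issuer and an Application Transaction Counter (ATC)."""

    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self.atc = pan, key, 0

    def authorize(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self.atc += 1  # every transaction gets a new counter value
        data = f"{self.pan}|{amount_cents}|{self.atc}".encode() + terminal_nonce
        mac = hmac.new(self._key, data, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "nonce": terminal_nonce.hex(), "cryptogram": mac}


class Issuer:
    """Recomputes the cryptogram and refuses any counter value it has already seen."""

    def __init__(self, keys: dict):
        self._keys, self._last_atc = keys, {}

    def verify(self, msg: dict) -> bool:
        key = self._keys.get(msg["pan"])
        if key is None or msg["atc"] <= self._last_atc.get(msg["pan"], 0):
            return False  # unknown card, or a replayed / out-of-order transaction
        data = (f"{msg['pan']}|{msg['amount']}|{msg['atc']}".encode()
                + bytes.fromhex(msg["nonce"]))
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False  # amount or other field was altered after the chip signed it
        self._last_atc[msg["pan"]] = msg["atc"]
        return True


if __name__ == "__main__":
    key = b"demo-issuer-key"  # constructed; a real issuer key never leaves the HSM
    card, issuer = ChipCard("4242424242424242", key), Issuer({"4242424242424242": key})
    first = card.authorize(1999, b"\x01\x02\x03\x04")
    print("first use:", issuer.verify(first), "| same message again:", issuer.verify(first))
```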
Now, the question you’re asking: Should I buy an EMV terminal rather than a standard physical terminal if I want to use a physical terminal at all?
Yes, you should go with EMV if your business requires a physical card reader.
It will soon become the standard, and there’s no reason to avoid upgrading in the name of saving $200, especially when you’ll be liable for much more than that if your shop ever gets sacked with credit card fraud.
Any Other Tips to Protect Myself?
Simple steps business owners can take:
Hiring an IT/Security Director.
Installing antivirus software on your computers.
Making sure no one makes copies of anyone’s credit card information on paper.