Protect your business with these security basics
7 April 2017
When your payment card data is breached, the fallout can strike quickly. Your customers lose trust in your ability to protect their personal information and they take their business elsewhere. There are potential financial penalties and damages from lawsuits, and your business may lose the ability to accept payment cards.
Merchant-based vulnerabilities may appear almost anywhere in the card-processing ecosystem including:
- point-of-sale devices;
- mobile devices, personal computers or servers;
- wireless hotspots;
- web shopping applications;
- paper-based storage systems;
- the transmission of cardholder data to service providers;
- remote access connections.
Small business is a major target so we’ve compiled these tips to help protect your business:
About 80% of data breaches involve guessed or stolen passwords. Be aware that computer equipment and software out of the box (including your payment terminal) often come with default (pre-set) passwords such as “password” or “admin”. Hackers are aware of these pre-set passwords and they’re a frequent source of small merchant breaches. Make sure to change these default passwords to something more secure.
The code programmers write for software often contains flaws or mistakes, called security holes. Hackers exploit these mistakes to break into your computer and steal account data. Ask your vendor or service provider how it notifies you of new security patches, and make sure you receive and read these notices. You may receive patches from the vendors of your payment terminal, applications, cash registers, computers etc. Make sure your vendors update your payment terminals, operating systems etc. so they can support the latest security patches. It’s important to install patches as soon as possible.
“Skimming devices” sweep up your customers’ card data as it enters a payment terminal. It’s vital that you and your staff know how to spot a skimming device. You need to regularly check your payment terminals to make sure they’ve not been tampered with. It’s important you keep a record or log when checking the terminals. This should include the date, the location of the terminal, who did the check and whether anything was found.
To check terminals, keep a list of all payment terminals and take pictures so you know what they’re supposed to look like. Look for obvious signs of tampering, such as broken seals over access cover plates or screws, odd cabling, or new devices or features you don’t recognise.
Fraud Prevention Tips
Does your business enter transactions manually through its EFTPOS terminal? It’s important to note that if a transaction is disputed you’ll be required to prove that the goods and services were provided to the authorised cardholder. If you can’t prove this, the full value of the sale may be debited from your account. This applies whether or not the cardholder is present.
If your EFTPOS terminal doesn’t accept the card when tapped, inserted or swiped we strongly suggest asking the cardholder for an alternate method of payment. You shouldn’t manually type the card number into the terminal when the cardholder is present. Never leave your EFTPOS terminal unattended or allow a customer to use it by typing in card numbers.
We recommend you review and understand the facts about fraud.
Card Data Storage
Card fraud and data compromises are an ever-increasing risk to Australian businesses. Not only does this pose a threat to your customers, it can also result in your business being liable if your risk mitigation practices are inadequate.
Major card brands including Visa, MasterCard and American Express formed the Payment Card Industry (PCI) Security Standards Council. This council was setup to help safeguard your sensitive card data and to minimise security risks. To achieve this the council established the global security standard known as the ‘Payment Card Industry Data Security Standard’ (PCI DSS). The guidelines contained in this standard are designed to help you reduce potential security issues such as credit card fraud and hacking.
To help you better understand PCI DSS, we’ve listed its fundamental principles and their respective practices below. You’ll note that these principles incorporate both technology and business-related practices.
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
The goal of PCI DSS is to protect you and your customers through a uniform and consistent approach to the secure handling and storage of cardholder data. PCI DSS compliance is critical in protecting your customers and your business. To stay up to date with security standards, visit the PCI Security Standards Council website.
Suncorp Bank is taking steps to help our business customers determine if their customers’ cardholder information is secure. We have engaged Vectra Corporation, a PCI DSS specialist, to help you meet your PCI DSS obligations. For more information about their services you can contact Vectra Corporation on 1800 816 044 or visit the Vectra Corporation website.