
Protect your business with these security basics

7 April 2017

When your payment card data is breached, the fallout can strike quickly. Your customers lose trust in your ability to protect their personal information and they take their business elsewhere. There are potential financial penalties and damages from lawsuits, and your business may lose the ability to accept payment cards.

Merchant-based vulnerabilities may appear almost anywhere in the card-processing ecosystem including:

  • point-of-sale devices;
  • mobile devices, personal computers or servers;
  • wireless hotspots;
  • web shopping applications;
  • paper-based storage systems;
  • the transmission of cardholder data to service providers;
  • remote access connections.

Small business is a major target so we’ve compiled these tips to help protect your business:

Hackers

About 80% of data breaches involve guessed or stolen passwords. Be aware that computer equipment and software out of the box (including your payment terminal) often come with default (pre-set) passwords such as “password” or “admin”. Hackers are aware of these pre-set passwords and they’re a frequent source of small merchant breaches. Make sure to change these default passwords to something more secure.

The code programmers write for software often contains flaws or mistakes, called security holes. Hackers exploit these mistakes to break into your computer and steal account data. Ask your vendor or service provider how it notifies you of new security patches, and make sure you receive and read these notices. You may receive patches from the vendors of your payment terminal, applications, cash registers, computers and so on. Make sure your vendors keep your payment terminals, operating systems and other equipment up to date so they can support the latest security patches. It’s important to install patches as soon as possible.

Skimming Devices

“Skimming devices” sweep up your customers’ card data as it enters a payment terminal. It’s vital that you and your staff know how to spot a skimming device. You need to regularly check your payment terminals to make sure they’ve not been tampered with. It’s important you keep a record or log when checking the terminals. This should include the date, the location of the terminal, who did the check and whether anything was found.

To check terminals, keep a list of all payment terminals and take pictures so you know what they’re supposed to look like. Look for obvious signs of tampering, such as broken seals over access cover plates or screws, odd cabling, or new devices or features you don’t recognise.
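The inspection routine above (a list of every terminal, a baseline of what each should look like, and a log of the date, location, inspector and findings of each check) can be kept as a small register rather than on paper. The following is an added example written for this page, not code from the article or from the bank; the tamper-evident seal serial number used as the baseline, the 30-day re-check interval, and all terminal and inspection data are assumptions constructed for the illustration.

```python
"""Payment terminal tamper-check register (added example, not from the article).

Assumptions: each terminal carries a tamper-evident seal with a printed serial,
a baseline photo is kept per terminal, and terminals are re-checked every 30 days.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

CHECK_INTERVAL_DAYS = 30  # assumed inspection cadence


@dataclass
class Terminal:
    terminal_id: str
    location: str
    seal_serial: str        # serial printed on the seal when the terminal was installed
    reference_photo: str    # file name of the baseline picture taken at installation


@dataclass
class Inspection:
    terminal_id: str
    checked_on: date
    checked_by: str
    seal_serial_seen: str   # serial read from the seal during this check
    seal_intact: bool
    notes: str = ""         # anything odd: cabling, attachments, unfamiliar features


@dataclass
class Register:
    terminals: Dict[str, Terminal] = field(default_factory=dict)
    log: List[Inspection] = field(default_factory=list)

    def add_terminal(self, t: Terminal) -> None:
        self.terminals[t.terminal_id] = t

    def record(self, insp: Inspection) -> List[str]:
        """Append an inspection to the log and return the tamper indicators it raised."""
        if insp.terminal_id not in self.terminals:
            raise KeyError(f"unknown terminal {insp.terminal_id}")
        self.log.append(insp)
        return self.findings_for(insp)

    def findings_for(self, insp: Inspection) -> List[str]:
        """Compare one inspection against the terminal's baseline."""
        baseline = self.terminals[insp.terminal_id]
        findings = []
        if not insp.seal_intact:
            findings.append("seal broken")
        if insp.seal_serial_seen != baseline.seal_serial:
            findings.append(f"seal serial {insp.seal_serial_seen} does not match "
                            f"baseline {baseline.seal_serial}")
        if insp.notes.strip():
            findings.append(f"inspector note: {insp.notes.strip()}")
        return findings

    def last_check(self, terminal_id: str) -> Optional[Inspection]:
        checks = [i for i in self.log if i.terminal_id == terminal_id]
        return max(checks, key=lambda i: i.checked_on) if checks else None

    def overdue(self, today: date) -> List[str]:
        """Terminals never checked, or not checked within CHECK_INTERVAL_DAYS."""
        cutoff = today - timedelta(days=CHECK_INTERVAL_DAYS)
        return [tid for tid in sorted(self.terminals)
                if (last := self.last_check(tid)) is None or last.checked_on < cutoff]

    def flagged(self) -> Dict[str, List[str]]:
        """Every terminal whose logged inspections raised a tamper indicator."""
        out: Dict[str, List[str]] = {}
        for insp in self.log:
            if f := self.findings_for(insp):
                out.setdefault(insp.terminal_id, []).extend(f)
        return out


def build_sample_register() -> Register:
    """Constructed sample data: three terminals and four logged checks."""
    reg = Register()
    reg.add_terminal(Terminal("T01", "front counter", "SEAL-1001", "t01_baseline.jpg"))
    reg.add_terminal(Terminal("T02", "cafe till", "SEAL-1002", "t02_baseline.jpg"))
    reg.add_terminal(Terminal("T03", "stockroom", "SEAL-1003", "t03_baseline.jpg"))
    reg.record(Inspection("T01", date(2017, 3, 1), "A. Lee", "SEAL-1001", True))
    reg.record(Inspection("T01", date(2017, 4, 3), "A. Lee", "SEAL-1001", True))
    # T02: seal serial differs from the baseline, so the seal may have been replaced
    reg.record(Inspection("T02", date(2017, 4, 3), "B. Kaur", "SEAL-2002", True,
                          notes="extra cable behind unit"))
    # T03: last checked more than 30 days before the sample report date
    reg.record(Inspection("T03", date(2017, 2, 20), "A. Lee", "SEAL-1003", True))
    return reg


def report(as_of_iso: str) -> Dict[str, object]:
    """Overdue terminals and tamper findings for the sample register on a given date."""
    reg = build_sample_register()
    return {"overdue": reg.overdue(date.fromisoformat(as_of_iso)), "flagged": reg.flagged()}


if __name__ == "__main__":
    print(report("2017-04-07"))
```

The value of the register is in the comparison step: a check is only useful if the inspector records what was actually seen (seal serial, attachments) so it can be compared against the baseline, and the overdue list is what turns “check regularly” into something a manager can act on.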

Fraud Prevention Tips

Does your business enter transactions manually through its EFTPOS terminal? It’s important to note that if a transaction is disputed you’ll be required to prove that the goods and services were provided to the authorised cardholder. If you can’t prove this, the full value of the sale may be debited from your account. This includes whether the cardholder is present or not.

If your EFTPOS terminal doesn’t accept the card when tapped, inserted or swiped we strongly suggest asking the cardholder for an alternate method of payment. You shouldn’t manually type the card number into the terminal when the cardholder is present. Never leave your EFTPOS terminal unattended or allow a customer to use it by typing in card numbers.

We recommend you review and understand the facts about fraud.

Card Data Storage

Card fraud and data compromises are an ever-increasing risk to Australian businesses. Not only does this pose a threat to your customers, it can also result in your business being liable if your risk mitigation practices are inadequate.

Major card brands including Visa, MasterCard and American Express formed the Payment Card Industry (PCI) Security Standards Council. This council was set up to help safeguard your sensitive card data and to minimise security risks. To achieve this the council established the global security standard known as the ‘Payment Card Industry Data Security Standard’ (PCI DSS). The guidelines contained in this standard are designed to help you reduce potential security issues such as credit card fraud and hacking.

To help you better understand PCI DSS we’ve provided the table below. This table illustrates the fundamental principles and their respective practices. You’ll note that these principles incorporate technology and business-related practices.

Principles and their PCI DSS practices

Build and maintain a secure network:
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data:
  1. Protect stored cardholder data
  2. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program:
  1. Use and regularly update anti-virus software
  2. Develop and maintain secure systems and applications

Implement strong access control measures:
  1. Restrict access to cardholder data by business need-to-know
  2. Assign a unique ID to each person with computer access
  3. Restrict physical access to cardholder data

Regularly monitor and test networks:
  1. Track and monitor all access to network resources and cardholder data
  2. Regularly test security systems and processes

Maintain an information security policy:
  1. Maintain a policy that addresses information security

The goal of PCI DSS is to protect you and your customers through a uniform and consistent approach to the secure handling and storage of cardholder data. PCI DSS compliance is critical in protecting your customers and your business. To stay up to date with security standards visit the PCI Security Standards Council website.

Suncorp Bank is taking steps to help our business customers determine if their customers’ cardholder information is secure. We have engaged Vectra Corporation, a PCI DSS specialist, to help you meet your PCI DSS obligations. For more information about their services you can contact Vectra Corporation on 1800 816 044 or visit the Vectra Corporation website.