While debate goes on about the use of technology to reduce the potential for credit card fraud, there are basic operational steps that retailers can take now to protect customer data and minimize risk. And the starting point should be to draw up a statement of standard operating procedures (SOP) for everyone in the organization.
“Make sure you have a clear written policy about how to handle credit cards,” said Mark Burnette, a partner with LBMC Security & Risk Services, a Nashville-based consulting firm. “And make sure your employees have been educated on the policy. Bring up the topic regularly in your staff meetings.” A company’s SOP must address the critical need of keeping sensitive customer numbers under wraps.
“Where the merchant is most vulnerable is in the accidental mishandling of card information,” said Burnette. “Suppose, for example, an employee takes an order over the phone, jots down the card number on a piece of paper, and then later drops the paper into the trash instead of a shredder. That violates the PCI and is bad business practice.”
Another good rule is to keep the credit card in the hands of the customer as long as possible.
“Employees should quickly process the card and return it,” Burnette said. “This will keep the card from being accidentally grabbed (or from having its number written down) by someone else.”
The right hardware can be as important as the right procedures. Has the company been using the same POS equipment for many years? It may be time to replace it.
“Some retailers still have legacy equipment that they don’t even realize is capturing cardholder information that can be compromised,” explained Paul Rianda, an attorney in Irvine, Calif. “In contrast, if merchants use newer equipment, and use it correctly, there should be no way to lose cardholder information.”
Computer systems face special challenges.
“You need to establish rules about passwords and about access to the computer system,” Burnette said. “Each employee should have a unique security code, which they are forbidden to share with other employees or even with managers. The passwords should allow access only to those sections of the database required to do an individual’s job.”
It is recommended to use only hardware and software that have been approved by the PCI Security Standards Council (approved vendor lists are available at pcisecuritystandards.org). A company should make sure it uses a firewall, and that its wireless router is password-protected and uses encryption. It should also change the default passwords on its hardware to complex ones.
“Make sure you have a written policy in place, train your employees properly, and make sure your computer system is PCI compliant,” he added.
Many of the protective steps suggested in this article derive from a broader maxim near and dear to the hearts of security people everywhere: Retain only the information you need.
“Follow the rule that says ‘if you do not need customer information you should not keep it,’” said Burnette.
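The "do not keep it" rule is easiest to enforce when you can check for it. The script below is an added example, not part of the article and not code from LBMC; it scans text records (order notes, support logs) for strings that look like full card numbers and masks them down to the last four digits. The sample records are constructed for the example. A Luhn checksum is used to reject most numbers that merely have the right length, such as the constructed tracking number below, though a Luhn pass alone does not prove a number is a card.

```python
import re

# Constructed sample records for this example: an order log in which an
# employee has pasted full card numbers by mistake. The two card-like
# numbers are well-known test numbers, not real accounts.
SAMPLE_RECORDS = [
    "Order 1042: customer called back, card ending 4242 charged OK",
    "Note from phone order: card 4111 1111 1111 1111 exp 09/27",
    "Invoice 77 total 1234567890123 (tracking number, not a card)",
    "Refund to 5500-0000-0000-0004 processed",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: the check digit scheme used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_pans(text: str) -> list[str]:
    """Return the card-like numbers in text that pass the Luhn check."""
    return [
        _digits_only(m.group(0))
        for m in CANDIDATE.finditer(text)
        if luhn_valid(_digits_only(m.group(0)))
    ]


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which is all a receipt needs."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub(text: str) -> str:
    """Replace every Luhn-valid card-like number in text with its masked form."""
    def repl(m: re.Match) -> str:
        digits = _digits_only(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return CANDIDATE.sub(repl, text)


def scan_records(records: list[str]) -> list[tuple[int, list[str]]]:
    """List (record index, card numbers found) for records that hold a PAN."""
    hits = []
    for i, rec in enumerate(records):
        pans = find_pans(rec)
        if pans:
            hits.append((i, pans))
    return hits


if __name__ == "__main__":
    for idx, pans in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: {len(pans)} card number(s) stored in clear")
        print("  scrubbed:", scrub(SAMPLE_RECORDS[idx]))
```

Run it against the files a phone-order process actually produces (notes fields, exported spreadsheets, ticket systems) rather than the sample list; anything it flags is data the business has chosen to keep and must now either delete or protect under PCI rules. The masking step is what you want the storage path to do by default, so that a full number never reaches the record in the first place.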
Education is the first step to safety. Many smaller merchants are not aware of the duty to protect customer data, nor of the continually morphing rules. Ignorance of the law, as always, is no excuse. Taking the basic steps in this article will reduce your risk considerably.
Phil Perry is a New York-based business writer.