While debate goes on about the use of technology to reduce the potential for credit card fraud, there are basic operational steps that retailers can take now to protect customer data and minimize risk. And the starting point should be to draw up a statement of standard operating procedures (SOP) for everyone in the organization.
“Make sure you have a clear written policy about how to handle credit cards,” said Mark Burnette, a partner with LBMC Security & Risk Services, a Nashville-based consulting firm. “And make sure your employees have been educated on the policy. Bring up the topic regularly in your staff meetings.” A company’s SOP must spell out how card numbers and other sensitive customer data are to be kept under wraps.
“Where the merchant is most vulnerable is in the accidental mishandling of card information,” said Burnette. “Suppose, for example, an employee takes an order over the phone, jots down the card number on a piece of paper, and then later drops the paper into the trash instead of a shredder. That violates the PCI and is bad business practice.”
Another good rule is to keep the credit card in the hands of the customer as long as possible.
“Employees should quickly process the card and return it,” Burnette said. “This will keep the card from being accidentally grabbed (or from having its number written down) by someone else.”
The right hardware can be as important as the right procedures. Has the company been using the same POS equipment for many years? It may be time to replace it.
“Some retailers still have legacy equipment that they don’t even realize is capturing cardholder information that can be compromised,” explained Paul Rianda, an attorney in Irvine, Calif. “In contrast, if merchants use newer equipment, and use it correctly, there should be no way to lose cardholder information.”
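One practical check for the point Rianda raises, that legacy equipment may be capturing cardholder data the merchant does not know about, is a cardholder-data discovery scan: walk exported POS logs, receipt files or database dumps looking for 13- to 19-digit sequences that pass the Luhn check, and report them masked. The example below is added here and is not code from the article or from the consultants quoted; the log lines are constructed for illustration and the card numbers in them are well-known industry test numbers, not real accounts.

```python
import re
from typing import List, Tuple

# Constructed sample lines standing in for a legacy POS terminal's export.
# Made up for this example; the PANs are standard test numbers, not real cards.
SAMPLE_LINES = [
    "2023-03-01 10:02:11 SALE 42.17 PAN=4111111111111111 EXP=1225 AUTH=OK",
    "2023-03-01 10:03:40 SALE 9.99 PAN=4111 1111 1111 1111 AUTH=OK",
    "2023-03-01 10:05:02 ORDER#4111111111111112 SHIPPED",      # fails Luhn: an order ID, not a PAN
    "2023-03-01 10:06:30 SALE 120.00 PAN=****1111 AUTH=OK",    # already masked, nothing to find
    "2023-03-01 10:07:55 SALE 15.00 PAN=5555-5555-5555-4444 AUTH=OK",
    "2023-03-01 10:09:13 phone 615-555-0100 customer callback",  # too short to be a PAN
]

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every real card number passes it, so failures are discarded."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid candidate PANs (digits only) found in one line of text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep only the last four digits so the report itself does not store PANs."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid PAN found in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: stored PAN ending {masked[-4:]} ({masked})")
```

Run the same scan over the real exports from each terminal or back-office system; any hit means the device is retaining full card numbers and should be reconfigured or replaced. The Luhn filter is what keeps order numbers and phone numbers out of the report, but it is a discovery aid rather than proof of compliance: it will not see data stored encrypted or in binary formats, and track data captured by a terminal may never reach a text export at all.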
Computer systems face special challenges.
“You need to establish rules about passwords and about access to the computer system,” Burnette said. “Each employee should have a unique security code, which they are forbidden to share with other employees or even with managers. The passwords should allow access only to