The data breach at The Home Depot reignited many dealers’ fears about security, sending them rushing to calm nervous customers while secretly stoking their concern about such risks. The ins and outs of data security can seem overwhelming, especially if you aren’t an IT geek, but simply “hoping for the best” is always a lousy course of action. The following strategies address common weak points for many businesses.
1. Follow PCI Requirements
If you’ve dealt with the payment side of your business, you’ve probably heard the term “PCI compliant.” If something is PCI compliant, it meets a set of benchmarks called the PCI DSS (Payment Card Industry Data Security Standards). The PCI DSS applies to any business that accepts credit cards. The guidelines may deal with data security, but they aren’t overly technical. For instance, one of the points is “limit employee access to cardholder information.” (In other words, lock up any documents that display account numbers.) You can find all 12 requirements at pcisecuritystandards.org. Do an internal audit to find out if your business meets these basic standards, and come up with a plan to close any gaps.
2. Don’t Keep Cards on File
Many dealers keep customer card numbers in their POS software, a spreadsheet, or written notes. Customers appreciate the convenience, but it makes your business an attractive target. The information is vulnerable to anyone who accesses your system (or your file cabinets).
Instead of keeping cards on file, use a method called “tokenization.” With tokenization, your payment processor stores card numbers for you and gives your system a “token” for each one. Think of it as a digital claim check. When Joe Smith makes a purchase, your software gives the token for Joe’s account to the payment processor, which then runs Joe’s card. From the customer’s point of view, this functions exactly like having a card on file. But if hackers get into your network, there’s nothing for them to find.
3. Stop Using Unencrypted Data
Many POS systems work like this: The customer swipes his card, the POS system reads the account number, encrypts it, and sends it to the payment processor. Encrypted data is pretty hacker-resistant. The problem is that account numbers are unencrypted between the card terminal and the POS. This is a major weakness, and it’s the reason why so many high-profile data breaches involve POS machines.
The most secure payment method eliminates this gap. It’s called “point-to-point encryption” or P2PE. These systems bypass the POS. Account numbers are encrypted at the credit card terminal and are sent directly to the payment processor. The hardware and software are completely controlled by the payment processor and are sealed off from outside parties. P2PE virtually eliminates your risk of a breach because the cardholder data is never in your system.