SecurityCents Blog

Insights on payment data security, payments news and trends

5 Things to Consider When You Look at Payment Card Security Strategy


There are many reasons why business owners should be mindful of their payments. First, it’s your revenue: do you really want hackers to take from you what you work hard to earn? Second, if you are not vigilant about security around payments, how long do you think your customers will remain loyal to your business? Payment security isn’t a sexy topic. It’s often a scary one. Anyone who owns a hotel, restaurant or store understands that without the ability to process payments, they couldn’t do things like make payroll, keep the lights on or deliver their products and services.

I’m being a bit trite here for a moment, because every time I speak to a new prospect and hear the question “Do I really have to make sure my payments are secure? We’re just a small operation,” I go a little bit crazy.

Yes, you do. Regardless of your size, you have to be aware of, and maybe even a little concerned about, payment security. You have to do your part to protect your brand, your business and, most importantly, your customers’ financial security. People who check in to your hotel, eat in your restaurant or shop in your store are counting on you not to make the news. They are counting on you to handle their money as you would your own: securely.

There’s a lot of talk about EMV (Chip & PIN/Signature), P2PE (Point-to-Point Encryption) and tokenization, but do you really understand how they work and what measures to take to ensure you’re secure? Here are 5 things to consider as you plan your payment security strategy:

  1. Do you need to have tokenization?

Yes. Tokenization replaces the cardholder data in your iPOS (integrated Point of Sale) system with a representative number. If someone were to steal your server and all they had were tokens, how far do you think they would get in using them?

  2. If I have tokenization, do I really need P2PE?

Yes. P2PE is your first defense against hackers. When you swipe a customer’s card using a P2PE solution, you are ensuring the card information is protected (encrypted) from the moment it is read, even for the briefest moment it spends in your systems.

  3. So, if I have tokenization and P2PE, do I really have to hurry up and implement EMV by October 2015?

It depends. Not really an answer, right? What I mean is that whether you should rush to implement EMV by the liability shift date of October 2015 depends on your business’s risk tolerance. The most important consideration is realizing that the October 2015 date is not a mandate. There are no fines or penalties if a merchant does not implement EMV by this deadline. Instead, a liability shift will occur, relating specifically to counterfeit fraud (and, in the case of MasterCard, lost & stolen fraud if the bank card issuer is PIN preferring). This means the decision of when to implement EMV is based on the merchant’s own risk assessment, weighing their fraud risk against the cost of their EMV implementation. It is important to realize that a merchant’s risk may be higher than what they see via chargebacks today, because the issuer often assumes the liability without ever initiating a chargeback to the merchant. Merchants should discuss this with their processor to gain an accurate perspective on their potential liability. There are a few factors to consider when evaluating your EMV strategy and planning.

a. What do your current chargebacks look like monthly?

b. How tolerant of risk is your business?

Talk to your payments security advisor, your bank, your QSA and build your EMV plan around your business needs.

  4. Just as with your personal accounts, monitor your bank statements each month. Be on the lookout for things like multiple transactions from the same card numbers. It may seem like a lot of work, but in the end protecting your customers’ payment data is protecting your revenue and your business.
  5. Be aware. Sounds pretty simple. Be aware of who your customers are, your bank statements, balance sheets, P&L, policies and procedures and, most importantly, be aware of anything unusual. Make sure your iPOS is PCI compliant and your networks are locked down and protected. If you haven’t put in place policies that require regular password changes, do so now. It’s your business and you need to protect it.
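To make the tokenization point (item 1) and the statement check (item 4) concrete, here is an added illustration that is not Merchant Link’s code or any particular iPOS product: a small token vault that swaps card numbers for random tokens, POS records that keep only the token and last four digits, and a check that flags a card used repeatedly in one day. The card numbers, amounts and the `TokenVault`/`repeated_cards` names are all constructed for the example.

```python
"""Added illustration (not Merchant Link's code): a tokenization vault that
swaps card numbers for random tokens, plus a statement check that flags a
card used many times in one day. All card numbers below are constructed test
values, not real accounts."""
import secrets
from collections import Counter


class TokenVault:
    """Maps PANs to random tokens. Only the vault (kept off the POS) can
    reverse a token; the token itself carries no card data."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        # Same card -> same token, so later analysis can still count reuse.
        if pan not in self._pan_to_token:
            token = secrets.token_hex(8)   # 16 hex chars, unrelated to the PAN
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return self._pan_to_token[pan]

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


def pos_record(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the POS stores: token plus last four digits, never the full PAN."""
    return {"token": vault.tokenize(pan), "last4": pan[-4:], "amount": amount}


def repeated_cards(records: list, threshold: int = 3) -> dict:
    """Return tokens seen at least `threshold` times in the record set."""
    counts = Counter(r["token"] for r in records)
    return {t: n for t, n in counts.items() if n >= threshold}


# Constructed day of sales: one card shows up four times.
CARDS = ["4111111111111111", "5500000000000004", "4000000000000002"]
vault = TokenVault()
DAY = [pos_record(vault, CARDS[0], 25.00), pos_record(vault, CARDS[1], 40.10),
       pos_record(vault, CARDS[0], 25.00), pos_record(vault, CARDS[2], 12.75),
       pos_record(vault, CARDS[0], 25.00), pos_record(vault, CARDS[0], 25.00)]

if __name__ == "__main__":
    for token, n in repeated_cards(DAY).items():
        print(f"token {token} (ending {vault.detokenize(token)[-4:]}) used {n} times")
```

Only the vault can turn a flagged token back into a card number, so the day’s records are safe to hand to whoever reviews the statements.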

There are a lot of things happening in the news. We frequently hear of breaches, but what we don’t hear about are the unsuccessful hacks: the many attempts by hackers to steal data that fail.
