What do you need to protect customer payments?
14 million. No, you don’t need 14 million dollars to protect customer payments. But it’s an important number to be aware of nonetheless, because it’s the number of U.S. small businesses that have been breached, according to the 2016 State of SMB Cybersecurity Report.
Although many small businesses think they are too insignificant to be of interest to cyber thieves, exactly the opposite is true. Security experts agree that hackers eye small businesses precisely because of their size—and because they are less likely to put the necessary resources toward protecting themselves. In fact, SMBs are the target of 62% of all cyber-attacks, which amounts to approximately 4,000 per day.
While merchants may be downplaying their risk, consumers aren’t. According to a recent survey by Vantiv, nearly one-third (29%) of consumers think it is likely their card information will be stolen as a result of a data breach within the next two to three years. And while most consumers (75%) feel the responsibility for a data breach lies with the credit card issuer, more now place the responsibility for fraud protection on the merchant than did two years ago (64% vs. 44%).
Implementing payment and data security measures can be a daunting undertaking, but the risks of not doing so are greater. Costs for a data breach can break a small business; the U.S. National Cyber Security Alliance reports that 60 percent of small businesses close their doors within six months of experiencing an attack.
While no business is immune, the retail and hospitality industries experience the most compromises, at 23 percent and 14 percent respectively. Twenty-four percent of consumers surveyed by Vantiv have been the victim of a data breach at a retailer or restaurant where they have shopped or dined. And it doesn’t appear that U.S. retailers are learning from past cybersecurity mistakes—more than half of those that were breached had also experienced a breach previously.
These are scary numbers to take in. Let’s take a look at how you can protect your customers’ payments and keep your business from becoming part of a fraud statistic.
The tools you need
A good place to begin is by evaluating your breach prevention toolkit. Do you have one, and if so, is it equipped with the necessary components to protect your business? The most effective breach toolkit includes solutions that help prevent a breach, as well as those that mitigate the financial effects if one does occur. Specifically, your toolkit should include the following five components:
- EMV — to accept chip cards so that card-present transactions are processed more safely, and to help merchants meet the fraud chargeback liability shift of October 2015.
- Encryption and tokenization — to protect sensitive card data before, during, and after the transaction is processed.
- Anti-fraud services — to proactively address threats and mitigate issues before they occur.
- PCI compliance assistance — to secure systems and provide a general framework for protecting cardholder data and complying with industry mandates.
- Breach protection — to safeguard your business with financial protection in the event that a breach occurs.
One of the hallmarks of an effective breach toolkit is that all of these components are consolidated under one provider. Spreading out the pieces among various providers not only makes management cumbersome, but can also result in vulnerabilities within the overall system.
Best practices in payment security
Although the tools listed above are invaluable and necessary, they aren’t the only thing businesses need to protect customer payments. They also need to follow best practices for detecting fraud. With every dollar of fraud costing U.S. merchants more than twice that amount, businesses can’t afford not to.
Here are three common fraud scenarios, and best practices to avoid falling prey:
- Wire fraud — a customer overpays for a large order, and requests that the merchant wire the overpayment amount to them or someone else. But the sale does not go through and instead, the merchant loses money. Best practice: don’t agree to wire money to anyone, even if the potential of a large sale depends on it.
- Force auth fraud — a customer requests that the merchant force an authorization of their card when it’s declined by using a fake authorization code. This results in a chargeback for which the merchant is liable. Best practice: don’t ever force a sale using a “code” from a customer, and always follow the usual steps for securely processing a transaction.
- Gift card fraud — a customer returns stolen goods in exchange for a gift card. Best practice: always require a receipt and a customer ID for returns.
Following these best practices, as well as being aware of red flags for suspicious customer behavior, can protect your customers and your business. Keep records of signed receipts and be prudent about issuing refunds. Also, let your customers know about your security practices upfront. They will feel better knowing you are exercising due diligence to protect their payments.
Monitoring your efforts
Lastly, it’s important to monitor your efforts to protect customer payments. This involves running quarterly scans to detect system vulnerabilities, implementing robust business intelligence tools, and developing a plan to deal with a breach if one occurs.
Quarterly system scans are just one of the requirements merchants must follow to meet PCI-DSS standards. The automated, non-intrusive scans assess a business’s network and web applications from the external-facing IP address to identify vulnerabilities that a hacker could use to gain access to the network.
In-depth business intelligence tools provide details that can help you make necessary adjustments in your security efforts. For example, if your customers are voicing concerns on social media and review sites about the manner in which your business is addressing card security, you’ll find out right away so you can address the issues.
A plan to follow up with customers if your business is breached will go a long way toward rebuilding customer trust. It makes good business sense, and is a common practice—only 22 percent of consumers who were victims of a data breach reported that the breached retailer or restaurant did nothing to notify them of the breach. Your plan can include written notification by either letter or email, and an offer to pay for credit and ID theft monitoring services for a specified amount of time.
Peace of mind
Whether you run a bakery or a boutique, you want customer payments to be safe. You want to ensure that your business and your profits are protected from potential damage inflicted by data breaches and fraudulent transactions.
But you don’t have to be an expert in payments security, systems or fraud detection. Turn to a trusted payments partner, like Vantiv, for the expertise to make payments security simple. From card data security to fraud protection and PCI compliance, contact us to learn how you can reduce risk and build peace of mind into your payments, so you can sell more and worry less.