• Tom O'Connor

Why you need a secure merchant account to minimize risk

No matter your business type or size, your merchant account should help you accept all types of payments without jeopardizing the security of your business, or your customers' identities. A good merchant account provider helps you put fraud detection/protection and card data security front-and-center. Here are some specific ways that your merchant account should be working to protect sensitive data, and your customers and your business in the process.

Assistance with PCI Compliance

If you process, accept or transmit card payments, your business and systems must be in compliance with the Payment Card Industry (PCI) Data Security Standards guidelines at all times. Fall out of compliance at any time and your business becomes increasingly susceptible to a data breach and all the fines and headaches that go along with one. Achieving PCI compliance is not a one-time solution. It’s an ongoing process that you should undertake with the guidance of your payment processor.

There are three basic phases a merchant will go through when becoming PCI compliant:

  1. Assessment. The first step is to perform a comprehensive assessment of your business systems, the customer data you store and the means by which you transmit and store that data. The next step is to identify any potential vulnerabilities in your systems that will need to be addressed in order to achieve PCI compliance.

  2. Remediation. In this step, you’ll fix any vulnerabilities you identified during assessment. One of the most important tasks is removing and/or strictly limiting the storage of sensitive cardholder data, unless absolutely necessary for your business practices. You should also consider more closely controlling the user permissions of your employees so as few as possible have access to sensitive data such as full card numbers.

  3. Maintenance. Once your system is compliant, it takes vigilance to ensure compliance is maintained year-round. To achieve this, it's recommended that each merchant create a security policy that includes regular system checkups and standard operating procedures for maintaining security. Be sure to circulate your security policy to every employee, contractor, or other entity involved with your business. One of the most common vulnerabilities small merchants face comes from remote access to their system by a third party. A written security policy can help you track your compliance activities and may come in handy in the unfortunate event that you are breached.

PCI compliance isn't the only aspect of security merchants should be aware of. There are many additional layers of security at your disposal: layers that can help protect your customers from having their data stolen, and you from seeing a spike in fraud chargebacks following the liability shift in October 2015 for certain types of in-store fraud.

Encryption

Card data encryption helps protect your cardholders’ sensitive data over the course of the transaction. Here’s how encryption works:

  • The card is swiped, dipped, or manually entered.

  • The card number is automatically and immediately changed into an encrypted string of text and/or characters. The data remains encrypted as it is transmitted through the various points in the authorization process. The string of text has no value. So, even if a hacker intercepts the data it remains useless to the thief.

  • Once the encrypted string of text reaches your acquiring bank (or their processor) for settlement and payment, it will be securely translated back into the card number with a secure decryption key. At no point in the data transmission sequence is the actual card number revealed—only the encrypted string of text is actually transmitted across the network.


Whereas encryption protects data in flight, tokenization protects data at rest. Data is at rest in certain transactions where the original card number may be kept on file for future transactions. In general, it's best not to store card data at all. But some circumstances require it. One example is in a restaurant setting where a transaction is initiated to pay the check, but held so the customer can add a tip before final settlement. Another example could be a recurring charge for a subscription where the card is charged periodically. Here’s how tokenization works:

  • Before it's stored for future use, the card number is converted to a “token,” which is a reference number that stands in place of the original associated card number. If a fraudster intercepts the token, it will be meaningless and useless since the thief is unable to see actual card data.

  • Once the token reaches your acquiring bank (or their processor) for settlement and payment, the token will be securely translated back into the card number. At no point in the data transmission sequence is the actual card number revealed—only the token is actually transmitted across the network.
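The tokenization flow described above, using the restaurant tip case, as an added example that is not part of the original article. The `TokenVault` class, the `tok_` token format and the `caller` check are assumptions made for illustration; a real vault is run by the processor with encrypted storage and proper authentication.

```python
import secrets

class TokenVault:
    """Processor-side vault: the only place a token maps back to a card number."""

    def __init__(self):
        self._pan_by_token = {}   # production: encrypted, access-controlled storage
        self._token_by_pan = {}   # one card always maps to the same token

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a card number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        # Random value with no mathematical link to the card number; the last
        # four digits are kept so staff and receipts can still identify the card.
        token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller != "settlement":   # merchant systems never get the number back
            raise PermissionError(f"{caller} may not detokenize")
        return self._pan_by_token[token]


def open_check(vault, merchant_db, table, pan, amount_cents):
    """Authorize now, keep only the token on file until the tip is added."""
    merchant_db[table] = {"token": vault.tokenize(pan), "amount_cents": amount_cents}

def close_check(vault, merchant_db, table, tip_cents):
    """Final settlement: the processor side resolves the token, not the merchant."""
    check = merchant_db.pop(table)
    pan = vault.detokenize(check["token"], caller="settlement")
    return {"charged_last4": pan[-4:], "total_cents": check["amount_cents"] + tip_cents}

# Constructed demo data; 4111111111111111 is a well-known test card number.
vault, merchant_db = TokenVault(), {}
open_check(vault, merchant_db, "table-7", "4111111111111111", 4250)
stored = dict(merchant_db["table-7"])   # everything the merchant holds at rest
receipt = close_check(vault, merchant_db, "table-7", tip_cents=800)
```

`stored` contains a token and an amount but no card number, which is what a thief copying the merchant's database would find.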

EMV Chip Card Acceptance

EMV chip cards have been in widespread circulation in Europe and other areas of the world for many years and are currently becoming the standard in the U.S. as well. Migration in the U.S. began with issuing banks replacing traditional magnetic stripe credit and debit cards with cards that carry a data chip. Beginning October 1, 2015, fraud liability shifted from issuers to merchants, signaling the big milestone of EMV conversion. Now, failure to process a chip card in-store with an EMV-enabled chip card reader could result in the merchant receiving a chargeback if the transaction is fraudulent. Prior to the shift, merchants were not liable for this type of chargeback.

Here's how EMV chip cards work:

  • EMV cards are basically the same size and shape as traditional magnetic stripe cards. The main difference is that the EMV card is embedded with a computer chip.

  • To make a payment at a store, the customer will “dip” his or her EMV card into the EMV-enabled terminal. The card will remain in the terminal until the transaction is complete; the screen on the terminal will signal the customer when it’s safe to remove the card.

  • While the card is inserted into the terminal, a unique data set is created for that transaction. With magnetic stripe cards, the same data is used for each transaction the card initiates, which is why intercepted data could be used successfully in subsequent transactions. However, with EMV technology, any data that could be stolen would not be useful to fraudsters since it is unique to each transaction.
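Why per-transaction data defeats reuse of intercepted data, shown from the issuer's side as an added example that is not part of the original article. This is a simplified model: the HMAC-SHA256 cryptogram, the message layout and the class names are assumptions for illustration, and real EMV cards use their own key derivation and cryptogram algorithms.

```python
import hashlib
import hmac
import secrets

def _mac(key, pan, amount_cents, nonce, atc):
    # Stand-in for the chip's cryptogram; real EMV uses its own key derivation and MAC.
    msg = f"{pan}|{amount_cents}|{nonce}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0   # atc = per-card transaction counter

    def pay(self, amount_cents, terminal_nonce):
        self.atc += 1                                  # changes on every transaction
        return {"pan": self.pan, "amount": amount_cents, "nonce": terminal_nonce,
                "atc": self.atc,
                "cryptogram": _mac(self._key, self.pan, amount_cents, terminal_nonce, self.atc)}

class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def issue_card(self, pan):
        self._keys[pan], self._last_atc[pan] = secrets.token_bytes(32), 0
        return ChipCard(pan, self._keys[pan])

    def authorize_chip(self, tx):
        key = self._keys.get(tx["pan"])
        if key is None:
            return "declined: unknown card"
        expected = _mac(key, tx["pan"], tx["amount"], tx["nonce"], tx["atc"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return "declined: bad cryptogram"
        if tx["atc"] <= self._last_atc[tx["pan"]]:
            return "declined: replayed transaction data"
        self._last_atc[tx["pan"]] = tx["atc"]
        return "approved"

# Constructed demo; 4111111111111111 is a well-known test card number.
issuer = Issuer()
card = issuer.issue_card("4111111111111111")
first = card.pay(2500, terminal_nonce=secrets.token_hex(4))
results = {
    "genuine": issuer.authorize_chip(first),
    "replayed_copy": issuer.authorize_chip(dict(first)),
    "altered_amount": issuer.authorize_chip({**first, "amount": 99900}),
}
```

The genuine transaction is approved once; an exact copy of the same data is declined because its counter has already been used, and a copy with a changed amount is declined because the cryptogram no longer matches.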

Make sure that the merchant account provider you select offers the latest in POS terminal technology, including the ability to accept EMV chip cards. EMVCo controls this technology; check out their website for more information.

Online Processing Protection

If you process credit card payments online, there are some additional layers of protection that you should consider implementing. Here are some of the online payments security options your merchant account provider may offer:

  • Secure Sockets Layer (SSL). Fairly standard for websites today, an SSL certificate creates an encrypted link between a web server (your website) and a browser (how your customers access your website). SSL makes it more secure to transmit sensitive data between your website and your customers’ web browser. Usually when you have an SSL certificate, a padlock icon will display in the URL address bar of the web browser, denoting that your site has enhanced security. Many shoppers today know to look for this padlock icon, which provides peace of mind that a website takes their data security seriously.

  • CVV code. If you accept credit cards online, you should require that shoppers enter the CVV or CVV2 code from the back of the payment card (sometimes on the front). This three- or four-digit code provides an additional layer of authorization protection, since fraudsters who have stolen card data often won’t have this code when they attempt to run a transaction. If an invalid CVV code is entered, the card will be declined.

  • Address verification service (AVS). When a shopper makes a purchase online using a payment card, he or she should be required to enter a valid billing address. AVS checks the billing address that the shopper entered against the address that the card network has on file. As with the CVV code, fraudsters will oftentimes not have a valid billing address for a stolen card number. If an invalid billing address is entered, the card will be declined.

Your Merchant Account Provider Should Be Your Partner in Payments Security

Choosing a merchant account provider that will help your business continually secure your customers’ sensitive data is critical to the current and future success of your business. If you (or your processor) don’t take security seriously, you could be leaving your systems vulnerable to a data breach. A breach could cost you thousands of dollars in fines and damage, as well as damage your brand’s reputation for months or years to come. Partner with a payments processor that always keeps data security a top priority.

To learn more about payment security for your merchant services, contact me today!