8 Tips for Merchants: Protecting your customers’ card data

Protecting your customers’ card data, sensitive as it is, is one of the top priorities when it comes to payment processing. The new reality that Covid-19 has brought is forcing many small businesses to rethink the payment methods they had in place up to now.

Until the beginning of 2020, cash was often the main means of payment in smaller retail shops (in Germany) with plenty of foot traffic. To survive weeks-long store closures and subsequent shopping restrictions, many retailers were obliged to offer their customers online and telephone ordering options.

To help contain the spread of Covid-19, customers also increasingly resorted to contactless payments. Card-issuing institutions quickly responded to this trend by raising the maximum contactless transaction limit – without authentication – to up to € 50.00.

This article is meant for small(er) to medium-sized retailers or companies.

Protecting your customers’ card data – what to do

The use of cards as a means of payment (ec cards, debit cards, credit cards) is on the rise. For you as a merchant, this may be new. And it gives you more responsibility than ever to ensure that this card data is well-protected. Since your core competence lies in selling products, you are bound to grapple with the question of what you – as a merchant – can do to best protect customer card data.

The Payment Card Industry Security Standards Council (PCI SSC) has recently shared eight tips for merchants aimed at boosting the safety of the card data they handle. These tips are listed below along with some brief comments that I have added.

As a Qualified Integrator and Reseller as per the PCI SSC, I would be happy to assist you with any questions you may have. The easiest and fastest way to reach me is through these communication channels.

But now let’s move on to the tips for safeguarding card data.

1. Card data must never be stored outside a secure technical environment

The best protection against data theft and fraudulent use of customer data is to avoid jotting down such data in any way. Not on slips of paper, not in e-mails, text processing programs or spreadsheets; not in your ordering system and not on the wall, etc.

In other words, card data should exclusively be located in your secure terminal or connection to your payment provider. Only there. And nowhere else. Ever.

2. Choose only strong passwords

This is one of the most basic protective measures to take. “Start” or “admin” are not good passwords, neither are “0000” or “1234”. Weak passwords are one of the main gateways to data misuse.

Please consider the following points to significantly boost security for your customers and their card data.

– Update passwords regularly (every 30-60 days)
– Do not use the same password for all your applications/systems
– Change any default passwords immediately after system installations
– Passwords should ideally

  • not be a word from the dictionary and should include
  • upper case letters
  • lower case letters
  • numbers
  • special characters

3. Be sure to keep your software up-to-date

Updating software is annoying. Indeed, it’s time-consuming, doesn’t always work (and thus takes even more time!), and doesn’t generate any additional revenues.

There is no denying this but…updates often fix newly-uncovered security vulnerabilities as well as address general software flaws. Neglecting to update software for long periods of time, especially when systems are involved that host sensitive customer data, is a bad idea.

Always install (or have installed) the latest updates to keep your software up-to-date. Updated software makes it more difficult to obtain fraudulent access to your – and ultimately your customers’ – data.

So-called“vulnerability scans” help identify vulnerabilities and security issues in your systems. A PCI-approved scanning vendor (ASV) can perform your vulnerability scans.

4. Use strong encryption

Encrypted data, including payment or card data, can only be read if a corresponding decryption key is available. Be sure to encrypt your data – especially if you regularly transfer data to and fro.

So what can you do to protect card data?

Ask the payment service provider that processes your card payments whether your terminal’s – or application’s – encryption is secured via Point-to-Point Encryption (P2PE), and whether this system is also PCI SSC-approved.

If you have a website – or are currently setting one up – please ensure that you have secure shopping cart encryption, in other words, that it currently supports least TLS version 1.2.

5. Use only secure remote access

Even as a retail trader, you may need to have remote access to your system and your data.

Once you allow access to your data from outside your local network, be sure to

  • restrict this to the greatest extent possible
  • disable remote access when it is not needed
  • regularly change the passwords for remote access
  • avoid assigning the same password to different users
  • activate so-called “multi-factor authentication”, in other words, authentication using more than just the password (and requiring an additional variable security code, for example).

6. Ensure your firewall is correctly configured and up-to-date

A firewall is the barrier between your network, your data, and the Internet. It blocks unwanted traffic and, more importantly, unauthorized access to your data.

Setting up a firewall in a way that makes it practically impenetrable is something you should leave to a network professional because of its complexity.

Nevertheless, even a basic firewall with just a few configuration settings is better than none at all.

7. Think before you click

There are numerous ways and techniques to start a phishing attack with the help of “normal” looking e-mails or social media messages.

Such attacks target data that is not publicly accessible, primarily payment transaction data, of course. This includes your customers’ card data, but also your log-in credentials for payment transaction providers or your bank, as well as user IDs and passwords in general.

Before clicking on links in e-mails or other messages, please take a moment to consider to following:

  • Do I know the sender?
  • Do I recognize the subject line (avoiding dangerous clickbait)
  • Does it concern me or my company?
  • Is the message poorly or inappropriately worded in respect to the content/sender?
  • Does the link you are to click on point to a strange URL?

8.  Choose trustworthy partners

There are many payment providers that offer their services. Most are (hopefully) honest business people. But how can you find out for sure?

Ask your payment service provider (PSP) the following question:

Are you PCI DSS-certified or do you operate in compliance with PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that companies handling and processing credit card information must adhere to. Depending on the applicable criteria, certification must be renewed either quarterly or annually,

Summary: Eight tips for protecting your customers’ card data

After browsing all the text above, let me recap the tips to help you safeguard your customers’ card data.

1. Do not leave card data outside a secure technical environment
2. Use robust passwords
3. Keep your software up-to-date
4. Use strong encryption
5. Use only secure remote access
6. Ensure your firewall is properly configured and up-to-date
7. Think before you click
8. Choose a trustworthy partner

The subject of data security and the eight tips outlined above may sound like a lot of work and expense. And I don’t want to refute that.

But keep in mind how this effort compares to the costs that would incur if customer and/or card data from your inventory were to be compromised. That puts everything into perspective!

The world of payment transactions and data security

…is not necessarily terribly exciting. Nevertheless, if you accept card payments you have no choice but to deal with this.

Do you have questions about the world of banking, payment transactions, card payments and data security?

Feel free to contact me.

Inaction is not an option.

Leave a Reply