For Retailers
Nothing is more important to a business than its customers. It’s a relationship that relies on trust, which is difficult to earn and easy to lose. New gains in technology can allow hackers to steal data from anywhere in the world. Protecting your business and customer information is more critical than ever.
If your business accepts payment cards, it is important to have security steps in place to ensure your customers’ information is safe. Your bank or payment services processor can help you prevent fraud. In addition, there are free resources and general security tips available to help you learn how to keep sensitive information—beyond payment information—safe.
Below are some quick tips to help get you started and links to more resources.
Know the who, what, where of your sensitive customer data
- Make a list of the type of customer and card information you collect and keep—names, addresses, identification information, payment card numbers, bank account details and Social Insurance Numbers. It’s not only card numbers criminals want; they’re looking for all types of personal information, especially if it helps them commit identity fraud.
- Ask yourself where you keep this information and how it is protected.
- Determine who has access to this data and whether they actually need that access.
If you don’t need it, don’t keep it
- Once you know what information you collect and store, evaluate whether you really need to keep it. Businesses often don’t realize they are keeping unnecessary data until they conduct an audit. Sensitive data you don’t store cannot be stolen from you.
- If you’ve been using card numbers for purposes other than payment transactions, such as a customer loyalty program, ask your merchant processor if you can use alternative data instead.
- For example, tokenization is a technology that masks card numbers and replaces them with an alternate number (a token) that can’t be used for fraud.
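As an added example, not from Visa or the original page, here is a toy Python model of what the tokenization bullet describes: a hypothetical processor-side vault swaps the card number for a random token, and the merchant’s loyalty record keeps only the token and a masked number. The Luhn check, the vault class and the loyalty record are constructed illustrations; a real processor’s token format and interface will differ.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check that every payment card number must pass."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show only the issuer prefix (first 6) and the last 4; mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical vault run by the processor: the only place the PAN lives."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        if pan not in self._token_by_pan:       # same card -> same token, so a
            token = secrets.token_hex(16)       # loyalty program can recognise a
            self._pan_by_token[token] = pan     # returning customer; the token is
            self._token_by_pan[pan] = token     # random, so it reveals nothing
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def loyalty_record(vault: TokenVault, customer: str, pan: str) -> dict:
    """What the merchant stores: a token and a masked PAN, never the PAN itself."""
    return {"customer": customer, "token": vault.tokenize(pan), "card": mask_pan(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed sample: the well-known Visa test number
    rec = loyalty_record(vault, "alice", pan)
    assert pan not in rec.values() and rec["card"] == "411111******1111"
    assert vault.detokenize(rec["token"]) == pan  # only the vault can map back
    print(rec)
```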
When you choose tools or services, make sure they’re secure
- The payments industry (www.pcisecuritystandards.org) maintains lists of hardware, software and some service providers who have been validated against industry security requirements.
- Visa also maintains a list of service providers and processors who have been validated compliant with security requirements.
- Small businesses that use integrated payment systems—where the card terminal is connected to a larger computer system—can check the list of validated payment applications (www.pcisecuritystandards.org) to make sure any software they employ has been tested.
- Have a conversation about security with your provider if the products or services you are currently using are not on the lists.
Control access to payment systems
- If you use a more complicated payment system than a simple stand-alone terminal, make sure you carefully control access to it.
- Isolate payment systems from other, less secure programs, especially those connected to the Internet. For example, don’t use the same computer to process payments and surf the Internet.
- Control or limit access to payment systems to only employees who need access.
- Use a secure method for remote access, or eliminate remote access altogether if you don’t need it, so that criminals cannot get into your system from the Internet.
Take advantage of security tools and resources
Work with your bank or processor and ask about the anti-fraud measures, tools and services you can use to ensure criminals cannot use stolen card information at your business.
For e-commerce retailers:
- The CVV2 code is the three-digit number on the signature panel that can help verify that the customer has physical possession of the card and not just the account number.
- Retailers can also use Address Verification Service to ensure the cardholder has provided the correct billing address associated with the account.
- Services such as Verified by Visa prompt the cardholder to enter a personal password confirming their identity and act as an extra layer of protection.
For brick and mortar retailers:
- If the customer has a chip card, ask them to insert the chip card into the terminal and enter their PIN to authorize the transaction.
- If the customer has a card with a magnetic stripe and no chip, swipe the card and get an electronic authorization for the transaction, and check that the signature matches the card.
- Ensure your payment terminal is secure and safe from tampering.
Always remember the security basics
- Use strong, unique passwords and change them frequently.
- Use up-to-date firewall and anti-virus technologies.
- Do not click on suspicious links you may receive by email or encounter online.
- Protect yourself from scams outside of your business as well with tips for Preventing Fraud.
Get help
You don’t have to tackle security on your own. Work with your bank or processor to make sure you’re getting the support and expertise you need.
Visa provides resources for its Account Information Security (AIS) Program at www.visa.ca/ais. There is also information about industry security standards at www.pcisecuritystandards.org.