Every month it seems like there is a new report of personal information like credit card numbers being released onto the web. Companies that improperly store credit card information from their customers put millions of people at risk, forcing users to close cards and request new ones. Most consumers are becoming more aware of the risks of giving their credit card number online or over the phone.
It’s vital that your business is compliant with Payment Card Industry Data Security Standards (PCI/DSS). If you improperly collect or store customer data, you could be putting the future of your company at risk.
Understanding PCI/DSS
The security of cardholder data is key to building and preserving customer trust. It’s also a legal obligation.
Who must comply?
All entities that store, process or transmit cardholder data must maintain payment security. This applies whether you are a small sole proprietorship or an enterprise company: If you take credit cards or other electronic payments, you must comply with PCI/DSS.
What are the standards?
Guidance for maintaining payment security includes the following steps:
- Building and maintaining a secure network with a firewall configuration capable of protecting cardholder data.
- Never using default passwords, and maintaining a protocol for frequent password changes company-wide.
- Protecting stored cardholder data (tip: use solutions that eliminate data storage altogether).
- Encrypting transmission of cardholder data (tip: use tokenization to eliminate transmission of actual credit card numbers).
- Installing and regularly updating anti-virus software or programs to protect your back office (and requiring work-at-home staff to comply as well).
- Restricting access to cardholder data by applying strict permissions across your organization and using tokenization to eliminate physical access.
- Testing your security systems and processes regularly, and maintaining an employee and contractor policy for information security.
COVID-19 and a distributed workforce
With millions of people now working remotely, and back office workers not likely to return to corporate offices anytime soon, companies are finding new weak links in the chain of payment processing. While corporate networks aren’t foolproof, they still provide more protection than the average remote worker’s connection to the internet.
When sales and customer service staff work from their own homes, the risks of compromised customer data skyrocket. If your sales staff or post-sales support teams are asking for credit card information or verifying information, your company could be at risk.
Intercepting data
Keyboard loggers can recognize and copy credit card numbers when they are typed in by a representative. Most home workers don’t have the level of security provided by a corporate office, and even corporate-level security can still have vulnerabilities.
Numbers given over the phone can be recorded and stolen. The phone, the network or even devices in a worker’s home (like Alexa) could be hacked — there are even reports of Roombas being turned into listening devices and used to steal credit card numbers.
Even information that is “encrypted” can be intercepted as it travels across a network, and decrypted by packet sniffers. Sniffers can steal credit card numbers and customer information that has been typed and transmitted, or decode conversations sent over the internet on VoIP phone systems.
How do you make customers feel confident that their credit card information is safe, and more importantly, how do you help ensure that the information actually IS safe?
Protecting customer data, simplified
The best approach is to not store customer credit card information at all, and to institute ways of collecting information that keep the risk on the consumer’s side and away from your corporate office. Credit Card Advantage with PayLink and WalletLink allows you to accept electronic payments from customers without ever receiving their actual credit card number.
When you use PayLink or WalletLink, your customer is presented with the ability to enter their credit card number on their own computer. A single-use “token” is generated and sent to your back office when the payment is submitted. This eliminates the weakest link in most online payment system chains by ensuring that you never have the customer’s actual credit card number at all. You can even customize your system to choose when preauthorization or payment takes place.
Our payment processor is Mastercard and VISA certified, and the PayLink/WalletLink options can be used by your distributed workforce. There’s no more worrying about the safety of a customer’s credit card number, because you never access or store it. Tokenization lets you eliminate the weakest link in the payment chain by never exposing your back office to the responsibility of protecting the number in the first place.
To learn more about how SK Global Software’s Credit Card Advantage can help reduce vulnerability in your payment system, contact us for a demo today.