Who keeps gold in a shoebox? In the backseat of their unlocked car?
You might be surprised to learn it happens all the time. In fact, someone somewhere is doing that right now. That someone could be your client.
Of course, we’re not talking about literal gold. But we are talking about something else that’s worth its proverbial weight in the stuff. That’s sensitive data.
By taking credit card payments, your clients are sitting on piles of it. As their trusted software provider, you can help them transform that shoebox into a vault and that unlocked car into a padlocked door, guarded by a professional security team. After all, not doing so could bring serious consequences for your clients, their customers and for you.
Protecting your business and your clients from cyberattacks is an ongoing challenge. But with the right tools and a team approach, you can prevent data breaches, comply with PCI standards, and help keep your company and your clients safe. Today we’re covering:
Data protection and data security are everyone's responsibility
Some of the largest data breaches in retail history involve stolen credit card data. In September of 2015, 56 million Home Depot customers’ credit card information was exposed by hackers. TJX — the owner of several retail brands, including TJ Maxx, Marshalls and HomeGoods — suffered a data breach that exposed 45.6 million credit and debit card numbers.
Those breaches represent big scores for hackers. But major organizations with huge transaction volumes aren’t the only ones at risk. According to CNBC, small businesses have become a favorite target for fraudsters, who commit 43% of online attacks on mom-and-pop shops. Ultimately, everyone is vulnerable to data security breaches. And everyone has a responsibility to minimize those vulnerabilities — including you and your clients.
PCI compliance is crucial for every business
In exchange for the ability to process payments, your clients have agreed to comply with established data security standards for the safe handling of sensitive cardholder data.
What is PCI DSS compliance?
Visa, Mastercard, American Express, Discover and JCB make up the Payment Card Industry (PCI) Security Standards Council. The Council formed in 2004 to protect the growing amount of credit card data that merchants and processors were handling, transferring and storing. Around the same time, the Council created the PCI Data Security Standards (PCI DSS).
PCI DSS is a set of benchmarks that show businesses how to reasonably care for and safeguard cardholder data. Any business or organization that accepts credit and debit cards has agreed to follow those security standards. And if your clients are consistently abiding by each of those standards, they are upholding that agreement by maintaining PCI compliance.
The key words here are “consistently” and “maintaining,” because complying with PCI security requirements isn’t a one-time task or project. It’s a state of being. Businesses must ensure the standards are woven into their day-to-day operations and culture. Just because the standards have been met once doesn’t mean a vulnerability and subsequent breach couldn’t occur in the future. With 44 cyberthreats launched every second of every day, an ongoing commitment to security is crucial.
PCI SSF validation
A new set of security standards has been established by the Council in regard to the payment software used by merchants and provided by software vendors like you. Up until October 2022, these requirements were known as the Payment Application Data Security Standard (PA DSS). Now, a more sophisticated standard has been set — the Software Security Framework (SSF).
The SSF includes two new security requirements, the PCI Secure Software Standard (SSS) and the PCI Secure Software Lifecycle (Secure SLC) Standard. According to the Council, “the SSF provides vendors with security standards for developing and maintaining payment software so that it protects payment transactions and data, minimizes vulnerabilities, and defends against attacks. It includes a new methodology for validating software security and a separate secure software lifecycle qualification for vendors with robust security development practices.”
This set of standards is especially important for software vendors because you are the party responsible for the solutions provided and the validation required. As a software vendor, you can seek validation for the solutions you offer through an SSF Assessor, an independent security organization that has been qualified by the Council to validate a vendor's payment software and evaluate a vendor's software lifecycle.
By ensuring your solution is validated, you can help your clients rest assured that their fintech equipment meets the most current and stringent security standards.
Data breaches can cost your clients big
Many of your clients may think that PCI compliance and fending off hackers will eat too much time or money. But the consequences of not doing it are major, and could deal a fatal financial blow to a small business. CNBC reports that the average cyberattack costs small businesses $200,000. And that 60% of them close their doors within six months of being hacked.
Let's explore what life looks like for one of your clients after a breach. Common challenges include:
You may be wondering what that six-figure dollar amount includes. The cost of performing an investigation starts things off. When a merchant has been the victim of cybercrime, they are often responsible for facilitating a forensic investigation to see where things went wrong. While the results from these studies can be enlightening, they can be expensive to fund.
Once the investigation is over, various institutions will levy fines and penalties. For example, if a merchant has lost their customers’ credit card data and the card brands must issue new cards, the card brands will pass that cost on to your clients. Merchants may also face penalties for being noncompliant with PCI DSS.
The investigation may also yield suggestions on ways to improve data security, including adopting new technologies, processes, training programs and more. Although valuable, these recommendations can be expensive to implement and sometimes they’re even required in order to continue accepting credit card payments.
If a cardholder experiences identity theft or catastrophic financial consequences as a result of their information being hacked, they may file a lawsuit against the business that was charged with protecting it. The PCI DSS Guide says that state and federal governments with laws around data security may become involved. The Guide also reports that the costs associated with any kind of legal action can make the penalties levied by banks and card brands seem minuscule in comparison.
Repeal of card acceptance privileges
Any merchant who experiences a data breach, doesn’t remit penalties or fines, and can’t show improved security measures over time may find themselves unable to accept credit cards.
The PCI Security Council has the authority to ban a merchant from being able to accept their cards as a method of payment. Considering that the majority of in-store or online purchases are made using credit or debit cards, a banned merchant could have a tough time operating profitably — or at all.
Loss of consumer trust
When you think about it, the bond between a customer and merchant is one that’s built on confidence. Without a second thought, customers hand over access and control over some of their most valuable data, trusting businesses to use it honestly and keep it safe. Card numbers, names, addresses, birthdays and more. If your clients experience a breach, their customers are naturally going to think twice about doing business with them again.
How to help prevent a data breach for your clients
There are a number of ways you can help protect your clients and keep their customers’ data safe. Firstly, you can impart your knowledge of security standards — many small business owners are overwhelmed when trying to spearhead the prevention of security breaches on their own. Thanks to your expertise as a trusted software provider, your clients should be able to turn to you for guidance.
Below we’ve put together a few important steps your clients can take to protect themselves. You can do your part by passing along this information and encouraging each merchant to stay compliant with current PCI standards.
Data security tools and tips for merchants
Let’s cover some of the key steps your clients should take on their journey to PCI compliance and protecting their goldmine of customer data:
Use antivirus software
Most people probably have some version of antivirus software on their computer right now. But just like PCI compliance, it isn’t something to just set and forget. Though the program itself usually sends a notification when it’s time to update, it doesn’t hurt to send reminders to your clients about the importance of these updates. Stress to them that, even if the update interrupts their work, it’s worth it.
You can also encourage your clients to run an antivirus scan at least once a week, as well as anytime they encounter suspicious activity. Here’s a handy list you can forward along — according to the Federal Trade Commission, a system may have been hacked if any computer on the network:
- suddenly slows down, crashes, or displays repeated error messages
- won’t shut down or restart
- won’t let you remove software
- serves up lots of pop-ups, inappropriate ads, or ads that interfere with page content
- shows ads in places you typically wouldn’t see them, like government websites
- shows new and unexpected toolbars or icons in your browser or on your desktop
- uses a new default search engine, or displays new tabs or websites you didn’t open
- keeps changing your computer’s internet home page
- sends emails you didn’t write
- runs out of battery life more quickly than it should
Invest in a firewall
Not only is it wise for businesses to invest in a firewall, it’s actually mandated by the PCI DSS. Under the first provision, among other requirements, merchants must:
- Build firewall and router configurations that restrict all traffic, inbound and outbound, from ‘untrusted’ networks (including wireless) and hosts, and specifically deny all other traffic except for protocols necessary for the cardholder data environment.
- Prohibit direct public access between the Internet and any system component in the cardholder data environment.
So what type of firewall will help your clients protect their business? Probably not the one they’re using.
Typically, home computer users rely on a software firewall for protection. While that’s a perfectly safe solution for one personal device, most experts agree that a software firewall isn’t robust enough to protect entire networks. That’s why they recommend small businesses invest in a hardware firewall to block attacks against multiple computers.
Let’s not forget the biggest target for hackers — people. More specifically, your clients’ employees. Each member of your client’s organization should be told the importance of preventing a breach. As their software vendor, you can help by encouraging them to adopt the following security practices.
Spot and report phishing: Earlier we mentioned that most ransomware infects a network through successful phishing tactics. Hackers use official-looking emails, texts and websites to pressure recipients into sharing sensitive information quickly. Most phishing emails will have subtle red flags, including spelling mistakes and email addresses that don’t match the sender’s domain.
Employees should refrain from clicking on, saving or sending a message they think might be a phishing attack. Next, they should report it immediately instead of attempting to investigate it themselves. At that point, your client can take steps to verify it and protect their network.
Create strong passwords: It’s definitely easy to remember “1234.” Unfortunately, overly simplistic passwords are also easy for hackers to guess.
Employees should create something secure, but memorable, so they don’t have to write it down or save it in an Excel sheet. Numbers, special characters, and both uppercase and lowercase letters should be included.
Keep passwords secure: Creating strong passwords doesn’t go very far toward security if anyone can easily see or access them. Staff must refrain from sharing their passwords with others and try to keep them in a secure place where access is limited and monitored.
Your clients may also want to consider a password manager program that generates strong passwords and stores them in an encrypted file. To go a step further, they can implement multi-factor authentication for an added layer of security.
Report suspicious activity as soon as possible: We’ve already mentioned this, but it bears repeating. The damage caused by viruses and malware is directly proportional to the amount of time they are allowed to run. If an employee of your client encounters any suspicious activity, they must report it immediately.
A lot of team members may feel compelled to help by researching or attempting to troubleshoot issues themselves. Make sure they know that the best way for them to defend against hackers is to stop working on their computer and raise the alert.
Data security for fintech providers
Now that we’ve covered the ways that your clients can help protect their customers’ data from a breach, let’s dive into how you can do your part as their software provider.
Encryption essentially turns sensitive credit card data into an unreadable, nonsensical value. Without the decryption key, which is shared only between the financial institutions involved and the payment processor, nobody can read it. When credit card numbers appear as random gibberish, they’re worthless to the average hacker and significantly less valuable to even the most sophisticated crime rings. It’s important that you employ end-to-end encryption so that all payment data is hidden and secure throughout the authorization process.
It’s also vital that you implement tokenization, particularly if your clients process card-on-file payments necessary for subscriptions or memberships. In this process, sensitive data is replaced with “tokens,” which take the credit card information out of the equation, keeping it hidden from thieves.
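To make the tokenization idea concrete, here is an added example (not code from this blog or from Global Payments Integrated) of a toy token vault: it validates a card number, replaces it with a random token that keeps only the last four digits and deliberately fails the Luhn check so it can never be mistaken for a real card number, and shows the PCI DSS display masking (first six, last four). The vault, the sample test card number and all function names are constructed for illustration; in practice the vault lives in the processor's segmented environment, never in the merchant's own application.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by payment card numbers: True if the digits check out."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 + 0 and d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Constructed in-memory vault mapping opaque tokens back to real card numbers.
    Only the vault (i.e. the processor) can detokenize; the merchant keeps tokens only."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Refuse anything that is not a plausible card number (13-19 digits, Luhn-valid).
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        while True:
            # Random digits for the leading part, real last four kept for receipts/lookups.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            # A token must fail Luhn (so it cannot pass as a PAN) and must be unused.
            if not luhn_valid(token) and token not in self._store:
                break
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Recover the real card number; raises KeyError for unknown tokens."""
        return self._store[token]


# Constructed sample: 4111111111111111 is a widely published Luhn-valid test number.
SAMPLE_PAN = "4111111111111111"
```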
These data security measures — along with the solutions we’ve mentioned throughout this blog — work like a powerful security team for your clients and their customers.
How Global Payments Integrated approaches security
Data security has evolved rapidly over the past few decades in order to keep pace with modern criminals. Here at Global Payments Integrated, we’ve helped millions of small businesses protect themselves with the security solutions and support they need to thrive.
With our secure payment processing solutions, it’s easy for your clients to maintain PCI compliance and mitigate the risk of a data breach. Our payment processing helps keep data secure with encryption and tokenization, and our reporting capabilities make it easy to monitor transactions and spot suspicious entries. Plus, your clients can count on round-the-clock assistance from our US-based agents.
In this modern age, every business is sitting on a goldmine of data and facing multiple security challenges. Hackers will stop at nothing to break in and gain access. But with new threats come new defensive tools that make it easier than you might think to confidently protect your clients and their customers from the devastation of a data breach. If you’re ready to enhance your software with secure payment processing from an integrated payments partner you can trust, contact us today.