8 Security Tips for Small Businesses Accepting Online Payments in 2017
When customers make a purchase from your online storefront can they trust you to protect their credit card information? If not, why would they continue to support your business? That’s why ensuring that your customers’ payment data should always be a priority. When customers trust you, it will ultimately benefit your bottom line.
For small business owners, that may seem overwhelming and complicated, but it’s actually easier than you may think by following these 8 security tips when accepting online payments.
1. Be compliant with PCI-DSS.
PCI-DSS is a collection of compliance regulations that are mandated by the Payment Card Industry Security Standards Council. If you accept, process, store, or transmit credit card data then these regulations apply to you in order to ensure that your customers' payment information is kept safe and secure.
One of the biggest headaches that PCI-DSS gives business owners is that they can be complex - especially if you don’t have IT specialists on-hand. At the very least, being compliant with PCI-DSS means you must undergo an on-site data security assessment annually, such as using of SSL authentication on your website and Secure Sockets Layer (SSL).
To find out if you comply with these regulations, I would take the Self-Assessment Questionnaire (SAQ).
2. Don’t store customer payment data.
There are strict standards in place regarding the customer’s data that you store, like not storing CVV data. And, that’s because 95% of credit card breaches come from small businesses. The easiest way around this is to dispose of any payment information once a transaction is complete. If you do need to store information, such as a customer's name and account number then take measures to protect this information like using a private network or cloud-based storage or encrypting the data so that intruders can’t read it.
Also, under the Fair and Accurate Credit Transaction Act of 2003 (FACTA) you’re not allowed to include the full credit card number and expiration date of your customer’s credit card when emailing them a receipt. You’re only permitted to display the last five digits.
3. Choose a secure eCommerce platform and processor.
Despite the regulations that have been put in place, not all eCommerce platforms and processors take security as serious as others. When looking for an eCommerce platform or processor, choose trusted and reputable companies that have good reviews and are transparent about their security that they have in-place. The Better Business Bureau and Consumer Affairs are great places to research companies before you start working with them.
4. Educate yourself and your employees.
A majority of data breaches are due to human error. Even if you comply with regulations and have top-of-the-line security systems in-place, you’re still putting your customers information in jeopardy if you and your employees aren’t trained in basic security measures.
You can start by Informing them about the latest security risks and threats. Most importantly, however, everyone should verify transactions and realize the dangers of clicking on unsolicited e-mail attachments, sharing sensitive information with unauthorized individuals, and never leaving work-related USB drives or devices unattended.
5. Verify the transaction.
Speaking of verifying transactions, there are several ways that you can do this - even when a customer’s card isn’t present. This includes;
- Always making sure that there’s an address verification (AVS) match.
- Requiring customers to enter their card security code, aka that 3 or 4 digit CVV number on the back of their cards.
- Being suspicious of patterns that are of the norm, such as an exceptionally large order from returning customers. If so, call the customer immediately.
- Reviewing smaller details like strange email addresses, products being shipping to areas known for instances of fraud, and the customer not taking advantage of deals like free shipping.
- Considering accepting eChecks. Payments from bank accounts have to be verified through the ACH network.
6. Keep your IT environment protected your IT.
Even if you taken security precautions like having a SSL Certificate on your website and properly trained your employees, you’re still not completely out of the clear. Everything from your web host to web server can get be comprised. Having a firewall solution can help decrease these threat, but you should also consider setting up an intrusion-detection systems/intrusion-prevention systems (IDS/IPS). This will monitor and block any malicious traffic.
7. Update all of your systems.
It’s no secret that outdated systems are more prone to cyber-attacks. Whether if it’s WordPress, Shopify, your server’s c-panel, SQL, PHP, or your antivirus software, you need to make sure that when there’s a new update it’s downloaded immediately. Typically these updates occur automatically, but it’s always best to err on the side of caution by making sure that you’re running the latest version of any software that you use for your business.
8. Use encryption and tokenization.
These are two of the most popular words in security. Despite being often lumped together, there are differences between the two. According to Adrian Lane, data analyst and CTO for Securosis, the main difference between tokenization and encryption is how they handle the data that they’re attempting to replace. Tokenization will remove data from a system and replace it with an associated value. Encryption is an “obfuscation”? or “scrambling”? tool.This means that the original information if left intact, but makes it inaccessible without a proper key.
“With tokenization, you’re not worried about someone coming along and having or breaking or being able to reverse engineer the system in the future, and you’re not worried about admin keys being compromised and gaining access to the original data,” says Lane.
When storing any sort of data, make sure that it’s encrypted. You may also want start accepting payments via digital wallets, which encrypts data, or cryptocurrencies like bitcoin which uses tokens instead of a credit number or bank account.