Top 5 Questions To Ask before Allowing Firms to Process Credit Cards
Target. Home Depot. Jimmy John’s. Staples. UPS. Michaels. P.F. Chang’s.
What do these businesses, ranging across a variety of industries, all have in common?
It’s not increased earnings. Each of these companies made headlines for their struggles with data breaches that exposed customers’ personal information, including credit card numbers, Social Security numbers and more.
In our industry, it hit even closer to home with parking firms SP+ and Datapark getting hacked and exposed. No matter what your line of business, and whether you’re a business owner or customer, these aren’t the headlines you want to read.
The scary thing is that many of these institutions had credit card information stolen despite having to undergo the industry standard Payment Card Industry Data Security Standard (PCI-DSS) Level 1 compliance process. These recent security failures suggest that certification in isolation is not enough to prevent a cyber attack.
Certainly, having an independent body to set and govern the standards that protect credit card security is valuable, worthwhile and a step in the right direction. However, having gone through the process from both sides (as a former auditor and with Passport obtaining compliance), I am concerned that this certification is marketed as protecting consumer credit card information and preventing fraud. The PCI standard is a good framework to follow, but relying on quarterly or annual audits and testing as the only security measures won’t cut it these days. That is the bare minimum. You need assurance that the firm has an ongoing security process in place if you want to avoid the bad press and red tape so many other companies have experienced.
Think Like a Criminal
At Passport, we not only go through the process of PCI-DSS Level 1 compliance, but we also work with ethical hackers to help us think like criminals and try to break into our systems. We like to call this “PCI Plus,” since we are going above and beyond to protect the core of our company. This is part of safely and securely doing business today, and gives our team and our customers the peace of mind they need when handling credit card information.
Companies absolutely have to make security a part of their everyday operations and continue to monitor for the latest malware and other malicious activity.
Following are five key questions to ask before engaging with an outfit that processes credit cards:
1.) Will my data be encrypted from end-to-end?
Understanding the flow of the credit card data from the moment a card is swiped or entered to the time it hits the bank will give you an idea of the potential exposure points in the process. Ask your vendor to provide you with detailed diagrams explaining the data flow and how the data is transferred. If they can’t answer this question, move on in your search.
2.) Does your firm have a dedicated security professional?
If the answer is “yes,” this will help you assess the risk profile for the firm and give you greater confidence in their security and monitoring systems. Additionally, ask how many people in the firm have access to the environment where the credit cards are stored.
3.) Will your company share its latest Report on Compliance?
Firms can achieve PCI compliance yet still have open vulnerabilities. You should find out what the firm did to remediate any findings in the report and what they are doing to ensure the risk has been eliminated.
4.) Where is your data stored?
Location, location, location! Knowing whether they use company-hosted servers or a cloud computing service like Amazon Web Services is crucial to understanding the overall process and data exchanges. This is especially important when there is an international component: information may cross borders, and you need to confirm that the applicable regulations are followed.
5.) What QSA (Qualified Security Assessor) conducted the PCI Compliance Audit?
Determine how many audits the QSA performs in a given year, review whether they have qualified personnel to conduct the audits, and find out whether any of the firms they audit have been breached. Again, this information will help you make a better decision when it comes to sharing your information.
Companies today can offer incredible services, products and programs, but if they are processing or storing your credit card data then it only makes sense to ensure the company has the proper foundation to handle your credit cards. The answers to these five questions can reveal either potential gaps in the system or a solid company to work and share your business with.
When you make the news for all the right reasons, it can bolster sales and customer loyalty. On the other hand, when your headlines focus on a recent security breach, it can erode customer trust and business for days, weeks, months and even years to come.