
Best practices for merchants to ensure secure card payments

As a merchant, ensuring security when processing card payments is paramount. Not only does it protect your business from fraud and chargebacks, but it also helps to build trust with your customers and promotes customer loyalty. In this blog, we'll discuss the best practices to guarantee security for your card transactions.


The UK is the card fraud capital of Europe, so it’s more crucial than ever that businesses of any size that accept card payments can ensure secure card payments for both their business and their customers. This will not only protect your business from fraudulent transactions and chargebacks but also build trust and loyalty with your customers and strengthen the reputation of your business.

In this blog, we’ll give you a brief reminder of PCI compliance which every business needs to follow and cover the best security measures and practices that your business can implement when taking card payments over the phone, online, and when taking face-to-face payments in store.

By following these methods, you will be able to create a safe payment environment for your customers and protect their sensitive data whilst also providing them with a safe and seamless payment experience.

PCI Compliance

PCI compliance is a set of security standards established by the Payment Card Industry Security Standards Council (PCI SSC) to protect sensitive customer data during credit and debit card transactions. The security standards set out by the PCI SSC are mandatory for all merchants who accept card payments and apply to all aspects of card payment processing, from the software and hardware used to process transactions to the physical security of the premises where payments are accepted.

There are 12 main requirements in the PCI DSS:

- Install and maintain a secure network infrastructure.
- Protect cardholder data by encrypting it when stored or transmitted.
- Maintain vulnerability management programs to regularly identify and address security risks.
- Implement strong access control measures to limit access to cardholder data.
- Regularly monitor and test networks and systems to ensure their security.
- Maintain information security policies that address the protection of cardholder data.
- Restrict access to cardholder data on a need-to-know basis.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Monitor and track all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a comprehensive information security policy.

These requirements include specific guidelines for areas such as encryption, password policies, network segmentation, and incident response planning. Failure to comply with PCI standards can result in penalties, fines, and reputational damage. By meeting these requirements, businesses can help to protect sensitive payment card information and protect against data breaches.

Taking Card Payments Online

With the rise of e-commerce and online transactions, cybercriminals are increasingly targeting merchants that process online payments. If your payment processing system is not secure, it puts your customers’ sensitive information at risk of being compromised. This can include credit card numbers, personal information, and other sensitive data.

A security breach can have severe consequences, including but not limited to financial loss, damage to your business’s reputation, and legal liability. Customers who have had their data stolen may lose trust in your business and may therefore be hesitant to make future purchases from you.

Therefore, it is crucial that merchants not only recognise how fraudsters operate when it comes to online payments but also take all the necessary measures to ensure that their payment processing systems are secure and that their customers’ information is protected. This will not only protect your customers but will also help you to maintain your reputation and credibility in the marketplace.

Understanding how Fraudsters may Attack your Business Online

Before we go into the security measures your business needs to undertake to combat any fraudulent card activities against your company online, it’s important to understand the tactics that fraudsters may use to defraud businesses.

One common method is chargeback fraud, where fraudsters make a legitimate purchase using a stolen credit card, but then file a false chargeback claim, claiming that the transaction was fraudulent or unauthorised. Another tactic is to use stolen credit card information to make large purchases, and then disappear before the business can fulfil the order, resulting in a loss for the merchant.

Fraudsters may also use sophisticated hacking techniques to gain unauthorised access to a merchant’s payment processing system or website, allowing them to steal sensitive data and exploit vulnerabilities in the system.

How to be Secure when Taking Card Payments Online

To ensure security when taking card payments online, merchants should implement the following security measures:

Use SSL/TLS encryption: Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are protocols that protect online transactions. Using TLS encryption ensures that the information exchanged between your website and the customer’s browser is encrypted in transit (SSL itself is obsolete and should be disabled; current websites rely on TLS).

Use a tokenisation system: Tokenisation replaces sensitive data, such as credit card numbers, with a unique identifier or token. This way, card data is not stored on your server or database, reducing the risk of a data breach.

Use 3D Secure: 3D Secure is an additional layer of security that requires the cardholder to enter a one-time password, or a unique code sent to their phone, to authenticate the payment. Using 3D Secure reduces the risk of fraudulent transactions.

Use multi-factor authentication: Multi-factor authentication adds an extra layer of security to online transactions. It requires users to provide two or more forms of identification, such as a password and a fingerprint or a one-time code sent to a mobile phone, before accessing the payment portal.

Implement PCI-compliant software: PCI-compliant software includes shopping carts and payment processing software that meets the PCI Security Standards Council’s security standards. These software applications are designed to protect card data during card transactions and prevent data breaches.

Ensure your website is up to date: Keeping your website up to date with the latest security patches and software updates is essential to protect against vulnerabilities and security breaches.

Use fraud detection tools: Fraud detection software analyses online transactions to detect fraudulent activity. It can help identify suspicious behaviour and prevent fraudulent transactions.
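To make the tokenisation measure above concrete, here is an added example (not code from the original post or from any payment provider) of the data flow it describes: the merchant keeps only a random token and a masked card number, while the full card number lives solely in a vault that, in practice, the payment provider operates. The `TokenVault` class, the Luhn check and the sample card number are all constructed for illustration.

```python
import re
import secrets

# Constructed sample card number for illustration: a well-known test PAN, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check digit validation: catches typos before a card number is sent anywhere.
    This is a format check only; it says nothing about whether the card is genuine."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the payment provider's token vault (hypothetical).
    It is the only component that ever holds the full card number."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}   # token -> PAN, held only inside the vault

    def tokenise(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("invalid card number")
        # The token is random, so it cannot be reversed into the PAN without the vault.
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        return self._store[token]


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What the merchant's own database keeps: the token plus a masked PAN, never the PAN."""
    token = vault.tokenise(pan)
    masked = "*" * (len(pan) - 4) + pan[-4:]
    return {"token": token, "masked_pan": masked}


def record_contains_pan(record: dict, pan: str) -> bool:
    """Sanity check for a stored record: the full card number must not appear anywhere in it."""
    return any(pan in str(value) for value in record.values())
```

Because each call to `tokenise` produces a fresh random token, a leaked merchant database reveals neither card numbers nor anything that can be turned back into one without access to the vault.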

Taking card payments over the phone

When merchants take card payments over the phone, security is of the utmost importance. Unlike online transactions, card payments over the phone require the customer to verbally provide their card details, increasing the risk of fraud and data breaches.

To maintain the security of card payments over the phone, merchants should ensure that they have the proper policies in place to safeguard sensitive customer data.

But first, we’ll briefly cover how fraudsters may operate when making card payments over the phone.

Understanding how Fraudsters may Attack your Business Over the Phone

When fraudsters attempt to make card payments over the phone to merchants, there are several tactics that they may use.

They may pose as a genuine customer and attempt to deceive the merchant into processing a fraudulent transaction. An example of this would be providing incorrect or incomplete card details or claiming that their card is not working and then asking the merchant to process the payment manually. Fraudsters may also use technology such as call spoofing to mask their identity and make it appear as if they are calling from a legitimate number.

How to be Secure when Taking Card Payments Over the Phone

Here are some of the best ways to avoid being affected by fraudulent card activities over the phone and make sure that you’re being secure as a merchant:

Use a secure payment gateway: A payment gateway is software that authorises payments for online and offline businesses. A secure payment gateway is essential when taking card payments over the phone. It ensures that sensitive customer data, such as credit card numbers and expiration dates, is encrypted and secure during transmission.

Use a virtual terminal: A virtual terminal is a web-based application that allows you to process credit card payments from anywhere with an internet connection. Using a virtual terminal ensures that card data is not stored on your computer or phone, reducing the risk of a data breach.

Use PCI-compliant hardware: PCI-compliant hardware includes card readers and point-of-sale (POS) devices that meet the PCI Security Standards Council’s security standards. These devices are designed to protect card data during transactions and prevent data breaches.

Never store card data: As a merchant, it’s crucial never to store card data, especially in plain text. You should avoid writing down card information or storing it on your computer or phone.

Verify customer information: Always verify the customer’s details, such as the cardholder’s name, card number, and expiration date, before processing the payment. This helps to prevent fraudulent transactions.

Train your staff: Train your staff to follow best practices for phone payments, such as not writing down card details and verifying customer information before processing payments.

Conduct regular security audits: Regularly audit your payment processes to ensure that you’re following the latest security protocols and that there are no vulnerabilities in your system.

By using these methods, you can ensure that you’re secure as a merchant when taking card payments over the phone.

Taking card payments on-premises

The final area where we’ll discuss the security of card payments is when you’re taking payments on physical business premises. Again, the methods of being secure will differ slightly here when compared to taking online card payments and card payments over the phone, as it’s likely the focus will be on using physical hardware. For a final time, we’ll briefly cover how fraudsters may operate when making card payments in-store before going through the different methods you can use to make sure your business doesn’t fall victim to fraudulent card usage.

Understanding how Fraudsters may Attack your Business in Store

As with online payments and payments over the phone, there are a few different tactics that fraudsters may employ.

Fraudsters may attempt to make card payments in-store using stolen or fake credit card details. They may also try to force a chip and pin transaction to go through without proper authorisation.

They may also try to use social engineering tactics to gain access to customer data. This might include distracting the cashier or using a skimming device to steal card information.

How to be Secure when Taking Card Payments in Store

Use a secure payment terminal: Ensure that you are using a card machine certified as meeting a recognised security standard, such as the Payment Card Industry Data Security Standard (PCI DSS).

Keep your payment terminal up to date: Regularly update your payment terminal’s software to ensure that it has the latest security patches and features to protect against fraud.

Ensure that your payment terminal is tamper-evident: Use payment terminals that have tamper-evident features, such as seal stickers or security screws, so that any unauthorised access to the terminal’s internal components is visible on inspection.

Train your staff on payment security: Train your staff to be vigilant when accepting card payments and to watch out for suspicious behaviour such as card skimming or card swapping.

Follow proper card handling procedures: Follow proper procedures when handling cards, such as checking the card’s security features, verifying the cardholder’s signature, and ensuring that the card has not expired.

Use point-to-point encryption (P2PE): Use P2PE to encrypt cardholder data at the point of entry, reducing the risk of data theft during transmission.

By using these methods, you’ll ensure that your business is less likely to fall victim to fraudulent card activity which will protect your customers and business in the process.


In conclusion, there are many steps businesses must take to ensure that the card payments they take online, over the phone and in-store are secure for both the customer and the business. Whilst it may seem like there is a lot of work to undertake if you do not already have many of these security practices in place, it’s certainly worthwhile in the long run to ensure the safety of your business against legal issues and loss of funds.

At Unyfi we recommend implementing as many of the security measures discussed throughout this blog as are relevant to your business, and ensuring there are processes in place to make sure that your security measures are regularly reviewed.

If you are still unsure about how to implement these safety options in your business, or which payment services offer some of the security measures we’ve discussed in this blog, one of our specialists can take you through the options available to meet your business needs.
