Now more than ever, your business must accept payments whenever and however your customer wants to pay. In their well-intentioned efforts to help your customers make payments, employees might be putting you and your business at risk, including your PCI compliance. How? Let’s look at two examples: A staff member takes a phone order and uses a tablet that they use for everyday notes to write down the payment information. Or an employee has a customer who wants to make a phone payment and the call is recorded.
Writing down credit card or debit card information on paper creates a physical record that is susceptible to theft or misplacement. If this information falls into the wrong hands, it could lead to a data breach, exposing your customers’ financial data to unauthorized individuals.
Not only should you never write down credit card data on paper, but you should also not store credit card data onsite. Ever. Not on a computer, not in the customer’s paper file, anywhere in your office. Period.
An Often Overlooked Vulnerability
Today, many businesses record their customer conversations. When these calls include payments, they can contain sensitive data, including:
– Credit card numbers
– Personally identifiable information (PII)
-
- Name
- Social Security number
- Date and place of birth
- Mother’s maiden name
- Biometric data
- Email address
- Telephone number
- IP address
- Geographical details
- Employment information
Security Best Practices and Encryption
To safeguard sensitive information in audio files, security best practices and strong encryption help to mitigate these risks. Best practices include:
– Password protection: Restrict access to authorized personnel only
– File encryption: Securing the content of the recordings against unauthorized access or interception
Speech-to-Text Considerations
If your business uses speech-to-text conversion software, additional precautions are necessary:
– Convert speech data to encrypted text as quickly as possible
– Ensure the original audio and any converted text files are stored in encrypted formats
Legal Requirements
Businesses that handle customer credit card information are legally required to comply with the Payment Card Industry Data Security Standard (PCI DSS). This standard sets forth specific guidelines on how organizations should secure and protect sensitive cardholder data to prevent unauthorized access and potential data breaches. Adhering to PCI DSS requirements helps to ensure that customer credit card information is stored securely and that the risk of fraudulent activities is minimized.
Businesses can face lawsuits and financial penalties when sensitive data is exposed. Not to mention the risk to your PCI compliance (and your ability to accept credit cards) by violating PCI DSS standards.
Below, we list some common sense dos and don’ts you can use today to safeguard your operations.
To Reduce and Eliminate Risk and Safeguard Credit Card Data and your PCI Compliance:
Never
- Physically write down any credit card information
- Use an imprint machine to process credit card payments
- Leave sensitive information unattended on a desk or in any public area
- Copy the front and back of a credit card
- Store physical credit card information onsite or in places like Google Drive, Dropbox, etc.
Always
- Closely supervise all staff and visitors to the area where credit card information could be available.
- Collect only the information you need to complete the transaction
- Write down the customers phone number
- Use a fully-hosted virtual terminal that encrypts card data upon entry and transmission to record credit card information given over the phone.
- Have strict credit card handling policies in writing
- Hold regular credit card handling training with your staff
- Rely on a reputable payment processor with a PCI DSS Level 1 certified network
- Get customer permission before storing any card data
Use Virtual Terminals
For simplicity, we’ll look at virtual terminals. Think of a virtual terminal as an online checkout form you can use in your store or office. Virtual terminals are web-based and allow your staff to accept payments by telephone, mail order, fax, email, or in-person. You can have as many virtual terminals as you need. IntelliPay’s One Terminal is a good example of a virtual terminal.
Virtual terminals do not require new software or hardware. Existing desktop, laptop, tablet, smartphone, or POS system can host a virtual terminal. An in-person transaction would require the installation of an external card reader. Transactions on virtual terminals are made on payment processor secure systems that use tokenization and end-to-end encryption to protect sensitive data during transmission.
For example, when a customer gives their credit card information to your staff to input into a virtual terminal, their account number (PAN) is replaced with a randomly generated alphanumeric ID, a token meaningless to everyone except the payment processor.
The virtual terminal encrypts the tokenized information before sending it to the payment processor, which routes the transaction through the credit card networks. A virtual terminal frees you from storing sensitive data in your system and minimizes PCI scope and liability.
Tokenization and End-to-End Encryption
Transactions on virtual terminals are made on payment processor secure systems, not your systems, that use tokenization and end-to-end encryption to protect sensitive data during transmission. For example, when a customer gives their credit card information to your staff to input into a virtual terminal, their account number (PAN) is replaced with a randomly generated alphanumeric ID, a token meaningless to everyone except the payment processor.
The virtual terminal encrypts the tokenized information before sending it to the payment processor, which routes the transaction through the credit card networks. Using a virtual terminal frees you from storing sensitive data in your system and minimizing PCI scope and liability
Simple to Install, Customizable Solutions
Web-based virtual terminals are easy to install and use and offer comprehensive reporting features, simplifying payment management, especially formerly time-consuming reconciliations.
Intelligent payment processing platforms like IntelliPay make it easy to get started with virtual terminals. They offer a virtual terminal solution for every need; all are customizable and easy to install. Customization and set-up are free, and many virtual terminals options are configured within a single business day.
About IntelliPay
IntelliPay has provided traditional (processing costs are absorbed as a cost of doing business) and cardholder-pays the swipe or interchange fee-based options to businesses of all sizes since 2011. To learn more about your virtual terminal options, contact Phillip Buck at phillip.buck@intellipay.com.