Now more than ever, your business must accept payments whenever your customer wants to pay. In their well-intentioned efforts to help your customers make payments, employees might be putting you and your business at risk, including your PCI compliance. How? Let’s look at two examples: A staff member takes a phone order and uses a tablet that they use for everyday notes to write down the payment information. Or someone in accounting has a customer who wants to make a phone payment and writes down the credit card number on a scrap of paper on their desk.

Writing down credit card or debit card information on paper creates a physical record that is susceptible to theft or misplacement. If this information falls into the wrong hands, it could lead to a data breach, exposing your customers’ financial data to unauthorized individuals.

Not only should you never write down credit card data on paper, but you should also not store credit card data onsite. Ever. Not on a computer, not in the customer’s paper file, not anywhere in your office. Period.

Protect credit card data by never writing down card information.

Businesses can face lawsuits and financial penalties when sensitive data is exposed. Not to mention the risk to your PCI compliance (and your ability to accept credit cards) by violating PCI DSS standards.

Below, we list some common-sense dos and don’ts you can use today to safeguard your operations.

To Reduce and Eliminate Risk and Safeguard Credit Card Data and Your PCI Compliance:

Never

  • Physically write down any credit card information
  • Use an imprint machine to process credit card payments
  • Leave sensitive information unattended on a desk or in any public area
  • Copy the front and back of a credit card
  • Store physical credit card information onsite or in places like Google Drive, Dropbox, etc.

Always

  • Closely supervise all staff and visitors to the area where credit card information could be available.
  • Collect only the information you need to complete the transaction
  • Write down the customer’s phone number
  • Use a fully-hosted virtual terminal that encrypts card data upon entry and transmission to record credit card information given over the phone.
  • Have strict credit card handling policies in writing
  • Hold regular credit card handling training with your staff

Use Virtual Terminals

For simplicity, we’ll look at virtual terminals.  Think of a virtual terminal as an online checkout form you can use in your store or office. Virtual terminals are web-based and allow your staff to accept payments by telephone, mail order, fax, email, or in-person. You can have as many virtual terminals as you need.  IntelliPay’s One Terminal is a good example of a virtual terminal.

Virtual terminals do not require new software or hardware. Any existing desktop, laptop, tablet, smartphone, or POS system can host a virtual terminal. An in-person transaction would require the installation of an external card reader. Transactions on virtual terminals are made on the payment processor’s secure systems, which use tokenization and end-to-end encryption to protect sensitive data during transmission.

Tokenization and End-to-End Encryption

Transactions on virtual terminals are made on the payment processor’s secure systems, not your systems, and those systems use tokenization and end-to-end encryption to protect sensitive data during transmission. For example, when a customer gives their credit card information to your staff to input into a virtual terminal, their account number (PAN) is replaced with a randomly generated alphanumeric ID, a token meaningless to everyone except the payment processor.

The virtual terminal encrypts the tokenized information before sending it to the payment processor, which routes the transaction through the credit card networks. Using a virtual terminal frees you from storing sensitive data in your system and minimizes PCI scope and liability.
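The tokenization flow described above, as an added sketch that is not IntelliPay's code or API: `ProcessorVault` and `MerchantRecords` are hypothetical names, the card number used with them is a constructed test value, and transport encryption is left out. It shows that the token is random rather than derived from the PAN, and that the merchant's records hold only the token and the last four digits.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Checksum used by payment card numbers; rejects most typing errors."""
    digits = [int(d) for d in pan][::-1]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0

class ProcessorVault:
    """Hypothetical stand-in for the payment processor: the only place PANs live."""
    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan_as_typed: str) -> dict:
        pan = pan_as_typed.replace(" ", "").replace("-", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        # Random token: nothing about the PAN can be recovered from it.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_cents: int) -> str:
        if token not in self._pan_by_token:
            return "declined: unknown token"
        return f"approved: {amount_cents} cents"

class MerchantRecords:
    """Hypothetical merchant-side store: token and last four digits only."""
    def __init__(self):
        self.orders = []

    def record_phone_order(self, vault, pan_as_typed: str, amount_cents: int) -> dict:
        ref = vault.tokenize(pan_as_typed)  # the PAN is passed on, never saved here
        order = {"token": ref["token"], "last4": ref["last4"],
                 "amount_cents": amount_cents}
        self.orders.append(order)
        return order

def contains_pan(records: MerchantRecords, pan: str) -> bool:
    """Audit helper: does any stored field contain the full card number?"""
    return any(pan in str(v) for order in records.orders for v in order.values())
```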

Simple to Install, Customizable Solutions

Web-based virtual terminals are easy to install and use and offer comprehensive reporting features, simplifying payment management, especially formerly time-consuming reconciliations.

Intelligent payment processing platforms like IntelliPay make it easy to get started with virtual terminals. They offer a virtual terminal solution for every need; all are customizable and easy to install. Customization and set-up are free, and many virtual terminal options are configured within a single business day.

About IntelliPay

IntelliPay has provided traditional options (processing costs are absorbed as a cost of doing business) and cardholder-pays options (the cardholder pays the swipe or interchange fee) to businesses of all sizes since 2011. To learn more about your virtual terminal options, contact Phillip Buck at phillip.buck@intellipay.com.