Important Alerts

Please remember that Jefferson Bank will never contact you and ask you for personal information. Should you ever feel like your information has been compromised, please contact us at (210) 736-7600.

What Can I Do To Prevent a Data Breach?

As a merchant and business owner, you are aware of how important it is to protect your customers' sensitive information. At Jefferson Bank, we are committed to helping you keep your customers' information secure. To help in this effort, we have outlined some precautions and strategies to help prevent a data breach within your business. Safeguarding customer information incorporates sound business practices and internal controls, and it strengthens the customer loyalty and trust you have worked so hard to earn.

A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an unauthorized individual. Data breaches mostly involve personal and financial information such as credit card or bank account information. Data breaches are on the rise, and there are steps merchants can and must take to ensure credit card fraud is not perpetrated from their place of business. Fraud prevention is a critical step that allows merchants to protect customer information and complete transactions with peace of mind. It is important for merchants to implement additional security steps and remain proactive in combating fraud, such as properly training employees on credit card acceptance.

Be Aware of POS Swap Attacks/Schemes

Any merchant can fall victim to this type of fraud because device swapping can occur without being detected. Typically, this attack/scheme begins when criminals target a single store, or multiple stores in various locations. Often, fraudsters will work together to distract employees away from the POS (credit card) terminal, so that the swap can be made. Other times, the criminals simply replace the credit card equipment or PIN Pad when staff leaves the terminals unattended. Occasionally, criminals even resort to collusion with employees, or even use threats of violence to get the devices replaced. PIN entry device security requirements set by the Payment Card Industry Security Standards Council (PCI SSC) [1] require PIN pads to include technology that makes tampering evident.

To aid in preventing POS Swap Attacks we have incorporated three security steps so that you, as a merchant, can be more vigilant.

  1. Be PCI Compliant - Retailers must ensure compliance with PCI security standards for PIN entry devices. Compliance mandates that PIN pads be tamper-resistant, tamper-proof and tamper-evident. If you suspect that your terminal or PIN pad has been compromised, take immediate action by contacting FiTech by Deluxe®, our trusted provider of merchant services equipment, at (844) 822-1281, at any time, day or night.
  2. Hire Cautiously - Owners are challenged with hiring employees who understand the importance of handling confidential information and are committed to securing this information in everyday business transactions. During the hiring process, you must incorporate strategies, including background checks, that might help eliminate candidates who could be in collusion with fraudsters. Employees are exposed to proprietary information, and employers must take all steps necessary to ensure information remains confidential and secure.
  3. Assess the Risks - If one retail location falls victim to a POS swap attack, conduct a risk assessment of all other locations in your merchant chain. Consider hiring a third-party organization to perform the security review. You might prevent patterns in which employees are routinely leaving POS devices unattended and open to theft or tampering.

e-Commerce (Internet) Security

We know that processing credit cards is vital to efficiently running your business, and that includes doing everything possible to protect the data being transferred over the Internet. If you process credit card sales electronically through the Internet or a form of wireless connection, you must take extra precautions against hacker attacks.

Password management, access controls, firewalls, “border” firewalls, and encryption methods make it tougher for hackers to locate your computer and get into your programs and files.

  • Take extra precautions with secure data. Encryption software is required in order to protect account information when processing online transactions and to ensure that the data cannot be accessed. Firewalls can provide the needed protection for customer information, as can storing the information on a separate computer without internet access.
  • Never allow employees to use a PC that accepts credit cards for personal business. Computers used to connect to credit card processors for sale authorizations should never be used for Internet browsing, personal emails, or for communication with vendors.
  • Assign a dedicated port for the processing of credit card sales and do not open or share the port for any other purpose.
  • Use encryption if you allow vendors remote access to your computer, such as service providers that troubleshoot and update software you use to process credit card sales. Change any vendor-supplied default passwords to a more secure, strong password.

Safeguarding Customer Information

It is imperative for all Merchants to secure customer information to prevent unauthorized access to proprietary information. The merchant requirements for safeguarding customer information are listed below:

  • Secure Storage — Merchants are responsible for ensuring that customer information is kept in a secure location that has limited access to individuals. Card information should not be stored, and cardholder information should not be provided to anyone unless requested by a merchant bank, card issuer, or third-party processor for the completion of a sale. Transaction receipt retention periods vary based on VISA USA and MasterCard International operating regulations [2].
  • Prevent Employee Fraud — Security policies should be designed to prevent access to information by unauthorized employees and potential fraud scams. Whenever possible, account numbers should be encrypted or scrambled during the transaction. Terminals may also be set up to require a password before processing transactions. This adds security for cardholder information, because only authorized personnel will have access to it. Contact FiTech at (844) 822-1281 to determine if your terminal will support this feature.
  • Daily Batching Required — Merchants are required to settle their credit card sales activity daily. This will not only allow merchants to receive funds expediently but will also provide additional security by preventing unauthorized personnel access to card information in the terminal or PC.
  • Monitor Sales and Bank Account Information – Merchants should remain diligent and monitor all sales activity that is processed using their merchant ID. Jefferson Bank offers FirstView, which enables you to monitor your credit card sales activity [3] and view your merchant statements online. You can also stay updated by signing up for our free online banking service, which enables you to monitor your business checking account activity. Please contact FiTech to get set up with FirstView. If you are interested in our free online banking services, you can log on to jeffersonbank.com and get signed up today.

Tips for protecting confidential business information

  • Empty the mailbox—do not leave any mail easily accessible overnight.
  • Incoming faxes—collect incoming faxes frequently to avoid exposure of sensitive information.
  • Emails—encrypt emails that contain sensitive information.
  • Shred—sensitive information should be shredded immediately to prevent unauthorized access to information.
  • Access instruments—be cautious with any keys, passwords, entry-codes; do not leave any information lying around for someone to access.
  • Unauthorized individuals—be observant of any unauthorized personnel in your workplace.
  • Documents—secure sensitive information from your work area at the end of the business day to avoid unauthorized access.
  • Computer—be cautious of what information others can view on your screen; secure information should be protected when others are around.

What about the bottom-line impact?

It is important that merchants understand their liabilities for non-compliance with securing cardholder information. Liabilities may include losing the ability to accept credit cards, fines which may include reimbursement of transactions processed on stolen cards, and fees associated with reissuing stolen cards. [4] It is the merchant’s responsibility to remain diligent in securing cardholder information. This will ensure customer confidence and continued business.

[1] The Payment Card Industry Security Standards Council is responsible for the development, management, education, and awareness of the PCI Security Standards. The Council is made up of American Express, Discover Financial Services, JCB International, MasterCard World, and Visa Inc. These five founding global payment brands agreed to incorporate PCI DSS as the technical requirement of each of their data security compliance programs. Please visit www.pcisecuritystandards.org to find useful information about the PCI DSS requirements for merchants that was created to mitigate data breaches and prevent payment cardholder data fraud.

[2] Visa International Operating Regulations can be obtained by visiting www.usa.visa.com and MasterCard Rules can be found by visiting www.mastercard.us.

[3] Merchants will have access to credit card acceptance activity the following day after batching.

[4] Each card brand has its own penalty provisions; you can visit the following sites for individual card brand details: http://www.visa.com/cisp; http://www.mastercard.com/sdp; http://www.discovernetwork.com; and http://www.americanexpress.com/datasecurity.
