Protecting the Customer: A Guide to Consumer Data Security

Ensuring the security of customer’s payment information is a challenging issue. It’s also one that’s gotten infinitely more complex thanks to the rise of the Internet and e-commerce. Here are what some of the top minds in the industry have to say on the topic.

From the Experts

From the Experts

Key Considerations for Securing Customer Data

A business can’t get far without customer trust. One of the quickest ways to breach that trust is to lose control of your customers’ data. Every week, we hear about a critical security breach at a major company like Facebook or Equifax. It’s alarming enough when hackers gain access to personal information, but it’s even worse when they get a hold of payment information like bank account and credit card numbers. Hackers can do untold damage to customers’ finances before the companies even realize that there’s been a problem. This guide will deal with the best ways to secure your customers’ most sensitive payment information.

Keep in mind that you need multiple layers of protection, not just one and done. Think of your business as a professional athlete. Hockey players don’t go out on the ice wearing only shin guards underneath their uniforms. They wear helmets, mouth guards, shoulder pads, gloves, and other safety equipment, all of which is designed to work together.

What Hackers Look For

What Hackers Look For

Hackers must be able to figure out the system configuration before they can get anywhere. In other words, they need to know what they’re trying to attack before they can determine the type of weapons they’ll be using. There’s an old cliché about not bringing a gun to a knife fight. It’s kind of like that, except with computers.

Hackers will often be looking to make money by stealing payment information, but that’s not the only reason they do what they do. Sometimes they just like to mess stuff up and watch as the resulting havoc unfolds. Here are five things that make life easier for hackers to meet their nefarious goals.

Bad Passwords

Bad Passwords

We’ve all set up weak passwords when we know we need strong ones, but there’s really no excuse for doing that when other people’s financial information is at stake. We’re long past the days where the worst thing you could do was make your password “password.” Nowadays, hackers are more sophisticated than that. They know plenty of people make their user name and password identical. For example, if your user name is Bill Gates, the password would also be “billgates.”

What if you change a few letters to symbols instead? Unfortunately, that’s not as clever a trick as you think, since hackers have password cracking programs that know to try that as well. Going back to the above example, “billg@tes” is just barely a better password than “billgates.” Avoid the names of pets and family members, too. It shouldn’t be something that rolls off the tongue, even though such passwords are much easier to remember. Remember that if this is easy for you, it’s going to be even easier for the bad guys.

Stored Customer Data

Stored Customer Data

Until 2003, it was common to receive a receipt that contained both your full credit card number and your expiration date. That year, Federal Trade Commission stepped in to order a change in the rules, and now, businesses can’t display more than the last five digits of a credit card, and they must leave the expiration date off completely. Otherwise, merely dropping a receipt on the ground would leave someone vulnerable to credit and debit card fraud.

But 15 years later, it’s not enough to leave critical information off the paper receipts. You must also delete information from your servers as soon as the transaction is completed. Make sure the data is encrypted when it goes through your payment processing provider. Utilize a private network instead of a shared one.

Speaking of payment processing providers, most businesses use a third-party payment processer because it’s easier to offload the work to someone else than to try to deal with it in-house. That’s a valid strategy if you know the payment processing has its act together. If they don’t have a handle on security, then it won’t be long before your company pays the price. One study found that 60 percent of businesses fold within six months of a cyber security attack.

Systems That Aren’t Updated

Systems That Aren’t Updated

Those pop-ups telling you that your computer requires an update are annoying, but it’s also essential that you update your systems with the most recent security patches. If you don’t feel like dealing with the notifications, there’s a simple solution: enable automatic updates. Automatic updates are a way to keep you from saying, “I’ll update the system tomorrow; I’m too busy today.” The longer you go without installing critical updates, the more chances you’re giving hackers to infiltrate the system and steal payment data from your customers.

It also helps to talk to your e-commerce payment partners and find out how often they update the software their customers use. That will let you know to plan for updates every other Wednesday, for instance.

Think of the software that runs your business as a car. Not patching your software is like leaving your car unlocked in an open parking lot and disabling the alarm to boot. There’s a chance that no one will walk by and try to open the doors, but do you want to count on the goodwill of strangers to keep your customers’ payment information safe? If you update your system, then you’re at least making it much harder for thieves to gain access to what they want. Some thieves will still perform the technological equivalent of throwing a rock through your back window, but then they risk setting off the alarm. Make their life as complicated as possible by enabling automatic security updates.

Don’t forget to enable automatic updates on your anti-virus software, too. Your system does have reliable anti-virus software, right? It’s one of the first things you should install on your business computers.

Low-Tech Points of Attack

Low-Tech Points of Attack

Avoid thinking every attack is going to be launched by some far-away college student sitting at a laptop. If you do that, your company is more likely to have lax physical security that makes customer’s financial information vulnerable.

This can happen in a second, like when an employee with sensitive information on their computer takes a bathroom break without first locking their computer. Bad actors who exist within the office can use those moments to swoop in and obtain critical information, all before the employee who left their computer has time to finish drying their hands.

In fact, you should ensure that any employee with access to sensitive customer payment information knows what a big deal it is to have that kind of access. Don’t give that power to anyone who doesn’t really need it to perform their job, and make sure to train them properly before handing over the virtual keys. Make sure to assign each employee a unique PIN that keeps a log of when and how employees are accessing the most sensitive customer payment information. If any employees abuse those privileges, let them know that’s grounds for both immediate termination and a call to police.

When you get rid of sensitive paper documents, do you do that by throwing them away or taking them to a shredder? A shredder is the smarter option by far, but some companies still make the mistake of thinking that no one will be interested in rifling through their trash. When customers’ financial information is at stake, you should be a little paranoid, regardless of if you’re dealing with paper or digital documents. One of the biggest vulnerabilities in any system is complacency.

Non-Isolated Payment Networks

Non-Isolated Payment Networks

If you haven’t already done so, your business is probably feeling the pressure to provide free Wi-Fi to your customers. Free Wi-Fi is a good idea regardless of if you’re running a coffee shop or tire store, but you need to be sure to separate the business activities from the free Internet anyone can use. The networks you use for processing payment should be distinct and isolated from the network your customers use to look up corgi videos on YouTube in the waiting room.

Speaking of separate computers: The computer system you use for payments should not be used for anything else. If an employee can’t access their work computer for some reason, do not let them access the device you use for payments. It doesn’t matter if they say it’ll only take a few minutes. A few minutes is all you need for something to go wrong and the payment information to get compromised. If your social media manager needs to update the company Facebook page to let customers know about a sale or upcoming event, then they should have a device devoted exclusively to that. Think of your payment network as a kitchen that must avoid cross-contamination.

Complying with PCI Data Security Standards

If you don’t meet certain regulations, you risk losing a lot more than customers’ faith in your business. Credit card companies can also pull your right to process transactions on their cards if you run afoul of something called the Payment Card Industry Security Standards Council, also known as PCI SSC.

PCI SSC was founded in 2006. According to their website, PCI SSC is "a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment."

It was founded by credit card giants like Visa, Mastercard, and American Express. If your business isn’t complying with the standards, the credit card police aren’t going to bang down your door and haul you off to jail, but you could be fined. As mentioned earlier, you can also lose your ability to process certain credit cards.

Security Terms Worth Knowing

As a business owner, you need to have a basic knowledge of the following terms.

Secure Sockets Layer

Secure
Sockets Layer:

Usually shortened to SSL, this indicates that the data being exchanged is encrypted. If a tiny padlock appears next to the web address, that means the site is using SSL, as does “https” appearing at the beginning of the URL instead of just “http.”

Secure Sockets Layer

Tokenization:

This provides a necessary alternative to storing sensitive payment information on your server. Tokenization works by generating random characters known as tokens. Let’s say Customer A is paying with a credit card number. Instead of transmitting the actual credit card number, tokenization allows the system to process a random series of numbers associated with Customer A’s credit card. That way, hackers who get into the system won’t gain access to valid payment information.

Secure Sockets Layer

Two-factor authentication:

We use one-factor authentication every time we type in a password to gain access to an account, but two-factor authentication adds another layer of security by requiring you to use a device you have with you, like your mobile phone. If you try signing in with just your password on a new device, then you’ll be sent a verification code on a device that is already trusted. It’s relatively easy for hackers to get your password, but it’s harder for them to gain access to something like your phone.

Monitoring for Signs of Payment Fraud

If you want to keep on top of any signs of fraud, then you need to hire a security company to provide 24/7 monitoring of all payment and customer information systems. That said, there are still some things you can be alert for on your own. Here are a few.

Customers Who Can’t Get Into Their Accounts

Customers Who Can’t Get Into Their Accounts

Are you suddenly getting a lot of calls or emails from customers who can’t access their accounts on your e-commerce website? That’s a bright red flag that someone has gotten into the system for the purposes of accessing customer payment information

One Address, Many Orders

One Address, Many Orders

Online ordering can be a boon to small businesses, but be wary of customers who appear out of nowhere and order a ton of merchandise, all of which they want they want delivered to some far-flung address. If that happens, that doesn’t mean you need to automatically cancel the order. However, you should do some additional digging, including contacting the customer to verify that they do, in fact, want three dozen teddy bears delivered to a single address in Idaho when their billing address is in Florida.

Compromised Payment Terminals

Compromised Payment Terminals

How many payment terminals do you have? Do you know exactly what they look like when secure, as well as what it looks like when someone tampers with the terminals? Thieves can hook up skimming devices to your terminals and grab payment information from your customers. All your employees should be trained to recognize signs of a payment system that’s been compromised, including things like broken seals and new cabling. If someone comes to repair your payment terminal, make sure they have the proper credentials before you give them access. It’s surprisingly easy for a thief to pose as a reputable repairman.

The Chargeback Conundrum:
Limit Chargebacks to Limit Fraud

There are few things business owners dislike more than chargebacks. A chargeback is often but not always fraudulent. There are occasions when a customer will file a chargeback with their credit company because they truly feel like they didn’t get the service or product that they were promised. But other times, large-scale payment theft will result in large-scale chargebacks that can cripple your company.

The Chargeback Conundrum

Picture this: bad actors steal a lot of credit information from a lot of people, then start placing a lot of orders. One by one, each customer realizes their payment information has been stolen. Some report the fraud to their credit card company, which allows the company to flag the account for fraudulent activity, but others skip that step and go straight to filing a chargeback. As a business owner, you have the right to dispute a chargeback, but there’s no guarantee you’ll win. Then the company is out the cost of the merchandise while the customer must order new cards and change all their passwords. No one is happy in this situation except the people who stole the card information in the first place. Good luck trying to retrieve merchandise from fraudsters, too, since many use a level of subterfuge that makes tracing the crime back to them all but impossible.

If you accumulate a record of too many chargebacks, then banks can and will terminate your account, and it’s pretty much impossible to run a business if you can’t find a bank willing to take you on as a client.

To combat chargeback fraud, some merchants will turn to something called blacklisting. In short, it means if something about a customer’s profile is deemed suspicious, then they’re prevented from making any orders. Sometimes a customer will be blacklisted after they file a chargeback, especially if the retailer has reason to believe they committed "friendly fraud" by receiving the item and then denying it ever arrived.

Other times it will happen because the system has declared an address untrustworthy. Should you automatically blacklist certain addresses, credit card numbers, or even countries? Probably not, as that can resemble a game of whack-a-mole. You’re going to hit some targets, but a one-size-fits-all approach like that tends to lead to a lot of false positives. You risk shutting out legitimate customers who might fit a certain profile through no fault of their own.

Online transactions are more vulnerable to chargeback fraud than in-person sales. There are some obvious reasons for this. For one thing, it’s a lot easier to verify that the name on the credit card matches the name of the actual customer when that customer is standing across the counter from you.

Can You Ask for ID with Credit Card Purchases?

If your employee has a question about the identity of the person buying merchandise, then they can simply demand to see ID, right? Not necessarily. There are cases where requiring ID may even violate the terms of the agreement you signed with your card network.

Can You Ask for ID with Credit Card Purchases?

Note that asking isn’t the same as requiring ID before a purchase is completed. In many cases, customers are happy to show ID and prove that they really are who they say they are. But if a customer refuses to play along, then companies like Mastercard and Visa say merchants cannot refuse to accept a payment card with a valid signature on the back.

What if the back of the card isn’t signed? Then feel free to ask for ID and request that the card-holder signs the card in front of you.

Additionally, there are well-meaning state laws that complicate things further. Texas is a good example of this. In 2017, the Lone Star State passed a law aimed at allowing retailers to refuse a card sale if the buyer won’t show ID. But credit card companies have argued that such laws shouldn’t take precedence over the contracts they have with retailers. That can leave retailers in a frustrating state of limbo where they aren’t sure which rule or law takes precedence. If you live in such a state, contact a business group like your local Chamber of Commerce to ask for guidance. If they’re not sure either, it may be worth talking to an attorney versed in merchant-retailer contracts.

What Causes Data Breaches

Not all security breaches are caused by bad actors specifically going after your company. The 2018 Cost of a Data Breach Study declares that 48 percent of breaches are due to criminal attack, while another 27 percent happen due to human error. The final 25 percent get attributed to system glitches.

What Causes Data Breaches

Let’s take a closer look at what those terms mean. We’ve already talked about a criminal attack, but “human error” can mean something like failing to secure your computer’s data when you leave the office for the day. It can mean not erasing vulnerable payment data before it has a chance to fall into the wrong hands. Clicking on a phishing email is also enough to compromise the system, so make sure your employees can tell a legitimate business email from a fake one.

System glitches are otherwise known as process failures. If IT workers set up a system to protect data that doesn’t work as intended, that’s a system glitch.

The study also looked at 11 so-called “mega breaches,” which happened when a company saw more than one million records breached. A company pays an average of $40 million for such a breach, and 10 of the 11 breaches were attributed to criminal attacks.

Sometimes companies find out about vulnerabilities in the system but still take an inexplicably long time to address them. Alarmingly, bigger breaches take a longer time to detect and contain than small ones. You would hope it would be the other way around, but it’s not. It takes 365 days on average for mega breaches, which adds up to a full year. Companies find and contain smaller breaches in 266 days on average.

Zero-day vulnerability means a point of attack that the company is unaware of, or an attack that happens the first day the company figures out the vulnerability exists. By contrast, a 7-day vulnerability would be a point of attack that’s been known for seven days.

What to Tell Customers About Breaches

It’s a mistake to think these kind of breaches only happen at gigantic corporations In 2015 and 2016, almost half of small businesses had a data breach. When that happens, business leaders will be torn between two impulses. The first impulse tells them to fix it as quickly as possible without informing any customers. The second impulse suggests being as open and transparent as possible in hopes of reassuring your customers that you’re doing everything you can to mitigate the issue.

What to Tell Customers About Breaches

In many cases, the law requires you to go with the second option. Per the FTC, a majority of states have passed laws requiring you to notify customers that their personal information has been exposed. When figuring out what to tell customers, the FTC suggests considering four factors in addition to state laws.

  • the nature of the compromise the nature of the compromise
  • the type of information taken the type of information taken
  • the likelihood of misuse the likelihood of misuse
  • the potential damage if the information is misused the potential damage if the information is misused

Be careful to distribute the information in a way that doesn’t confuse people or, in a worst-case scenario, incite panic. Giving out vague or incomplete information can be worse than not saying anything at all. If you need to say something immediately, release a statement saying that you’re aware of a breach and are working to gather more details.

Then release what details you can as soon as you have them. Don’t hide behind a lot of company jargon or buzzwords; customers can see right through those. Similarly, you don’t want to treat this like a big joke, so avoid having your social media team Tweet out something like “Big data breach. Hope you weren’t too attached to that Social Security number.” You may think that your company would never do that, but something about social media makes even the smartest people act stupidly.

Notify relevant law enforcement authorities as well, since they have a stake in making sure you don’t release information that could compromise their investigation. But here’s what the FTC suggests releasing to customers and the world at large:

Conclusion

Your customers know that the job of a business owner is first to have a profitable business. They don’t expect it to be otherwise, but they also don’t expect you to cut corners in a way that will leave their payment information exposed to hackers. Cybersecurity should be a key foundation of your business, not something you address sporadically whenever you have downtime.

It only takes one data breach for you to ruin the relationship you’ve worked so hard to build. Do everything within your power to stay one step of bad actors, but if you get hacked anyway, then come clean to your customers as soon as possible.

Additional Resources