Lax security at some merchants lets criminals steal and use consumers' financial information from payment card transactions and processing systems. It is a serious problem: more than 234 million records containing sensitive information have been breached since January 2005, according to the Privacy Rights Clearinghouse. As a business, or as a nonprofit accepting donations, you sit at the center of payment card transactions, so it is imperative that you use standard security procedures and technologies to thwart theft of cardholder data.

Merchant-side vulnerabilities can appear almost anywhere in the card-processing ecosystem: point-of-sale devices; personal computers or servers; wireless hotspots or web shopping applications; paper-based storage systems; and unsecured transmission of cardholder data to service providers. Today we focus on one main concern for any business that accepts payments: card skimming. The recent breach at Michaels showed that even enterprise-level businesses are vulnerable to it.

What is Card Skimming?

Cheap, increasingly capable technology keeps giving criminals new ways to steal cardholder data from businesses of all types.

Traditional card skimming uses a small reader device placed on a point-of-sale terminal. The device lets debit and credit card transactions process normally, but it also captures your customers' cardholder data. Newer skimming techniques are harder to detect because the device is placed inside the point-of-sale terminal rather than on it.

How does this happen?

In some cases criminals pose as "service personnel" to get access to a merchant's terminals. The criminal tampers with the point-of-sale terminal, sometimes drilling into it, or finds another access point to install the skimming device, then covers the work with labels or stickers that appear to be valid. If your point-of-sale software and swipe terminal do not encrypt or tokenize the card data immediately at the swipe, the attacker may also be able to install malware on your point-of-sale computer without your knowledge, in some cases remotely over its internet connection. Such malware runs in the background and sends all of your customers' card data to the black market.

What can you do to help protect your business and your customers?

  • Ensure that your hardware and software are up to date so that cardholder data (in particular full magnetic-stripe track data, card verification codes and PINs) is not stored after a transaction has been authorized. Install robust anti-malware software on any point-of-sale computer.
  • Become familiar with the official stickers, seals, devices and cables on your terminals, so that anything added stands out.
  • Routinely inspect payment terminals to make sure serial numbers, labels and seals have not changed and no extra devices or cables have been attached.
  • If you are going to receive a new terminal
  • Question anyone who comes into your business claiming they need to "service" your point-of-sale terminals, and confirm the visit with your processor or terminal vendor before granting access.
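The first item above, and the malware scenario described earlier, both come down to one question: is full card data lingering on the point-of-sale computer where a skimmer or malware can harvest it? The following Python scanner is an added example, not code from the original page or from any vendor; it looks for magnetic-stripe Track 1 and Track 2 data and bare card numbers in text such as POS logs, using the Luhn check to discard ordinary digit runs. The log lines are constructed for the example and use industry test card numbers, not real accounts.

```python
import re

# Constructed sample of what a careless POS application might leave in a
# log file. The PANs are well-known industry test numbers, not real accounts.
SAMPLE_LOG = """\
2024-03-01 10:02:11 txn ok auth=123456 amount=42.17
2024-03-01 10:02:11 debug raw=%B4111111111111111^DOE/JOHN^25121011000000000?
2024-03-01 10:05:40 debug raw=;5555555555554444=25121011234567890?
2024-03-01 10:07:02 txn ok pan=411111******1111 amount=9.99
2024-03-01 10:08:30 debug refund pan=4012888888881881 amount=5.00
2024-03-01 10:09:55 order id 1234567890123 shipped
"""

# Track 1: start sentinel %, format code B, PAN, ^ name ^ YYMM expiry,
# then service code and discretionary data up to the end sentinel ?.
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})[^?]*\??")
# Track 2: start sentinel ;, PAN, = YYMM expiry, then the rest up to ?.
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})[^?]*\??")
# Any bare 13-19 digit run is a PAN candidate; the Luhn check decides.
PAN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, which every major card brand's PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Show only the first six and last four digits, as PCI DSS permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(text: str):
    """Return (line number, kind, masked PAN) for every hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TRACK1.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((lineno, "track1", mask(m.group(1))))
        for m in TRACK2.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((lineno, "track2", mask(m.group(1))))
        # Blank out the track data before the bare-PAN pass so it is not
        # double counted and its discretionary digits are not mistaken
        # for a second card number.
        rest = TRACK2.sub(" ", TRACK1.sub(" ", line))
        for m in PAN.finditer(rest):
            if luhn_ok(m.group(1)):
                findings.append((lineno, "pan", mask(m.group(1))))
    return findings


if __name__ == "__main__":
    for lineno, kind, pan in scan(SAMPLE_LOG):
        print(f"line {lineno}: {kind} data found, PAN {pan}")
```

Run over the sample, the scanner flags the Track 1 and Track 2 records on lines 2 and 3 and the bare PAN on line 5, while the already-masked PAN on line 4 and the 13-digit order number on line 6 (which fails the Luhn check) are ignored. Any hit for track data is a finding in its own right: full track contents may never be stored after authorization, even encrypted, and a log that holds them is exactly what POS malware and a fake "service technician" are after.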

What is being done in the industry to protect cardholder data?

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data and so reduce the credit card fraud that follows its exposure. Compliance is validated annually: by an external Qualified Security Assessor (QSA) for organizations handling large transaction volumes, or by a Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

Interested in learning more about PCI compliance? Our secure payment gateway solutions can help safeguard cardholder data at your business.
