Updated 11.15.2023
Thoroughly Safeguarding Your Business’ Credit Card Transactions
The threat of identity and financial data theft lurks around every corner in the world today.
So much of what we do on a daily basis now involves using our debit or credit cards. As a merchant, you have a great deal to consider when setting up the multiple layers by which you will safeguard your customers’ payment information and data.
All-out safeguarding is no longer just an option. It has become necessary for the sake of PCI compliance, which has become so complex and costly to maintain that you may find it easier and less expensive to outsource your online payment processing.
The most basic, elemental thing you can do is to have in place an Address Verification Service (AVS). This is the most rudimentary safeguard for credit card payment processing. It simply double-checks to see that the address entered by the customer on the payments page matches up with the credit card’s billing address. If they don’t match up, there’s a strong probability that fraud is being attempted.
Related to the AVS is a protocol that checks the billing address against the shipping address. There are good reasons why these two may differ. For instance, the customer may be sending a gift or may want the merchandise shipped to his office instead of his house. Still, this discrepancy ought to be red-flagged and reviewed before the card gets accepted, as it is possibly an indicator of someone using a stolen card and billing address to get merchandise shipped to his own residence.
You’re probably aware of the Card Code Verification (CCV) protocol. This means the customer needs to enter the three- or four-digit code on the back of the card (or the front of an Amex card) to prove physical possession of the card. It’s also known, variously, as a card verification number (CVN), card verification data (CVD), card security code (CSC), verification code (V Code), or card code verification (CCV). It is critical that you keep in mind that as a merchant it’s illegal to store CCV numbers. A customer must enter hers anew each time she makes a purchase. This prevents the CCV from being stolen along with the other card info.
Velocity filters are algorithms that red-flag or even deny payments from the same card if too many come within a certain period of time or too rapidly. For instance, many merchants set up a velocity filter to red-flag or deny a payment attempt if the same card is entered five or more times in one day. Others may set up one-hour filters, drawing attention to possible fraud if the same card gets entered more than once in an hour’s span. These filters are effective because fraudsters will typically try to buy as much as possible, as rapidly as possible, before they get found out or the cardholder reports the card lost or stolen, which shuts it off.
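The two filters described above (more than one attempt per hour, five or more per day), as an added example that is not part of the original article. It assumes transactions arrive in time order and are keyed by a card token or hash rather than the raw card number, so the filter's memory holds no cardholder data; `tok_A` and `tok_B` are constructed sample tokens.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class VelocityFilter:
    """Flag a card token when attempts exceed a limit inside a rolling window.

    rules: list of (window, max_allowed). An attempt that pushes the count
    seen within `window` above `max_allowed` is flagged. Timestamps are
    assumed to arrive in non-decreasing order.
    """
    def __init__(self, rules):
        self.rules = rules
        self.longest = max(window for window, _ in rules)
        self.history = defaultdict(deque)   # token -> attempt timestamps, oldest first

    def check(self, token, when):
        """Record an attempt; return the rules it violates (empty list = allow)."""
        attempts = self.history[token]
        attempts.append(when)
        while when - attempts[0] > self.longest:   # forget attempts outside every window
            attempts.popleft()
        violations = []
        for window, max_allowed in self.rules:
            count = sum(1 for t in attempts if when - t <= window)
            if count > max_allowed:
                violations.append(f"{count} attempts within {window} (limit {max_allowed})")
        return violations

# The article's two thresholds: a second attempt within an hour, or a fifth within a day.
RULES = [(timedelta(hours=1), 1), (timedelta(days=1), 4)]

def demo():
    """Replay a constructed attempt stream; return {token: [flag messages]}."""
    vf = VelocityFilter(RULES)
    t0 = datetime(2023, 11, 15, 9, 0)
    stream = [("tok_A", t0), ("tok_A", t0 + timedelta(minutes=10))]        # rapid retry
    stream += [("tok_B", t0 + timedelta(hours=3 * i)) for i in range(5)]   # five spread over a day
    flags = {}
    for token, when in stream:
        for msg in vf.check(token, when):
            flags.setdefault(token, []).append(msg)
    return flags

if __name__ == "__main__":
    for token, msgs in demo().items():
        print(token, msgs)
```

`tok_A` trips only the hourly rule and `tok_B` only the daily one, which is why both windows are worth running side by side.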
Maintaining a negative database is a potent way of nipping credit card fraud attempts in the bud. First, it’s imperative that you collect into an electronic file all information on accounts from which fraud was attempted against your business. This needs to include everything except, of course, for a card’s CCV, as it’s not legal for you to store it anywhere. Second, whenever you find out that a legitimate customer’s card account has been compromised, ensure that you’ve got in place a way of removing that card and cardholder’s name from your negative database, perhaps including having the customer enter updated info. Finally, your system needs to have an algorithm to compare newly entered purchasing info against similar data in the negative database and deny the transaction if a match is found.
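The three steps of the negative database above (record the attempt without the card code, remove a card once its legitimate holder reports compromise, match new purchases against the list), as an added example that is not part of the original article. It stores a keyed hash of the card number instead of the number itself, a design choice of this example; the key, card numbers and addresses are constructed demo values.

```python
import hashlib
import hmac

# Constructed demo key for the keyed hash; a real deployment keeps this in a KMS/HSM.
HASH_KEY = b"demo-key-not-for-production"
CARD_CODE_FIELDS = {"cvv", "ccv", "csc", "cvn", "cvd"}   # never written to any store

def card_fingerprint(pan):
    """Keyed hash of the PAN digits, so the list holds no usable card number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(HASH_KEY, digits.encode(), hashlib.sha256).hexdigest()

def normalise_address(addr):
    return " ".join(addr.lower().split()) if addr else None

class NegativeDatabase:
    def __init__(self):
        self.entries = {}   # card fingerprint -> record of the fraudulent attempt

    def add_fraud_attempt(self, txn):
        """Step 1: keep everything about the attempt except the PAN and the card code."""
        record = {k: v for k, v in txn.items() if k.lower() not in CARD_CODE_FIELDS and k != "pan"}
        record["fingerprint"] = card_fingerprint(txn["pan"])
        self.entries[record["fingerprint"]] = record
        return record

    def clear_compromised_card(self, pan):
        """Step 2: drop the entry once a legitimate cardholder reports the card compromised."""
        return self.entries.pop(card_fingerprint(pan), None) is not None

    def matches(self, txn):
        """Step 3: return which field hit the list ('card' or 'ship_to'), or None to allow."""
        if card_fingerprint(txn["pan"]) in self.entries:
            return "card"
        ship_to = normalise_address(txn.get("ship_to"))
        if ship_to and any(ship_to == normalise_address(r.get("ship_to")) for r in self.entries.values()):
            return "ship_to"
        return None

def demo():
    """Walk the three steps over constructed transactions; return the observed outcomes."""
    ndb = NegativeDatabase()
    stored = ndb.add_fraud_attempt({"pan": "4111 1111 1111 1111", "cvv": "123",
                                    "name": "A. Person", "ship_to": "12 Drop St, Anytown"})
    hit_card = ndb.matches({"pan": "4111111111111111", "ship_to": "1 Main St"})
    hit_ship = ndb.matches({"pan": "5555 5555 5555 4444", "ship_to": "12  drop st,  ANYTOWN"})
    cleared = ndb.clear_compromised_card("4111-1111-1111-1111")
    after_clear = ndb.matches({"pan": "4111111111111111", "ship_to": "9 Elm Rd"})
    return {"cvv_stored": "cvv" in stored, "pan_stored": "pan" in stored,
            "hit_card": hit_card, "hit_ship": hit_ship, "cleared": cleared, "after_clear": after_clear}
```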
Are you aware that the Federal Trade Commission’s FACTA regulation requires a business to properly and safely dispose of the customer data and financial information it has stored? For you, this means shredding all paper documents and using a hard disk scrubber to wipe all data from electronic files once the customer’s information has served its business purpose and is no longer needed.
During the period when your business has a need to maintain sensitive personal data on a customer, it ought to be protected by encryption. The very first thing that a cyber-criminal trying to steal someone’s card info looks for is “in plain sight” data. (This is what phishing scams attempt to trick cardholders into giving up.)
Speaking of phishing scams, your merchant website ought to be equipped with a malware detection program. These programs block malware from getting onto the site, and if some gets through anyway they issue immediate alerts to you and your visiting customers so that action can be taken right away.
Within your office, access to customers’ personal and financial information needs to be as restricted as possible. Employees who don’t have an absolute need to know or gain access to this information simply shouldn’t be able to get their hands, or their eyes, on it. Authorized employees who do get access need to be issued special keys (whether physical or digital), and if they’re working out of the office their laptops and devices need to be equipped with a VPN protocol.
A technologically advanced form of information access restriction in the office is the use of computer screen facial recognition programs. These programs cause the information on the screen to immediately become blurry and unreadable whenever the authorized employee turns his face away from the screen, preventing “theft by peeking”.
Use a dedicated server for all of your credit card processing. Yes, this is significantly more expensive than using a shared server. But it’s just as significantly better at securing sensitive cardholder information against hackers. Your customers’ financial integrity and your business’s reputation are worth it.
Finally, have a detailed plan in place in advance to immediately act on any instances when hackers or cyber thieves breach your defensive walls. Alas, no defense is 100 percent secure. By being prepared when breaches occur, the harm can be mitigated and contained.