
Wednesday, April 22, 2015

Why Data Security Concerns Small Businesses

Why Data Security Should Concern Small Businesses (and All Businesses, Really)



Given the culture of mainstream data security breaches we’ve been unwittingly thrust into beginning in about 2013, I think it goes without saying that PCI compliance is vitally important, not just in the world of payment processing, but in the world of business in general.

Oh, PCI compliance… I’m talking about that item that never fails to pop up on your credit card processing statement.  It’s that one thing you’re always billed for, no matter whether it’s in the positive (PCI compliance fee) or the negative (PCI noncompliance fee).  Funny little line item it is.
For some business owners, that’s all it will ever be – another annoying, unexplained little line item in an entire world of more pressing business issues.  Maybe something a bit like car insurance – an expense whose worthiness won’t be proven until the day of a catastrophic, metal-twisting wreck.  As a business owner, should a data security breach really concern someone like you while you’re busy growing your business?  Or, is this just a game the giants play while anyone smaller than Goliath watches from the bleachers?

Lately, all signs seem to say that yes, business owners – even small business owners – ought to be quite concerned with data security breaches.  Breaches are actually down worldwide from two years ago, but, as our buying culture moves slowly but surely to credit from cash (and our general habits from physical to online), fraudsters and hackers see the channel as a very viable road to profit.  Although PCI noncompliance is just one cause of data security breaches, taking a look at compliance and general payment security pointers can benefit all business owners, as security flaws are usually extremely correctable.

This piece isn’t meant to alarm you; instead, it’s more of a wake-up call for businesses who’ve relegated PCI compliance to the back burner – or, didn’t put it on the stove at all.  Better at least cover that pot if you’re keeping it out overnight.

So, what is PCI compliance, then?



Basically, it’s the security of credit card information – that is, how safe you’re keeping it when and if you’re storing it.

Some aspects of PCI compliance are thoroughly under your control.  For example, when faced with the decision of whether or not to copy down a customer’s credit card number to enter into your accounting system or credit card terminal later, you can choose not to, knowing well that paper trails, even destroyed ones, can increase your fraud liability.

And, other aspects are thoroughly out of your control.  For example, you may be using a payment processing program that keeps unprotected credit card information stored on your business’ server (and, though it sounds crazy, there are programs that do just that).

Do you have a Target (or a Home Depot) on your back?



It’s an unfortunate circumstance of today’s media coverage that the big guys get most (if not all) of the attention, while the little guys get next-to-nothing.  Contrary to what you may have heard, small businesses are a favorite target for hackers.  This white paper shows that 70% of all reported data security breaches happen in small businesses – a truly incredible, harrowing statistic, telling a much different story than the one you’d understand by only reading headlines. 

The headline stories make sense; compared to the enormity of the Target and Home Depot data breaches, the small business ones are…well, quite small.  Though they may be small enough to dip underneath the radar completely, they’re certainly a big story to the business owners they affect.

Data breaches can be murder



I don’t mean for you as a person, obviously.  But, to your business?  That’s a yes.  The National Cyber Security Alliance stated in a report that when a small business is hacked and has its customers’ information compromised, it has a 60% chance of closing its doors within six months of the attack.
When you look at that statistic in tandem with the aforementioned one about how 70% of all reported data breaches occur in small businesses, it’s not quite a death sentence for small businesses – but, it’s close.

Especially in our age, hackers and fraudsters are more skilled than ever before, and, they’re very aware of the fact that small business owners think they’re too small to be viable targets for information breaches.  Incidentally, they’re also too small to be seen by most anyone when they’re broken into, so nobody ever thinks to change their own security tactics until ex post facto.

Don’t be the next unseen statistic



You don’t have to be another story nobody hears about.  Now that you know about all this negativity, you’ll be quite pleased to know it’s not difficult at all to protect yourself from invisible hackers and others who don’t have your best interests in mind.

Regardless of security breaches caused by hackers, it’s pretty easy for anyone to straighten out a rumpled piece of paper you used to copy down someone’s credit card number.  Indeed, this isn’t what most people think of when they hear that term data breach, but if anyone recovers that trashed piece of paper you used, you’ll be liable for any consequences that may arise just the same.  Just resist the urge to engage in that practice, and, if you’ve absolutely needed to do so in the past (for business procedures, direct orders, or any other reason), it may be time to revise standard procedure.

Additionally, if you use a computer-based credit card processing system that stores full, unprotected credit card numbers on your own server (read: is not PCI compliant), it’s time to look into an updated solution, something that fits today’s security standards.  Solutions that employ tokenization technology, for example, replace each stored card number with a surrogate token – a random string that can’t be turned back into the card number without the processor’s separate, protected vault – so anyone who successfully breaks into a server storing the information doesn’t get anything worthwhile – only meaningless strings of characters.

If you used a cloud-based processing system, for example, you wouldn’t be liable for a data compromise the same way you would if you used something that stored information on your own servers.  If you aren’t sure about the status of your own processing system (for example, where it stores information, whether or not it’s even cloud-based), it never hurts to ask your credit card processor or search for reviews of the product you use that relate to PCI compliance and data security in general.
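To make the tokenization idea concrete, here is an added example (not code from the original post or from any particular processor): a toy token vault standing in for the processor side, and a merchant record store that only ever holds tokens. Names such as `TokenVault`, `MerchantRecords` and the test card number 4111111111111111 are assumptions made for the illustration.

```python
"""Toy tokenization vault (illustrative, constructed for this example).

The merchant's own records never contain the primary account number (PAN);
they hold a surrogate token that is meaningless on its own.  The token -> PAN
mapping lives in a separate vault, which in practice sits at the processor,
not on the merchant's server.
"""
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Mod-10 check used to reject obviously mistyped card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The sensitive side: holds the only copy of real card numbers."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)
        if not (13 <= len(pan) <= 19) or not luhn_valid(pan):
            raise ValueError("not a plausible card number")
        # The token is random, not derived from the PAN, so it cannot be
        # reversed without this vault.  The last four digits are kept in the
        # token so receipts and customer lookups still work.
        while True:
            token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor calls this, at the moment of charging."""
        return self._token_to_pan[token]


class MerchantRecords:
    """What a merchant's server actually stores: tokens, never PANs."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self.orders: list[dict] = []

    def record_order(self, customer: str, pan: str, amount_cents: int) -> str:
        token = self._vault.tokenize(pan)
        self.orders.append(
            {"customer": customer, "card": token, "amount_cents": amount_cents}
        )
        return token

    def breach_exposes(self, pan: str) -> bool:
        """Would a full dump of the merchant database reveal this PAN?"""
        digits = re.sub(r"\D", "", pan)
        return digits in repr(self.orders)


if __name__ == "__main__":
    vault = TokenVault()
    merchant = MerchantRecords(vault)
    tok = merchant.record_order("alice", "4111 1111 1111 1111", 2599)
    print("merchant stores:", merchant.orders[0])
    print("PAN exposed by a dump of merchant records:",
          merchant.breach_exposes("4111111111111111"))
```

Run it to see that the merchant record contains only `tok_..._1111`, while the real number can be recovered solely through the vault.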


So, what is the value of PCI compliance to small businesses?  It’s much more than a little line item on your statement; the very survival of many businesses depends on it.  Be absolutely sure your own business maintains PCI compliance to avoid any potential pitfalls, and rest easy knowing that your customers’ payment records are safe because of something you did for your business.  Because, as a small business owner, you’ve got a lot more to pore over than fretting about losing your business because of an entirely avoidable data security lapse.

Thursday, April 16, 2015

There’s a New Payments Advocate in Town – and it’s the Government!

They've formed something called the CPTC - and, the PIC.  


But... What do they do?


If you follow this blog, you know I’m all about electronic payments.  But, I’ll bet you didn’t know that as of a month ago, the government is all about electronic payments, too!

It’s true.  On March 19th, Washington issued a press release announcing the formation of a new discussion group, the bipartisan Congressional Payments Technology Caucus (CPTC).  The bipartisan caucus, headed by four US Representatives, will discuss how innovations in payment technology affect all consumers, especially the segment of consumers who aren’t tied to any physical bank, as well as data security.

As well, on April 9th, four US Senators formed the bipartisan Payments Innovation Caucus (PIC).  Like the CPTC, the PIC will explore data security trends, general payment innovations, and how those innovations protect consumers.

Both the CPTC and the PIC exist not only to foster discussion among congressmen, but to spread awareness of payments technology issues and, in doing so, move contents of the discussions onto the appropriate law-making forums.


What does this mean?


I say it’s about time Congress got on board with electronic payments.  I guess after years of silently developing a hold on our collective hearts, first with simple credit cards, then with mobile payments and digital wallets - and then breaking many of them with those nasty data breaches - someone had to take notice.

It’s a very good thing, because according to an article from Senator Gary Peters (D-MI), a staggering 70% of consumer spending happens electronically (although the difference between card payments and ACH transactions isn’t specified).  He says that by 2017, consumers will be spending $7.3 trillion per year electronically.  (For more stats on current usage as well as the advancement of payment security in general, you can check out this white paper, Payment Security and Beyond in 2015.)


So, does this mean law-makers will take action that involves credit card payments and data security?  Will the government’s involvement in payments mean more support for small businesses?  A global shift in credit card processing costs?  All things remain to be seen, and, since we’re talking about a government operation, we can expect a snail’s pace.  But, it’s something.

Friday, February 20, 2015

3 Cash-Saving Tips For Adult Merchant Account Owners

Do you have an adult merchant account?  

Yes, you!
As someone doing business and taking credit cards in the adult industry, I'm sure you've heard just about everything in the book - and, I'm also sure a lot of it's negative crap, too.  Adult industries and adult merchant account owners in particular get the short end of the stick in today's wonderfully ambivalent, ambiguously sexualized-but-wait-not-really world we're a part of.  When it comes to adult credit card processing, it's a freaking jungle out there.  What are you to do?

This post is here to help address common problems adult merchant account owners or would-be-owners have with getting decent, competitive costs on their credit card processing.  It's a little more difficult to do than it is for run-of-the-mill businesses, but it's attainable.  Read on!

How to get decent rates on your adult merchant account

Take notes, 'cause this might be on the final.

Suggestion 1: Take control of your chargebacks by obtaining extra information

One of the chief reasons an adult merchant account is considered part of a high risk business is because of the chargebacks you'll often incur.  Chargebacks occur when customers (claim they) aren't satisfied with your products or, more often, when they don't remember ordering them, so they file a dispute with their credit card provider looking to get their money back for the product they ordered from you.  Winning a chargeback battle can be difficult if you don't provide adequate information about the credit card and transaction itself, so you should be absolutely sure to:
  • Make sure your customer gives you the CVV code from the back of his credit card.  This is just another piece of information that helps verify the card wasn't being used fraudulently.
  • Make sure the customer gives you his billing address.  You'd want this for the same reason you'd want a CVV code.
  • For retail adult stores, invest in EMV technology.  EMV isn't mandated yet, and, certainly not everyone uses EMV credit cards yet, but, when the time comes, EMV will reduce fraud pretty significantly because EMV credit cards are inherently harder to replicate.  An EMV-enabled terminal costs you $200 or so.  It's a great investment.
Supplying the extra detail and using EMV card readers won't help you win every chargeback, but it will help you win more than you're winning now.  And, fewer chargebacks mean lower costs for you because your processor doesn't need that extra insurance against your would-be fraudulent transactions.  Everybody wins.

Don't let this happen to your poor customers.

Suggestion 1a (or 2): For retailers, give your business an innocuous-sounding name so your customers (or their significant others) don't freak out at their monthly statement

This may seem silly, but it can help reduce chargebacks as well.  You may not be able to control what products of yours your customer chooses to bring home, but you can control how your business is presented on his credit card statement.  Regardless of the actual name of your establishment, which I recommend you keep so as not to turn away legitimate business, you can choose to have your adult novelty business show up differently on someone's credit card billing statement.  Using the name of a bookstore or referencing the name of the street address of the business are both tactics you can use.  Be a little creative!

Why isn't this you yet?

Suggestion 3: For wholesalers and manufacturers, use a processing method that can obtain the best base costs on business-type credit cards

Some business owners aren't aware that business cards have a few different set acceptance costs based on how much extra information is provided along with each transaction - that is, the more information you provide, the less you have to pay.  And, of the business owners who do know about these lower costs, not everyone knows if their gateway will accept the information, or even how to do it.  Here's what I suggest:
  • If you don't use a virtual gateway for credit card processing (i.e. you're still keying cards into your black box terminal), start there.
  • If you do use a virtual gateway, ask your processor if you're getting the lowest costs for business-type credit cards.  They may be able to help you.
  • If you know you're getting some discounts from card qualifications, ask your processor what steps you can take to get all the business-type cards you take to qualify correctly.  They may be able to help with that, too.
  • If your processor is unable to help you, it may be time to choose another credit card processor.
This is another solution that isn't the entire package but will help lower your costs somewhat.  Again, this is only pertinent to wholesalers, distributors, and manufacturers.

I know it's a little harder than usual to get decent credit card processing as someone who wants an adult merchant account, but, it can be done.  Cost savings are part of the battle, and, by at least utilizing point 1, you'll be doing both yourself and your processor a huge favor, because without the chargebacks, your risk level drops significantly.

Happy trails,

Jeremy

Friday, December 19, 2014

MOTO Credit Card Processing is Dead

(or, 3 tips to make it in MOTO business today)



Well, you heard me.  MOTO credit card processing as it was known at its inception is dead.  What comes to mind when one pictures MOTO credit card processing?  A businessperson typing a card number into a credit card terminal, right?  The technology in those terminals is approaching the age of dirt.  And, even more importantly—because some of us enjoy collecting classic items—that old technology is responsible for 85% of the card-not-present downgrades on monthly processing statements and 75% of the shoddy reports generated by harried accounting staff members.

Okay, so I’m totally lying about the numbers.  The point—that transactions are downgraded terribly and reporting tools are nonexistent with physical terminals—is absolutely valid.  If there were a way to measure shoddiness of reports as a function of harriedness of accounting staff from the general crappiness of the quality of life due to the oldness of your physical terminal, there would probably be a positive correlation.

MOTO credit card processing as you probably know it has outlived its expiration date.  If you know it as something else than what I’ve described, be happy you didn’t have to live through the golden (expensive, stressful) years.  You don’t have to take notes today.  However, if you have no idea what could ever replace your credit card terminals in the scheme of your business, you’ve arrived at the right place.  It’s time to get down and dirty.

MOTO credit card processing tips


1.  With the internet all things are possible (especially improved payment technology)


The internet has improved human life tremendously—or, rather, it’s sped everything up and made it easier to pass information around.  How does this apply to MOTO credit card processing?  Well, nowadays, you have options other than the physical terminals you might be using.  Take, for example, the virtual terminal:

If you're not familiar, it'll look something like this.  Pretty nice UI, and intuitive reporting tools.


Important to know about your virtual gateway:


  • You can access your online gateway from anywhere with an internet connection, not just your office.
  • Most virtual gateways are equipped with built-in searching and reporting tools, which are absolutely invaluable for copy requests, other audits, and simply reporting things at the end of the day or month.
  • Some virtual gateways can be equipped to integrate to your accounting system (like QuickBooks, or wherever else you might create and reconcile invoices), which brings about a whole host of other benefits.  There’s no better way to catapult your business into the 21st century than with a payment integration—and, your accounting staff will agree.


2. You can utilize payment channels other than mail and telephone


I know MOTO stands for Mail Order/Telephone Order, but in the past decades, that business model has expanded to include online orders, either via email or shopping cart.  Strongly consider whether or not your customers would benefit from the addition of an email payment portal, or a web shopping cart.  Maybe your website isn’t much to look at, or—good heavens—maybe you don’t even have a website.  Whereas payment integration can help almost everyone, adding a web shopping channel might not be for you if you have a well-established client base and you aren’t worried about not attracting Joe Average consumers.  But…I would wager that this idea helps more businesses than it hurts.  I mean, adding visibility and more payment methods can never hurt.

Shopping carts give you access to SO much useful data!  Makes me want to start my own business.

Important to know about an online payment method for your customers:


  • This is the age of automation.  Usually, if people have the opportunity to use an email portal or shopping cart for payment, they will.  That means orders come to you without you having to answer the phone.  And, that saves time.
  • You can automatically import your online payment data to your virtual gateway with information from other payment channels (like telephone) and make your reporting even easier.
  • Some shopping carts (like Magento) are designed to lower the base costs of accepting certain credit cards for payment.  Depending on your potential for online orders, this could be a great windfall.


3. The importance of PCI compliance can’t be overstated, so use a compliant solution


In light of the mainstream data breaches you've undoubtedly heard or read about, this point can't be stressed enough.  Using a virtual gateway or an integrated processing solution has the potential to significantly increase your data security, and decrease your chance of becoming the next mainstream news story.


Important to know about PCI compliance:


  • It’s easy to believe you’re invulnerable to hacks since you use a physical terminal—but, it simply isn’t true.  Hacking into phone lines isn’t terribly difficult; an entire subculture of phreakers could attest to that in the 1980s. 
  • Using a virtual terminal secures your data, and, using a tokenized data solution makes the data even safer than with a conventional virtual terminal.
  • Solutions like these are in high demand given the past few years—and, contrary to what you might believe, these solutions are usually available at no additional cost, as modern processors have adopted PCI compliance as a standard.


The beginning of something great


When something dies, something invariably takes its place, and we’re witnessing the implementation of some really cool payment processing options.  (I don't know about you, but I really like it when I can get a machine or a computer program to do instantly the work I would have spent 30 minutes doing, all while offering me a higher standard of data protection.)  Request a virtual terminal demo from the merchant services provider of your choice, and talk to several companies about what new MOTO credit card processing options will do for you.  I think if you give these options a chance, you’ll be pleasantly surprised at how much your business is improved.

Until next time,


Jeremy

Thursday, December 4, 2014

What on earth is EMV?

He's ready to learn.  Let's get moving.
These days, EMV chips are all the rage in Europe, and, with their official USA ETA in October 2015, they’re coming on over to stay in the United States as well.  You might have an EMV card now, or maybe you’ve seen a few of your customers present them to you for payment.  But, aside from looking high-tech and probably having to do with security, just what’s going on with these EMV chips?  Here are five quick details to take with you.

1.   EMV chips don’t significantly change how cards are used, but they really only work for card-present transactions

As the EMV chip is a physical feature of a card, it interacts with another physical object for its security: an EMV chip reader.  For card-not-present transactions, all information is transmitted manually over a phone line or the internet, so the chip’s security won’t have any use at all in those situations.  Aside from the physical aspect of having EMV chips, newer credit cards look the same as their older counterparts.  (Eventually, the magnetic stripe on EMV cards will fall out of use as businesses update their hardware, as all pertinent transaction information can be gathered through an EMV chip anyway.)

2.   The EMV shift will cost businesses and banks a good deal to implement

Replacing a couple of credit card terminals might be annoying, but it isn’t terribly expensive–I’ve seen EMV-equipped terminals for $300, give or take about $50.  But, what if you own a retail store with four credit card terminals?  What if you operate an independent grocery store and you need to replace ten?  Considering those possibilities, it’s no wonder many business owners are trying to shelve their updates for as long as possible.  And, it isn’t just retail businesses that are feeling the pain.  Banks have their work cut out for them, what with the nearly a billion older credit cards in circulation now.  And, let’s not forget their ATMs, which will all have to be equipped to read new EMV debit cards.


3.   October 2015 is the deadline to update your card-reading hardware, but you probably won’t see overall compliance until much later

October 2015 marks the liability shift—the point at which businesses become responsible for fraudulent charges resulting from EMV-equipped credit cards used with standard mag stripe-reading terminals.  Some businesses will be slow to adapt to the new rules, however dire the punishment for not doing so, simply because of the expense of updating hardware.  You may very well have $1200 lying around to spend on four new EMV terminals, but, you may not want to part with it because you don’t see the need—not yet, anyway, because you haven’t been hit by fraud… It’s a waiting game, though.

4.   EMV chips do prevent fraud nicely, but it’s still possible to pull a fast one on card-issuing banks

In October of this year, a fraudster team in Brazil reportedly captured credit card data from a real EMV-equipped credit card, and then manipulated information like credit card numbers, issuing banks, and acquirer IDs, to fabricate other transactions on the fly that looked quite real with the addition of the captured EMV information.  According to this article, the fraudsters played off the notion that banks’ fraud controls would be looser for EMV-signed transactions—and, indeed, they were, as banks automatically approved the charges due to the presence of the additional EMV information, however false it was.  These so-called replay attacks aren’t so common, but can occur from time to time if someone’s head is turned away at the wrong time.

5.   There are two different potential EMV systems to put in play, each with distinct advantages and disadvantages

When businesses choose to upgrade to EMV technology, they will have another choice to make: whether to use a chip-and-PIN system or a chip-and-signature system.  Chip-and-PIN systems are the inherently more secure option because their requiring a PIN (verified by the EMV chip) with every transaction makes it much, much harder for thieves to use a card fraudulently at that kind of credit card terminal.  As expected, a chip-and-PIN system requires the use of a special PIN pad, which costs businesses money to use.  Bearing that in mind, there is another, somewhat less secure method businesses can use to secure their EMV transactions: the chip-and-signature system.  The major factor chip-and-signature systems bring to the table is their lack of a PIN feature.  Signatures add a small veil of security, much like signatures for purchases with conventional credit cards, but the problem is signatures can always be replicated, and, as anyone who’s ever used one of those battered electronic styli and pads at a grocery store can attest, it really doesn’t matter what the hell you sign.  Predictably, businesses tight on cash will opt for the less secure chip-and-signature method in the interest of cutting costs—until they’re affected by fraud themselves.  So it goes!

By now you understand I’m full of it; brevity isn’t my strong suit

Those weren’t fast facts at all, but, hopefully they were substantial facts and you come away from this ready to win some bar bets.  In all seriousness (I know!  In this blog?!), EMV is a big deal because it’s the first real update to the credit card itself since its (mainstream) inception in the ‘70s.  Cards are going to look a little different, and business owners and banks will have to front the cost of these upgrades; that’s just the system we’ve built.  Security will likely be much better in the future, though, and we won’t have as many of these nasty fraud stories to talk about.

Cheers,


Jeremy