Maintaining a secure business doesn’t just benefit you; it also benefits the customers who frequent your business and pay for your services. Simply locking your cash drawer isn’t enough if you accept credit card payments.
Fraud costs businesses and consumers alike. According to the Federal Trade Commission, consumers reported over $744 million in fraud complaints in 2016. These complaints can affect how buyers perceive businesses that are breached or that neglect fraud occurring on their premises.
By implementing a device security protocol, you can stay on top of your business’s PCI compliance and actively prevent fraud.
It’s a best practice to label and store documentation for all the POS equipment you use to process payments. Such equipment could include your credit card terminals, desktop or laptop computers, and credit card readers. Labeling or denoting the serial number, location, model and any associated notes regarding the hardware and its condition will help you spot any discrepancies or signs of tampering.
Establish a routine for examining your devices for signs of tampering. These include the following:
Keep an eye out for USB thumb drives, as they’re becoming increasingly small and are easy to miss when inspecting your devices. To give your POS equipment a full inspection, completely unplug it and examine the underside, the back and the front for anything plugged into ports or attached to the credit card terminal. Do this for all terminals and swipers at your business.
All it takes is one fraudster to start a breach at your business. Formally examine your devices on a monthly basis and keep an eye out for suspicious behavior.
Fraudsters are finding increasingly creative ways to execute their plans. If your business receives an unannounced visit from an unidentified person asking to perform maintenance or fix your credit card terminal, call your provider and inquire about the person before letting them touch your POS credit card terminal or other processing hardware. This person may be attempting to attach a skimming device to your terminal.
Similarly, if you receive a package with replacement equipment you did not order, call your provider before plugging it in and swapping out any of your payment devices.
As a business owner, you might not be at the cash register to spot suspicious behavior at checkout. Foster an environment of vigilance so that your employees can recognize suspicious activity when they see it and can report the activity efficiently to management.
All of the aforementioned security best practices are part of maintaining a PCI compliant business. If you’re having trouble being PCI compliant, you might want to consider partnering with a PCI Level 1 Merchant Account Provider. When you partner with a trusted provider, you’ll receive guidance for becoming PCI compliant as well as opportunities to reduce your PCI scope. This helps you reduce the number of devices that store, process or transmit credit card data so that you can become PCI compliant more easily.
If you’re still using an old-school credit card terminal that isn’t EMV-ready, you’re leaving your business open to another liability. Only EMV-ready terminals can properly process EMV transactions, which are more secure than magstripe transactions. Issuing banks want businesses to adopt this fraud-prevention technology and are incentivizing the measure by penalizing businesses that swipe EMV chip transactions with chargebacks. These bank-initiated chargebacks have nothing to do with purchase satisfaction — they’re merely a means of incentivizing EMV adoption.
Furthermore, because EMV technology is more secure, fraudsters are targeting businesses that are slow to adopt this technology. Make updating your POS equipment a priority to reduce fraud and potential losses due to the liability shift.
Does your business have a device security protocol in place? Have you considered how your credit card terminal could be subject to fraud? We’d love to hear from you!
Editor's Note: This post was originally published in January 2018 and has been updated for comprehensiveness and accuracy.