As news of cyber attacks and breaches seems to make international headlines every other week, you might be wondering what your business can possibly do to protect itself and your customers’ payment data. After all, even massive companies seem to be susceptible to the devastating effects of data breaches. Last year, Home Depot agreed to pay nearly $20 million to consumers in compensation after intruders stole the payment card information of more than 50 million people. Even more severe than the Home Depot breach was the theft of roughly 40 million Target customers’ payment card information, which resulted in a $39 million settlement in December 2015.
Perhaps even worse than the immediate financial costs of a settlement after a cyber attack, however, are the negative effects on your business reputation. In the aftermath of a breach, your company’s stock price will likely sink as investors get skittish, any pending business deals may fall through, and your customers will lose trust in your ability to secure their personal information. All of these repercussions are unpredictable and unquantifiable, yet they can wreak havoc on your short-term and long-term business strategies. And it doesn’t matter what industry you’re in or how big your business is: every single business needs to be aware and vigilant.
It’s no longer sufficient to rely on “security through obscurity,” hoping that you’re too much of a small fish to be the target of a breach. Neither is it enough just to tick off the boxes of whatever security checklist you have and call it a day, assuming that doing the bare minimum is enough to defend yourself. So what can you do to lower your risk of data breaches and protect your customers’ payment data?
Best Practices at Your Business
Cybersecurity begins at home, and there are a number of things you can do within your company to minimise your risk of an intrusion. On the technical side, you should always keep your computers up to date with the latest versions of your operating system and web browser. Automatic software updates should be turned on so that you receive the latest security patches and fixes promptly. In addition, security solutions such as firewalls and antivirus software should be installed on all machines.
Even the best technical solutions, however, can be thwarted by common human errors and oversights. You also need to draft and implement a comprehensive cybersecurity policy that all of your employees must follow. For example, you need to carefully monitor the use of external media such as CDs and USB drives to avoid introducing malware onto your company’s systems and to stop data exfiltration from insider threats. If you have a “bring your own device” policy at work, make sure that these devices log on to your servers using a secure connection, such as a VPN (virtual private network). Train your employees to recognise common scams and fraud attempts, such as phishing emails and malware.
If you contract your data out to external vendors, make sure that they agree to follow the same policies that you’ve put in place internally. The Home Depot data breach, for example, happened after malicious actors stole the necessary security credentials from a third party who contracted with the company. Access to sensitive customer data should be restricted only to those users who explicitly need it at that point in time.
Many of these points are incorporated within the gold standard for credit card information security, PCI DSS (Payment Card Industry Data Security Standard). If you’re truly lost as to where to begin, fulfilling the PCI DSS requirements is an excellent way to get started and reassure your customers that you’re taking steps to protect their information.
Strong Technical Solutions
Once you’ve implemented the above ideas, there are a number of additional, more technical methods that are highly recommended for safeguarding your customers’ payment data.
First, payment information within a database should be encrypted, meaning that the data is transformed with an encryption algorithm and key and stored only in that transformed form. Without the original key, the information is unreadable to anyone examining the encrypted data.
A similar technique is known as tokenisation. When credit card data is tokenised, it’s removed from your own internal network and replaced with a randomly generated token. You can use this token to access customers’ data, which is stored with a third party that requires you to verify your identity, but it’s worthless in the hands of a malicious actor.
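The tokenisation flow described above, as an added example that is not part of the original article: a stand-in for the third party’s token vault hands the merchant a random token in place of the card number, so the merchant’s own systems hold nothing that can be reversed into the card data, while the vault releases the real number only to an authorised caller. The `TokenVault` class, the `authorised` flag and the `tok_` prefix are assumptions for this illustration.

```python
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Reject malformed card numbers before they ever reach the vault."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 + 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Stands in for the third-party vault; the merchant never holds these maps (assumed design)."""
    _pan_by_token: dict = field(default_factory=dict)
    _token_by_pan: dict = field(default_factory=dict)

    def tokenise(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        if pan in self._token_by_pan:      # repeat customer: reuse the existing token
            return self._token_by_pan[pan]
        # The token is random, not derived from the PAN, so it reveals nothing on its own.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenise(self, token: str, authorised: bool) -> str:
        """Only an authenticated, authorised caller gets the real card number back."""
        if not authorised:
            raise PermissionError("caller not authorised to detokenise")
        return self._pan_by_token[token]


def masked_reference(pan: str) -> str:
    """What the merchant may keep next to the token for receipts: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]
```

A stolen token plus the masked reference gives an intruder no way to recover the card number; only the vault, with its access controls, can map the token back.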
When your data is “in motion,” it needs to be protected in transit as well. Using a protocol such as SSL (Secure Sockets Layer), one of the most widely used choices for validating the identity of a server or website, reduces the risk of an intruder reading the data if they intercept it. In addition, you need to make sure that your customers’ data is secure at the point of entry by using a system with built-in security and fraud protection.
Your customers’ payment information is some of the most important data that your business has, for both you and them. However, remember that your company’s cybersecurity strategy is only as good as its weakest link. Make sure that you educate yourself on cybersecurity best practices and choose a strong payment technology solution that you can trust to keep your customers’ data safe.