As small and medium businesses begin to re-open following the pandemic, it’s important to do so securely in order to protect customer’s payment card data. Too often, data breaches happen as a result of vulnerabilities that are entirely preventable. The PCI Security Standards Council (PCI SSC) has developed a set of payment protection resources for small businesses. In this 8-part back-to-basics series, we highlight payment security basics for protecting against payment data theft. Today’s blog focuses on reducing where payment data can be found.
It’s impossible to protect card data if you don’t know where it is. What can you do?
When it comes to protecting card data, remember, the less you have, the safer you are! Here are a few ways you can limit your risk by getting rid of unnecessary card data:
- Ask an expert: Ask your payment terminal vendor or merchant bank where your systems store data and if you can simplify how you process payments. Also ask how to conduct specific transactions (for example, for recurring payments) without storing the card’s security code.
- Outsource: The best way to protect against data breaches is not store card data at all. Consider outsourcing your card processing to a PCI DSS compliant service provider (see page 22 of the Guide to Safe Payments for where to find lists of compliant service providers).
- If you don’t need card data, don’t store it: Securely destroy/shred card data you don’t need. If you need to keep paper with sensitive card data, mark through the data with a thick, black marker until it’s unreadable. Secure the paper in a locked drawer or safe that only a few people have access to.
- Limit risk: Rather than accepting payment details via email, ask customers to provide it via phone, fax, or regular mail.
- Tokenize or encrypt: Ask your merchant bank if you REALLY need to store that card data. If you do, ask your merchant bank or service provider about encryption or tokenization technologies that make card data useless even if stolen. Learn more about how using as PCI P2PE solution can help make data less valuable to attackers even if compromised in a breach.
Still working from home? Take this 45-minute training to ensure your work set-up is secure: New Training: Work from Home Security Awareness
Remember, the best way to protect against data breaches is not store card data at all. You can read more about these tips along with more payment security best practices in the PCI SSC Guide to Safe Payments.