Small and medium businesses around the world are increasingly at risk for payment data theft. Nearly half of cyberattacks worldwide in 2015 were against businesses with fewer than 250 workers, according to cybersecurity firm Symantec. In order to help these companies protect themselves and their customers, the PCI Security Standards Council (PCI SSC) Small Merchant Taskforce has developed a set of payment protection resources for small businesses. In this series, we highlight security basics from the Guide to Safe Payments for protecting against payment data theft.
It’s impossible to protect card data if you don’t know where it is. What can you do?
When it comes to protecting card data, remember, the less you have, the safer you are! Here are a few ways you can limit your risk by getting rid of unnecessary card data:
- Ask an expert: Ask your payment terminal vendor or merchant bank where your systems store data and if you can simplify how you process payments. Also ask how to conduct specific transactions (for example, for recurring payments) without storing the card’s security code.
- Outsource: The best way to protect against data breaches is not to store card data at all. Consider outsourcing your card processing to a PCI DSS compliant service provider (see page 22 of the Guide to Safe Payments for where to find lists of compliant service providers).
- If you don’t need card data, don’t store it: Securely destroy/shred card data you don’t need. If you need to keep paper with sensitive card data, mark through the data with a thick, black marker until it’s unreadable. Secure the paper in a locked drawer or safe that only a few people have access to.
- Limit risk: Rather than accepting payment details via email, ask customers to provide them via phone, fax, or regular mail.
- Tokenize or encrypt: Ask your merchant bank if you REALLY need to store that card data. If you do, ask your merchant bank or service provider about encryption or tokenization technologies that make card data useless even if stolen.