If you are a business owner and your business accepts digital payments, it is important to have security steps in place to ensure your customers' information is safe. For more than 50 years, Visa has partnered with merchants to deliver reliable, secure, and convenient payment options. As one of the world's leading payment brands and one of the largest payment systems worldwide, Visa is a powerful tool for attracting new customers and opening doors to stronger sales.
Below are some quick tips to get you started.
Know the Who, What, Where of your sensitive data
- Make a list of the type of customer and card information you collect and store - names, addresses, identification information, payment card numbers, bank account details and social security numbers. It's not only card numbers criminals want; they're looking for all types of personal information, especially if it helps them commit identity fraud.
- Ask yourself, where do you keep this information and how is it protected?
- Determine who has access to this data and if they need to have access.
If you don't need it, don't keep it
- Once you know what information you collect and store, evaluate whether you really need to keep it. Businesses may not realise they're keeping unnecessary data until they conduct an audit. Removing and destroying sensitive data from storage makes it harder for criminals to steal it. Work with your bank or payment processor if you are unsure what data to keep or delete and ask if they have any rules governing data storage that you should be aware of.
- If you've been using card numbers for purposes other than payment transactions, such as a customer loyalty program, ask your merchant processor if you can use tokenisation instead. Tokenisation is technology that replaces card numbers with an alternate number that can't be used for fraud.
When you choose tools or services, make sure they're secure
- The payments industry maintains lists of hardware and software providers that have been validated against industry security requirements. The lists are available through the PCI Council.
- Visa also maintains a list of service providers that have been validated against industry security requirements.
- If you outsource your payment application and/or network installation and maintenance, have a conversation with your third-party integrator or reseller about security and ask if the payment software installed is compliant with the latest version of the Payment Application Data Security Standard (PA-DSS).
- Isolate payment systems from other, less secure programs, especially those connected to the Internet. For example, don’t use the same computer or point of sale system to process payments and surf the Internet.
- If you use a computer at your business to handle cardholder data or facilitate payment card transactions, make sure you install an anti-virus program and update it regularly. If your business has an outward-facing Internet protocol address (these are Internet-facing entry points to your network), it also is essential to implement a firewall and conduct quarterly vulnerability scans.
- Control or limit access to payment systems to only employees who need access.
- Make sure you implement remote access applications securely or eliminate remote access if you don’t need it so that criminals cannot infiltrate your system from the Internet.
Take advantage of security tools and resources
- Work with your bank or processor and ask about the anti-fraud measures, tools and services you can use to ensure criminals cannot use stolen card information at your business.
- Consider using encryption or tokenisation to help secure payment data and minimise its value to data thieves.
- For e-commerce merchants:
  - We recommend that merchants verify the CVV2 code. The CVV2 is the three-digit number on the signature panel that can help verify that the customer has physical possession of the card and not just the account number.
  - Merchants can also use Address Verification Service to ensure the cardholder has provided the correct billing address associated with the account.
  - For an additional layer of security, merchants can use services such as 3-D Secure, which prompt the cardholder to enter a personal password confirming their identity.
  - Companies such as CyberSource, a Visa company, can help by providing fraud management solutions and support for online merchants.
- For brick and mortar merchants:
  - Merchants need to ensure their payment terminals accept EMV chip technology.
  - EMV chip technology introduces unique dynamic values for each transaction, making account data less attractive to steal.
Resources
While small businesses often lack in-house support for securing their customers' payment information, there are a number of online resources that can help:
- Visa's PCI DSS Data Security Compliance Program: www.visa.com/cisp
Take advantage of Visa services intended directly for you, such as:
Visa Distribution
This is an outsourcing tool that helps merchants streamline and accelerate their accounts receivable process. With Visa Distribution, merchants collect payments from retailers faster, allowing them to improve cash flow while reducing overhead costs and risk.
Account Information Security (AIS) program
Build trust and confidence with your customers through the AIS program which is designed to protect sensitive account and transaction information throughout the Visa acceptance environment. The program aims to eliminate unnecessary data storage, and ensure that entities that store, process or transmit Visa cardholder data are doing so securely in accordance with the Payment Card Industry Data Security Standards (PCI DSS).
3-D Secure
Visa provides protection for online merchants through 3-D Secure. This service can provide significant savings in fraud-related costs, ensuring that merchants are not liable for fraud resulting from the unauthorised use of Visa cards.
CyberSource
CyberSource is more than a global payments gateway -- it is a payments management company. CyberSource provides a complete portfolio of services that simplifies and automates payment operations. Customers use CyberSource to process online payments, streamline fraud management, and simplify payments security.