There are risks when your business handles sensitive payment data. Here are six things most don't know about credit card processing.
- Review processing fees and terms before choosing a credit card processor for your small business.
- Processing types impact what type of payment protection is offered to merchants.
- You should consider multifaceted security approaches to protect credit card data for your customer base.
What you don’t know can hurt you when your small business handles sensitive payment data. In fact, being unaware of the risks and responsibilities you inherently assume in payment processing can expose your business to fines, fees and operational upheaval.
Here are six things most businesses don't know about payment processing.
1. You're subject to processing fees and terms.
Small businesses pay a credit card processing fee on each transaction. According to the Nilson Report, the average cost of processing fees from top credit card providers ranges from 2.09% to 2.33%. The cost may sound minimal, but it adds up when applied to large purchases.
Processing fees can be assessed using two main models. A business can pay a flat rate or use a tiered system that charges processing fees based on the type of transaction. You can evaluate each credit card processing agency to determine the best fit for your business based on processing fees and terms. The terms may include fee adjustments based on the type of transaction. For instance, card swipes typically incur lower fees than manual entry of credit card data.
2. Processing type impacts the level of payment protection.
Most debit and credit cards that were reissued in the United States in 2015 to include EMV chips now have a magnetic stripe on the back and an EMV chip on the front. Still, many businesses don't know there are significant differences in payment security when a card is swiped versus inserted into the EMV payment terminal.
When a customer uses the EMV chip card feature, the processing environment utilizes a security measure called tokenization. This process replaces the sensitive cardholder data (i.e., the 16-digit personal account number) with a series of randomly assigned numbers used to process the payment. If the transaction is intercepted during processing or later compromised in a breach, data thieves cannot use the token to commit further fraud or identify the account owner.
3. You are not too small for a payment security breach.
A recent Bank of America report shows that 41% of small businesses have suffered a breach that cost them more than $50,000. First Data estimates that most small businesses that are victims of a payment security breach don't know it occurred until the damage is done. If a breach does occur, mandatory investigative audits of payment security practices cost the average small business about $36,000, according to First Data.
If you are party to a payment transaction found to have offered the lowest level of security, you could be held responsible for costs associated with the breach, including identity protection services for breach victims, the cost of card reissue, fines and legal fees. Merchants who don't accommodate EMV chip cards could be held liable in the event of a payment security breach.
4. You need a multipronged approach to payment security.
Choosing a payment processor that guarantees PCI-compliant payment processing and accommodating EMV chip card technology at the point of sale are two ways to enhance payment security, but you cannot rely on one method in isolation. Your business needs to conduct its own audits to proactively identify vulnerabilities, and potentially adapt those processes as your business grows.
The PCI Security Standards Council outlines the specific protocol merchants should follow based on their volume and type of annual transactions. At a minimum, internal audits of firewalls, networks, hardware and software should take place quarterly, under PCI-compliant processing standards.
5. Not all payment security issues originate with cybercrime.
Not all breaches result from a sophisticated hack. In fact, Computerworld reports that the 2013 Target payment security breach originated with valid login credentials from the company's HVAC vendor that were not properly safeguarded.
Your internal procedures have a significant impact on payment security. Passwords should not be posted on computers or at point-of-sale systems, should be changed at least every few weeks, and should consist of eight characters, including letters (uppercase and lowercase), numbers and symbols.
6. Your staff plays a critical role in payment security.
One employee's innocent mistake can make or break your payment security and cost your business dearly. Conduct ongoing training sessions to ensure secure payment procedures. For example, customer credit or debit card numbers should never be written down or kept on file.
Mobile payments should be processed only with a secure and password-protected connection, using the mobile payment provider's secure app or provided dongle. The operating system of any mobile device used to process payments should be updated to reflect the most recent version (which is often patched when security vulnerabilities are detected).
Payment security is an important issue for any merchant that handles sensitive data. The more you understand how to provide a secure environment in your technology and internal processes, the less risk you face as a business.