7 Tips to Secure Your Retail Store
Even businesses with the best intentions can fail to maintain important security practices in their workflows. If you accept credit cards, you have to consider your customers’ privacy and data security in addition to defending your physical storefront.
We’ll run through seven best practices for securing your retail store. Being smart about your business’s security starts with the people you hire and ends with a robust framework for handling emergencies when they occur.
Hire Smart
You may be tempted to value likability when hiring storefront employees. That isn’t an inherently bad practice, but it should not be valued over integrity. It’s important to secure background checks for all employees you hire, including seasonal workers. Temporary workers are especially suspect as their lack of commitment to the business can result in petty theft and refund fraud.
While you may feel like you’re in a rush to fill a necessary position, taking the time to properly vet your prospective employees is a good way to proactively prevent fraud.
Additionally, you can limit user access to required actions. For instance, your payment technology will commonly allow you to issue refunds. Consider restricting unnecessary personnel from using this feature as a way to reduce the risk of refund fraud.
Minimize Access to Cardholder Data
If just one recommendation sticks, let it be to never store cardholder data at your retail location. It can be a common practice to write down cardholder information to process a payment later or charge a customer in the future. Treat this data as a liability: the risk grows with every piece of cardholder data kept on your premises that isn’t encrypted.
Even if you’re not storing cardholder data on paper or in an Excel spreadsheet, you should think about how cardholder data interacts with your network and workstations. Any business that processes, stores or transmits cardholder data is subject to the Payment Card Industry Data Security Standard (PCI DSS), which puts your credit-card-accepting business within scope.
This is a topic to discuss with your merchant service provider. Don’t settle for a vague guarantee that your payment environment is secure; ask how your credit card terminal and computer interact. If native software is installed to use your POS system, you’re within PCI scope and are at a greater risk of a data breach. We recommend segmenting your data so it only flows where necessary (i.e., from the terminal directly to the processor).
Implement Tokenization
We recommend a solution that lacks middleware, connects to the Internet directly and features tokenization, which is an encryption method that swaps sensitive cardholder information for a randomly generated string of characters and numbers that have no value if breached. This token can only be decrypted at the end of the payment process — with the payment processor — which protects your customers’ data as it passes from one provider to the next for authorization.
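To make the token-for-card swap concrete, here is an added illustration (not PayJunction's code or any real processor's API) of the flow described above: the processor keeps the only mapping from token to card number in its vault, while the merchant stores just the token and the last four digits. The card number used is the standard Visa test number, and the class and function names are assumptions made for this example.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Check a card number's Luhn check digit (catches typos, not fraud)."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class ProcessorVault:
    """Processor-side vault: the only place a token can be mapped back to a PAN.
    Hypothetical class for this example; a real processor exposes this over an API."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}   # token -> PAN, never leaves the processor

    def tokenize(self, pan: str) -> str:
        """Swap a validated PAN for a random token that carries no card information."""
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        token = secrets.token_urlsafe(24)   # unguessable; worthless if breached
        self._vault[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        """Only the processor can resolve a token at authorization time."""
        pan = self._vault.get(token)
        if pan is None:
            raise KeyError("unknown token")
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}


def merchant_store_card(vault: ProcessorVault, pan: str) -> dict:
    """What the merchant keeps on file for repeat charges: token plus a display hint, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:]}


if __name__ == "__main__":
    vault = ProcessorVault()
    record = merchant_store_card(vault, "4111111111111111")   # constructed test PAN
    print(record, vault.charge(record["token"], 1999))
```

A stolen copy of the merchant's records yields only tokens, and a token presented to any vault other than the one that issued it is rejected as unknown.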
Inspect Your POS Equipment
There are a few protocols you can put in place to protect your payment hardware and train your staff. First, keep track of all inventory that’s used to process cardholder data. This includes USB swipers and credit card terminals. Create a schedule for inspecting these devices for items plugged into ports, scratches near seams and connection ports as well as any unfamiliar objects attached to the terminal.
Train your staff to spot signs of fraud, both on the terminal and in customer behavior. If a customer comes in, fails to buy anything, but loiters at your checkout counter, it may be worth taking a few moments to inspect your devices.
Upgrade to EMV
Although many credit card terminals today feature a chip card slot, many don’t work due to a lack of EMV certification. The process to become EMV certified can take years, which is why some providers falsely advertise EMV equipment to grow their customer base in the wake of the liability shift.
If your business has a non-working EMV terminal, upgrade to a certified one now. EMV chip cards boast a proven reduction in fraud, which helps protect both your business and your customers. Furthermore, due to the liability shift noted above, any business that swipes a chip card is now responsible for any resulting fraud-related costs.
Banks are even issuing chargebacks on their own (without customer intervention) to dissuade businesses from swiping chip cards. A signature cannot protect you from these chargebacks or instances of fraud.
Plan for the Worst
Don’t avoid emergencies and pretend that they’ll go away. Before a data breach occurs, draft an emergency response plan. This plan should help you isolate the point of fraud and document steps you’ll take to address the breach with your customers and regulators. With a plan in place, you’re more likely to act in a responsible and thoughtful way that helps retain customers and minimize damage.
Partnering With a Secure Payment Provider
Some of these tips, like hiring smart and inspecting devices, are 100 percent in your hands as a business owner. Others, like your network segmentation, fall into the hands of your payment provider.
If your payment provider is not PCI DSS Level 1 compliant or does not protect against these fraud vulnerabilities, it’s worth your time to reevaluate your partnership and seek other providers. It can feel like a chore, but your business’s success is at stake. A data breach significantly hurts businesses in terms of lost customers and trust as well as fines. Enough instances of fraud can even result in merchant account termination. Without the ability to accept credit cards, your business may not survive (and likely won’t grow). Take the time to look into secure payment providers that offer cloud-based, EMV-certified equipment, tokenized data storage and assistance with your PCI DSS compliance.
About the Author
Christina Lavingia delights in crafting content that helps business owners fight fraud, reduce risk and process payments with ease. PayJunction is a leader in green payment technology and integrates with RetailOps as a merchant account provider and payment gateway.