These are not isolated cases. Merchants large and small have been victimized, and, in turn, have unintentionally victimized their own customers. And yet, all could have taken steps to protect their customers’ data – and their reputations – with the latest in encrypted swipe technology and other common-sense safeguards to bolster end-to-end security. They would have removed the threat of customer losses and potentially hefty fines for safety non-compliance.

The Scope of the Problem

Credit card compromise occurs when an unauthorized party takes advantage of a flaw in a system that processes, transmits or stores cardholder data. Level 4 merchants – those with the fewest annual credit card transactions – are at the greatest risk of compromise. And more than half of fraud cases involve merchants in the food service industry.

Think of POS data security as a chain link fence. There are multiple areas of vulnerability – an interloper might go over the top, or look for a weak spot, or crawl underneath. A data security compromise is much the same. The crime can occur at any point in the transaction process – from point of service to back-end processor – but 71 percent of the time it takes place at the hardware POS terminal. Right there on the counter of the store or restaurant.

From packet sniffing software to malware on store servers, to crooked employees, there are a whole range of threats to merchant transaction security. The smaller merchant is at enhanced risk because of factors ranging from improper installation or the use of older software to a lack of computer security sophistication. Whatever the cause, the mom-and-pops can be subject to outrageous fines passed down from the card company to processor to retailer.

As an example, the card processor passed its $27,000 fine for the breach at the California restaurant/microbrewery to the merchant – a dollar sum that equaled five days’ sale of food and beer. (Wall Street Journal, 9/22/07 “In Data Leaks, Culprits Often Are Mom, Pop”).

Often, the problem is system installation that disregards Payment Application Data Security Standard (PA-DSS) protocol. The improperly installed software package might be storing track data – a security no-no – that’s later illegally accessed. For instance, the California restaurant/microbrewery was discovered to have inadvertently stored account data on nearly 12,000 customers. That’s not as shocking as it sounds. A recent survey by VISA and the National Federation of Independent Business found that 52 percent of businesses with fewer than 250 employees were storing such sensitive data as credit card customer names, account numbers, expiration dates and security codes.

The Case for Encrypted Swipe

While full Payment Card Industry Data Security Standard compliance is an excellent start, it’s not enough. A lock on the gate does little good if a section of chain link is knocked down a few feet away. The PCI mandates that credit card data must be encrypted when stored or being transmitted, but the information can still sit unencrypted within the merchant’s private network, at the card reader, while awaiting authorization.

With encrypted swipe, the data on the card’s magnetic strip is never available to prying eyes. The user is offered end-to-end protection, from point of swipe to point of acceptance. MagTek, a leading provider of encryption technology, has partnered with Payment Processing, Inc., to offer data encryption in a POS terminal bundle. The result of such seeming redundancy is a system so protected, the cyber-criminal will be more prone to look for easier pickings. Why climb the chain link fence with razor wire at the top when you don’t have to?

Simple Steps to Safety

When used in conjunction with encrypted swipe technology, these steps will help your customers ensure the safest possible POS environment:

• Make sure the POS system is PA-DSS compliant. The Payment Application Data Security Standard is endorsed by the five major payment card brands to ensure that payment applications don’t store sensitive card data and don’t have flaws that draw hacker attacks. Learn more about compliancy at www.pcisecuritystandards.org.
• Make sure the software is installed in a PA-DSS compliant environment
• Select a trusted payment processing partner. The company providing the retailer’s merchant account should be listed as PCI compliant.
• Consider taking the extra precautionary step of signing up with a Qualified Scanning Vendor (QSV). These security experts will analyze your POS system, subjecting it to every feasible attack vector. If the application can be breached, the QSV will breach it. Based on the findings, the QSV will help bring the application compliant with Payment Card Industry Data Security Standards.

Build Your Fence

No system is foolproof, and the most difficult challenges often become the targets of the most determined hackers. But if you can easily and inexpensively install a POS solution that acts as a very high chain link fence – and is installed in collaboration with other security features to protect customer credit cards– only one question remains.

Why wouldn’t you?

Retail businesses that are planning to buy a POS system often make the mistake of purchasing POS hardware before POS software. The selection of your POS software is the most important aspect of purchasing a point of sale system. The POS software you choose must take into account how you do business and provide all of the functionality that your type of retail store requires. For example, many store types such as consignment/thrift stores have a number of industry point of sale software packages specifically designed for that type of business.

It is also critical to understand that not all point of sale software and hardware are compatible. Make sure to buy your point of sale software first and then select hardware from the approved hardware vendor list provided by your point of sale software developer. In addition, selecting a point of sale software that is easy to use is important. Many POS software companies offer free demo programs, inquire about how you can test out their pos software.

How Will You Process Credit Cards?

Most point of sale software companies have options for selecting integrated payment processing or have established relationships with payment processing vendors their software is authorized to work with. Not all point of sale software and credit card processing vendors are compatible either, so ask your point of sale software provider who they recommend for payment processing. And remember, credit card processing is a competitive industry, so make sure you compare rates and fees to ensure you are getting the most affordable processing rates and fees possible.

After Sale Support and Hidden Costs

What happens when your point of sale system crashes? Do you have a local point of sale reseller that offers fast and reliable phone or onsite technical support? Do you know what they offer in terms of typical response time, replacement units, or repair capabilities?

While getting a down POS system up and running is critical, it is also important to understand what the total cost of ownership is for your point of sale system. The original purchase price is one aspect of the total cost, but the ongoing maintenance and service costs must be accounted for as well. Make sure your contract clearly states what your rates are for technical support and repair services.

Don’t Wait

While many new retail store owners are busy tackling a number of issues before opening day, training and implementation of point of sale and credit card processing technology often gets pushed to the back of the to do list. Make sure you set aside ample time to do training and testing with your employees before your store opens. Nothing will deter repeat business more then not being able to check out waiting customers!