Guest post: 8 Security Tips for Small Businesses Accepting Payments Online

December 23, 2016 Payments
John Rampton
By John Rampton, Founder, Due

If there is one thing that both business owners and customers should agree on it’s ensuring that there aren’t any data breaches. After all, data breaches have impacted millions of customers and have cost businesses millions of dollars. Take, for example, the disastrous breach that Target experienced in 2013. It resulted in more than $252 million in losses for Target, including a $10 million class action settlement and $106 million in reimbursements to financial institutions.

While larger enterprises may be able to absorb such an attack, small business owners most likely don’t have the resources to rebound from such a detrimental breach. By following these eight security tips, they may at least have a fighting chance to combat security breaches and confidently accept online payments:

1. Select a secure platform.

Not all eCommerce platforms or payment processors take security as seriously as others do. In fact, there are some platforms that go above and beyond when it comes to protecting their customers’ data. For instance, my company Due has made security a priority by using multiple layers of security. My company also adheres to the latest PCI Data Security Standards (PCI-DSS).

Remember, when looking for a reputable eCommerce platform or payment processor, seek out those companies that have solid customer reviews for their security features. Even if that platform is more expensive than a lesser-known alternative, it’s definitely worth the upfront investment.

2. Stay up-to-date on PCI compliance.

Businesses need to be aware of the Payment Card Industry Data Security Standard (PCI DSS). This is a set of standards that require compliance on the part of any business that processes credit card payments. It’s your responsibility to guarantee the protection of your customers’ cardholder data by establishing strong access control measures, such as Secure Sockets Layer (SSL) encryption and authentication on your website. Failure to comply with these standards can result in fines and the loss of trust from your customers.

To make sure that you are in compliance, I would take a PCI Self-Assessment Questionnaire. These questionnaires require that you provide “yes” or “no” responses regarding your company’s data security.

3. Stop storing customer’s data.

Here’s one of the most important rules to remember when it comes to security: if you don’t need it, don’t store it. However, that doesn’t mean that you can’t store basic information like a customer’s name and account number.

What it means is that you are not permitted to store CVV data, which is the three- or four-digit number on the back of your debit or credit card. While it’s not uncommon to ask customers for their CVV code while processing a transaction, storing those numbers is a big no-no. In fact, PCI has strict standards against storing this type of information. To play it safe, make sure that you don’t store credit card numbers, and purge old customer records.
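As an added example (not code from the original post or from Due), here is one way to enforce the rule above in a checkout handler: sensitive authentication data such as the CVV is dropped before a record is persisted, the card number is reduced to its last four digits after a Luhn sanity check, and records past a retention window are purged. The field names, the 365-day window and the sample records are assumptions for illustration.

```python
import re
from datetime import date, timedelta

# Fields PCI DSS forbids storing after authorization (assumed field names).
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "track_data", "pin"}


def luhn_ok(pan: str) -> bool:
    """Luhn checksum on a digits-only primary account number (PAN)."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def sanitize_for_storage(record: dict) -> dict:
    """Return a copy of a checkout record that is safe to persist.

    CVV and other sensitive authentication data are removed; the full
    card number is replaced by its last four digits. The original dict
    is left untouched so the caller can still send it to the processor.
    """
    clean = {k: v for k, v in record.items()
             if k.lower() not in FORBIDDEN_FIELDS}
    pan = re.sub(r"\D", "", str(clean.pop("card_number", "")))
    if pan:
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid card number")
        clean["card_last4"] = pan[-4:]
    return clean


def purge_stale(records, today_iso: str, max_age_days: int = 365):
    """Keep only records created within the retention window.

    Dates are ISO strings (YYYY-MM-DD); the window is an assumption.
    """
    cutoff = date.fromisoformat(today_iso) - timedelta(days=max_age_days)
    return [r for r in records if date.fromisoformat(r["created"]) >= cutoff]
```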

4. Keep your networks separate…and encode and encrypt data.

Another effective security measure that you should take is to keep your customers’ credit card information on a different system than the systems that you use for everyday work, such as the network employees use to access the Internet. This doesn’t just comply with PCI standards; this strategy also helps prevent hackers from stealing this sensitive information. In addition to storing your customers’ data in a separate location, don’t forget to encode and encrypt this data.

5. Use effective firewalls.

Besides being required by PCI DSS, firewalls are your first line of defense. In fact, Verizon’s 2015 PCI Compliance Report discovered that a whopping 73% of companies that had experienced a data breach did not meet the PCI controls for maintaining effective firewalls. Suggested firewalls for small businesses include FireEye, McAfee, Fortinet, Palo Alto, and Cisco’s ASA 5505.

6. Consider using multi-factor authentication.

Even if your customers have selected an excellent and secure password, they’re still susceptible to security breaches. That’s why it’s recommended that you implement several methods of authentication, including keystroke or biometric authentication for digital payments. If you’re not equipped to start handling biometrics, then you can use a preselected image or security question that the customer has to recognize or answer in order to proceed. Remember that the more methods you use to verify the customer’s identity, the more difficult it will be for hackers to intercept their data.

7. Keep all of your systems up to date.

It should come as no surprise that out-of-date systems are extremely vulnerable to cyber-attacks. Whether it’s WordPress, Shopify, or your antivirus software, make sure that you install an update as soon as it becomes available. In most cases, these updates occur automatically, but if you want to avoid any potential security disasters, then make sure that all of your systems are running the latest version of the software.

8. Educate your employees.

Did you know that a majority of data breaches are due to human error? That means that, even if you spend thousands of dollars on the latest and greatest security systems, your customers’ credit card information can still be compromised if your employees don’t have the proper training. Inform them about the most common security risks and keep them updated about the latest threats. Most importantly, train your employees so that they never click on unsolicited e-mail attachments, never share sensitive information with unauthorized individuals, and never leave USB drives or devices storing sensitive information unattended.

A Vigilant Strategy

On top of doing these things for my company as part of the overall business strategy, I have to remind myself to always stop and take the time to educate myself and stay updated so I’m prepared to make security decisions for my company and assist my staff so they know how to put security first. It’s about being vigilant in fighting these breaches, always staying one or more steps ahead.

About the author

John Rampton, Founder, Due

John Rampton is an entrepreneur, investor, online marketing guru, and startup enthusiast. He is founder of the online payments company Due. John is best known as an entrepreneur and connector. He was recently named #2 on Top 50 Online Influencers in the World by Entrepreneur Magazine and a Blogging Expert by Time. He currently advises several companies in the SF Bay area.