Remember the public service announcements of the 1970s and ’80s asking parents, “Do you know where your children are?” As a business owner in today’s dangerous business environment, you should be asking yourself, “Do I know where my customers’ data are?”
I had dinner recently with a colleague who was complaining that while traveling in Florida for business, her primary card was compromised and the bad guys ran up $31,000 in transactions at various retail locations around the country before anyone noticed “unusual activity.” While I am sure that many people reading this have had a somewhat similar experience, many may not realize how this can happen.
In this particular case, the victim was an expert in the card-processing arena and was able to zero in on the point of compromise. She was able to determine that the card data were taken from one of three stores where she purchased something while in Florida.
In each of these three situations the card was out of her possession for a brief period of time. The current thinking from her card issuer is that one merchant’s employee collected her card data (including a mag-stripe read) and transmitted that data to a bad guy who cloned her card and used the clone to run the $31,000 in fraudulent transactions.
As a merchant and owner of the business (and the signer on the merchant processing contract with your credit card vendor), you are responsible for the behavior of your employees. If one of your employees is skimming card data, your business (and possibly you) will end up having to deal with the card brands and local, state or federal authorities to resolve this issue.
No one wants to have to post a message on his or her website or Facebook page like the one I saw recently from a merchant…
“To Our Valued Customers,
In reference to the recent news story featuring us…We take our customers’ security and privacy very, very seriously, and have taken action to assure that any wrongdoings done by this person were brought to the attention of the proper authorities…”
Depending on the severity of the breach, this could very well be a life-ending event for your business.
So, what can and should you do?
As the business owner, you should be aware of how your employees handle consumers’ credit cards and the sensitive data on those cards.
You should not only establish policies that enforce appropriate behavior but also perform periodic audits and training sessions. During an audit, you, as the owner, should “follow” a transaction from the point that a consumer provides card data to one of your employees all the way through to the point that the card data are no longer available to that employee.
Normally, this happens during the sales process, when a customer hands over the card and it is swiped through the terminal, then handed back to the consumer. In some cases you may have more elaborate processes, but each process should be reviewed and have appropriate security policies crafted.
Employees should be advised that theft of credit card data is a felony, and that if they see suspicious behavior they should report it to the appropriate person.
Please take a minute and consider where your data are – and who in your business has access to that data. It might be an eye-opening and business-saving experience.
John Mayleben, CPP, is Retailers Processing Network senior vice president, technology and product development, and a national expert on electronic payment processing. He was the first person in Michigan and among the first in the nation to receive the Certified Payments Professional designation from the Electronic Transactions Association.