Existing payment trends make one thing clear: Cash is on its way out. A 2020 Worldpay, Inc. study predicts that point-of-sale (POS) cash payments will drop from 30.2% of sales to just 18.7% by 2023. While carded payment processing (both online and in brick-and-mortar stores) can lead to more revenue opportunities, however, they also pose security risks that don’t exist with cash at POS.
Businesses that lean heavily on digitally-focused payment processing systems become a target for cybercriminals looking for an easy score. Data breaches can cost $200k or more—enough to destroy most small businesses. Whether you accept payments online or through a physical POS device, hackers and cybercriminals can take advantage of flaws within these systems.
As your business expands its reliance on payment processing, consider the risks associated with accepting payments through websites and apps, or through modern, internet-connected POS devices.
Utilizing E-Commerce? Beware Of Malware, Cross-Site Scripting, And Credential Stuffing
It seems natural to trust your merchant payment processor to handle the heavy lead on security. Merchant payment processors like PayPal, Stripe and others process customers’ credit card information via a secure connection to the merchant’s services.
Yet although this process limits your exposure to potential security risks, it doesn’t eliminate it. Using various techniques, hackers can steal customer names, email addresses and credit card data before, during or after checkout. Your business should be concerned about these threats in particular:
- Malware: Malicious files designed to steal data can be installed onto your website through a variety of means.
- Cross-site scripting: By using vulnerable or compromised web applications, hackers can inject malicious scripts onto your otherwise-secure website to steal data.
- Credential stuffing: Hackers with your customers’ username and password combinations can gain access to user accounts to steal information, steal accounts, or make unauthorized purchases.
And although it’s a bit out of your hand, you should consider the impact phishing websites can have on your businesses’ reputation. In this method, cybercriminals create a copy of your website that looks real enough and divert potential customers to that site. They can then gather login credentials or payment information from those individuals who believed the website was actually yours.
POS Systems And Devices Hold Security Risks For Brick-And-Mortar Purchasers
Your POS systems are far more secure against attacks than your website or mobile app, but they aren’t invulnerable. Modern, internet-connected POS systems are essentially computers with all the same vulnerabilities as any other device. Malware threats and illicit access through internet ports are both possible.
This is exactly what happened to Target several years ago. Hackers took advantage of one of the store’s third-party vendors in a sophisticated, roundabout way to gain access to its network of POS systems. From there, the hackers installed malware that stole around 40 million customer credit card accounts.
Small businesses think they can breathe a little easier knowing they aren’t as big a target as Target. But every modern POS system could be connected to the internet and broadcasting its purpose. So they’re actually at a higher risk as their false sense of obscurity could mean they’ve not invested enough in their security.
Steps To Shield Payment Processing From Cybersecurity Threats
Reverting to a cash-only operation is likely out of the question. So invest in strategies that protect customer data, reduce how much data you collect, and minimize your overall presence to cybercriminals.
Step 1. Protect Customer Data With Multi-Factor Authentication (MFA).
MFA is a critical, modern protocol that requires account users to verify their identity using a separate device or account. This can come in many forms, such as biometric data (fingerprints or facial recognition), authentication apps or even a simple text-messaged code. (Use caution with the text-message code. If a person’s cell phone gets stolen, it could be set to display text messages without having to unlock the device.)
Research from Google finds that even simple two-factor authentication can prevent 100% of automated bot attacks, 99% of bulk phishing attacks (e.g., credential stuffing) and 90% of targeted attacks.
Some businesses are apprehensive about employing multi-factor authentication for fear that it will drive away customers; this is understandable. The key to effective MFA is using a fast system that doesn’t require users to re-authenticate too frequently.
One more note: Don’t just use MFA with your customers. Require it for your workers’ accounts as well.
Step 2. Protect Data By Phasing Out Unsecure Payment Processing Methods.
As simple as this may sound, many small businesses still collect credit card details via email when making sales. If your business is still doing this or using other unencrypted methods, it’s time to stop. Immediately. Hackers that gain access to your business email or databases will have free rein to any information they find.
This brings us back to third-party vendors. A trusted merchant payment processor minimizes your exposure and the amount of personal data you collect by handling the data for you. Many businesses use merchant processors such as PayPal and its competitors for this reason alone.
Customers making online payments sign into their merchant account where their card data is stored. The payment is processed via the merchant processor, while your business is left unexposed.
Step 3. Protect Customer Data By Securing Your POS Devices.
If your brick-and-mortar operation uses modern POS systems, those devices are connected to the web and can be a point of exposure. Limit that exposure by installing antivirus software, turning on device encryption (available on most modern POS systems), establishing strong network passwords and protocols, placing them behind a firewall, and restricting their use to only POS activities. Also ensure they are regularly updated with the latest security patches and firmware.
Also note that your POS devices are physical—and therefore not tamper proof. Establish security procedures with your employees to ensure others aren’t installing malware on these devices while their backs are turned. And keep your POS hardware and software updated. As with any computer, outdated devices are more prone to malware infection.
Step 4. Protect Customer Data By Teaching Your Employees About Good Data Protection.
Whether by malicious intent or accident, your employees are the biggest risk factor in a data breach. Everything from leaving devices unsecured and open to clicking phishing links could expose your business and customer data.
Teach employees best practices in data security. If necessary, hire an outside firm or company that can help you in this effort. When employees understand what a potential threat looks like, they’re more likely to avoid it.
You should also minimize the amount of access employees have to customer data. Following the rule of least privilege, grant an employee access to only the information they need to do their job. If an employee’s computer gets compromised, limiting their access to data will slow the attacker and minimize the damage. And, although we trust our employees, internal data theft is a very real problem that we cannot ignore. This can be somewhat mitigated by outsourcing card processing to a third-party vendor (as mentioned above). But again, make sure the vendor you use can be trusted and maintains high standards for sensitive data security.
Step 5. Limit Data Collection And Protect Data With Third-Party Vendors.
Third-party payment processing vendors have unprecedented access to business customer data. When they use poor security practices, it leaves this data highly exposed to theft. Over 40% of business data breaches involved a third-party vendor in some way. Properly vetting your vendors and only using those that employ strict data security policies can significantly reduce your payment processing system security risks.
The vetting process may not be simple if you’re not sure what effective data security looks like. Small businesses don’t typically have an IT security department or professional to answer those questions for them. However, you can hire an independent security professional or company specializing in helping small businesses navigate this process.
Nevertheless, trustworthy third-party vendors are an excellent shield between your business and data collection. They’re an excellent way to maintain customer data that you can hedge without actually collecting or storing yourself. Just make sure to budget more money for better quality vendors if you can. Lower-cost third-party vendors could skimp on security tools and infrastructure.
Step 6. Minimize Exposure To Threats By Beefing Up Website Security
Even with a trusted payment processing third party collecting and storing payment information, your website can still be a point of weakness. So take additional steps to secure this vital part of your payment processing setup:
- Audit and update backend apps, especially if you’re using WordPress or other plugin-based content management systems.
- Upgrade to SSL or TLS website encryption. This type of encryption keeps hackers from being able to steal data being transmitted to and from your website. Not sure if the site you’re using is secure? Check for a green lock symbol next to your web address. Although encryption is most critical on login and checkout pages, it’s best to apply it sitewide.
Cybercriminals and hackers search for websites (and especially payment processing pages) with minimal site security. While they’re more likely to attack large enterprise businesses where the payoff is bigger, they know smaller businesses tend to spend less money on security. If your website is well protected, it pushes your businesses farther down their priority list.
The idea of building out your website security on minimal funds is not without precedent. Given the risks, however, it’s a worthy investment. Thankfully, many website security costs are tax deductible as ordinary business expenses. Work with a qualified business tax CPA to make sure you’re taking advantage of every break that applies.
We also recommend hiring an experienced technology solutions consultant when taking steps to secure your payment processing system. Cyberattack methods are constantly evolving, and these professionals keep up with the latest developments. Their knowledge can help ensure your business—and your customer data—is well protected against these threats.