How to protect your customers and your company against fraud
Editor’s note: This article is provided for your information by Veracity Payment Solutions, provider of the American Rental Association (ARA)-endorsed Merchant Services Program. More information about the program for ARA members is available online at ARArental.org under “Members,” “Business Resources” and “ARA Endorsed Merchant Services.”
The recent data breach at Target stores, where credit and debit card data for about 70 million customers was accessed, has banks and processors reemphasizing the all-important aspect of security in the world of credit and debit transactions.
As technology advances, so do the abilities of fraudsters. Cyber-attacks and point-of-sale (POS) breaches are becoming more common, regardless of the size of a business. All merchants that accept credit cards must do everything possible to protect their customers — and themselves — against fraud.
Raising merchants' awareness of security issues is one important step toward reducing vulnerability. To that end, maintaining yearly PCI compliance is fundamental; it is also required by the card brands before a business may accept payments with their cards. Merchants that are not certified can incur serious fines and risk appearing complacent should they face a lawsuit as the result of a breach.
The Payment Card Industry Data Security Standard (PCI-DSS):
- Is a set of standards that applies to all card scheme members, including issuers, acquirers, merchants and service providers.
- Dictates how cardholder data may be stored, processed or transmitted, and the systems, policies and procedures that must be used for managing cardholder data.
- Has moved to a position of prominence; compliance must be validated on an annual basis.
Regardless of PCI compliance, credit card companies are imposing fines for breaches to cover the cost of fraudulent purchases from compromised cards. Some companies, like Veracity, offer insurance against data breaches that covers many losses, including fines levied by card companies, costs of audits and investigations, and replacement of compromised cards.
It is also vital that merchants remain proactive when it comes to guarding customers’ data. Protecting point-of-sale (POS) equipment should be at the top of the list. Because your POS terminal records each transaction, sends transaction data to your payment processor for authorization and completion, and tracks customer preferences, it is a valuable source of information for hackers.
In addition to basic features you look for when considering which system to use — versatility, reliability and scope — there are security measures you should take to ensure the safety of the data you are processing with it.
- When you get a POS system, set your own administrative passwords immediately. Change them frequently, at least every 30 days.
- Be selective about who has access to passwords. Only allow access to employees who must have it.
- POS systems that browse the Internet are more susceptible to breaches. Take extra precautions.
- Never use a device that is not Payment Card Industry Data Security Standard (PCI-DSS) compliant and be sure to stay compliant by renewing annually.
- If your business has multiple locations, ensure the passwords are different at each one. Don’t make it easy on fraudsters by giving them access to all the equipment in various locations with one set of credentials.
- Check your POS device regularly to ensure that no skimming devices have been added.
There also has been a surge in card-not-present (CNP) fraud via micro attacks (card testing), shipment fraud, e-commerce fraud, identity theft and card counterfeiting.
Here is a list of common fraud schemes that affect all environments:
- Phishing — Using websites, email links, and text and audio messaging to spoof a legitimate source and trick victims into giving away confidential information.
- Social networking — Ignoring privacy settings, users post photos and personal details or follow links that lead to compromised sites.
- Malware — Infected PCs are trawled for personal information, including passwords, or used to generate bogus alerts and sign-on prompts. This software is also finding its way onto POS terminals.
- Skimming — Originally found on ATMs, skimming devices that steal card details are now found at gas stations, on POS terminals and on portable devices in restaurants.
Data security is complex and ever-changing but regardless of the size of your business, it is paramount. Work with your credit card processor to protect your business and your customers’ information.
For additional information on data security, visit pcisecuritystandards.org or veracitypayments.com.
Don’t forget about mobile security
By John Sileo
When you look at the impact wireless gadgets have on your bottom line, I’m not referring to the unproductive hours you spend on Angry Birds. I’m talking about mobile security.
Think about the most indispensable gadget you use for work — the one without which you cannot survive. I’m taking a calculated guess here, but I bet your list doesn’t include a photocopier, fax or even a desktop computer. Business people have become highly dependent on digital devices that keep them connected, efficient, flexible and independent no matter where they are. In other words, we are addicted to our mobile gadgets: iPhones, Droids, BlackBerrys, iPads, tablets, laptops and the corresponding Wi-Fi connections that link us to the business world.
To stay nimble and ahead of the game, we must be able to respond to any request, such as a call, email, social media post or text message, research anything including a client’s background and solutions to a problem, and stay current on what’s happening in our field of influence, like breaking news and tweets even when we are out of the office.
However, the same gadgets that give us a distinct competitive advantage, if left unprotected, can give data thieves and unethical competitors a huge and unfair criminal advantage. The net result of organizational data theft can be devastating to your job security, your bottom line and your long-term reputation. The solution is to proactively protect your mobile office, whether it’s digital, physical or both. Mobile security is not optional.
If you own any of the gadgets listed above and use them even in minor ways for work, like checking email, surfing and social media, then you have a mobile office. Smartphones and tablets are more powerful than the desktops of just three years ago. Laptops are the bull’s eye for data thieves, though their attention is moving quickly to smaller, easier-to-steal gadgets. If you work out of your car, travel for your company or have a home office in addition to your regular workplace, you are a mobile worker.
Ignoring the call to protect these devices is no different than operating your office computer without virus protection, passwords, security patches or even the most basic physical protection.
If you do nothing about the risk, you will get stung and, in the process, may lose your job, your profits and potentially even your company. The threat isn’t idle — I lost my business because I refused to acknowledge the power of information and the importance of protecting it like gold.
To protect yourself and your company from becoming victims of mobile data theft, start with these critical steps to defend your mobile gadgets:
- Make sure that employees aren’t installing data-hijacking apps on their smartphones and tablets, thinking that they are harmless games. A chess app was pulled from the Android Marketplace because it was siphoning bank account logins off users’ smartphones.
- Implement basic mobile security on all mobile devices, including secure passwords, remote tracking and wiping, auto-lock, auto-wipe and call-in account protection.
- Only use protected Wi-Fi connections to access the web. Free hotspots are constantly monitored by data sniffers looking to piggyback into your corporate website.
- Don’t ignore non-digital data theft risks like client files left in cars, hotel rooms and off-site offices. The tendency to over-focus on digital threats leaves your physical flank, such as documents, files and paper trash, exposed.
John Sileo is an author and speaker on Internet privacy, identity theft and technology security. He is CEO of The Sileo Group, which helps organizations to protect the privacy that drives their profitability. His recent engagements include presentations at The Pentagon, Visa, Homeland Security and Northrop Grumman as well as media appearances on “60 Minutes,” “Anderson Cooper,” “Rachael Ray” and Fox Business. He may be reached at 800-258-8076 or visit sileo.com.
The risk of fraud
By Chuck Gallagher
You may be more vulnerable than you think
We hear a lot these days about identity theft, Internet fraud, email scams or Wall Street defalcations, but the truth is most organizations are more vulnerable to fraud than they might think. Whether it is a church, a nonprofit or a small business that you’ve put blood, sweat and tears into, the chance that you’re at risk for fraud is substantial.
Regardless of the type of organization, most fraud takes place from within the company’s own ranks and, more often than not, is committed by trusted individuals we would never suspect.
By their nature, small businesses, nonprofits or associations are typically run on a shoestring budget, which makes staffing tight and internal controls limited. While most people are trustworthy, external factors can create a need that, when combined with opportunity and a dose of rationalization, can create the potential for unethical and fraudulent activity.
When the perfect storm of fraud hits and the illusion fades into reality, the devastation that fraudulent activity creates becomes clear. Every choice has a consequence, and the consequences of fraud are significant and far-reaching.
According to the Association of Certified Fraud Examiners the following are red flags for fraudulent behavior:
- Most fraud is committed by people who have worked in the organization for a number of years. People who have 10 years or more of experience with the organization cause higher fraud losses. Why? The longer a person is employed within a company, the greater the trust and responsibility. Likewise, trusted employees are not often considered candidates for fraud.
- Individuals in one of six departments commit the vast majority of all frauds: accounting, operations, sales, executive/upper management, customer service and purchasing. If fraud occurs in your business, it is likely by someone who has opportunity. Individuals in these six areas have the greatest opportunity to violate trust.
- Fraudsters displayed one or more of these red flags before or while committing fraud: living beyond their means, having financial difficulties, forming unusually close associations with vendors or customers, and excessive control issues. Any of these behaviors could be a sign of impending danger.
Excessive control is a significant sign that something might be amiss. When people are unwilling to let go of their control, take a vacation or insist that only they can do the task, leadership should step back and examine the role and function more carefully.
Management has a responsibility to understand the three components of unethical, and often illegal, behavior: need, opportunity and rationalization.
As a manager of your organization, ask yourself, “What steps am I taking to protect my most valuable assets — my employees — from making dangerous decisions that impact them and my organization?”
Chuck Gallagher is president of the Ethics Resource Group and an international expert in business ethics. He provides training, presentations and consultation with associations and companies on ethics and creating ethical cultures where people do the right thing, not because they have to, but because they want to. He can be reached at 828-244-1400, email firstname.lastname@example.org or visit chuckgallagher.com for more information.