I’d really like to address a potentially huge liability for our
industry and the people in it. As we all know, there’s been a huge
effort to secure credit card data from the issuing perspective.
There have been some highly publicized hacks that have led to lots of
action to stop the problem. The security issues we seem to hear
about most don’t really involve most of us. We couldn’t do anything
about them even if we wanted to! However, I’d like to bring up some
HUGE security gaps that touch almost all of us every day. I’ll also
mention some simple things that we can do to mitigate the problems.

I’m talking about the security of the merchant’s personal data put on
the merchant application. As we hear every day, one of the fastest
growing forms of fraud in the U.S. is identity theft. This is where
someone uses the personal information of another to get credit and
purchase merchandise in that person’s name. You can bet the bad guys
have no intention of making any of the payments for merchandise
bought under assumed identities, leaving the real person holding the
bag. What you’re probably starting to realize is that your standard
merchant application and voided check is everything that a scam
artist needs to perpetrate such fraud. Actually it’s everything
they need, plus a bunch of bonuses. Think about what your standard
merchant application is likely to contain: the merchant’s social
security number, a home address, his birthday, bank account and
routing numbers, his signature and a number of other details that
fraudsters would find useful. Now, think about how merchant
applications are handled and the process with which you and your
staff treat them.

When I first started in this business it was simple. We used to
write an application and ship it to the processor for approval. I
didn’t keep a copy and I’m fairly sure that the original was kept
safe once the processor received it. (wink, wink) Now, with the
advent of faxed, PDF and web-based applications all that has
changed. Now we may write a merchant application, fax it to the
processor and file the original at our home or office. We’d be
foolish to think that there are not people who either immediately or
eventually throw these documents in the trash. This is a big NO-NO.
You’d better buy or use a shredder to dispose of these
applications. While they are filed we should make some effort to
secure them in a locking-type file cabinet or box. Just because they
are in your house or office doesn’t mean that your cousin Leroy’s
girlfriend who’s spending the weekend, or, more likely, a temporary
employee can’t get their hands on them. So to be simple, lock them
while you keep them and shred them when you throw them away.

Next, I want to talk about emailed applications. Sometimes we will
fill out a PDF application or scan a paper application and email it
to our processor for approval. NEWS FLASH - email is NOT SECURE.
When you send an email to your aunt Rosey with pictures of your kids,
that email goes out and is stored in a lot of places before Aunt
Rosey gets it. Anyone along the way can read your email and look at
pictures of your kids. Also, that email is normally saved somewhere
on the computer that sent it and the computer that received it. So now
we have to ask ourselves “who has access to each computer?” Who at
home or at the office could look at your computer? Can Leroy’s
girlfriend or the cleaning crew copy your files? Does your
computer contain spyware or Trojans that let other people view
content on your computer? What do you do with the computer when it
breaks or you get a new one? These are all important questions, and
once you’ve answered them, a little proactive effort on your part
can make a HUGE difference.

First, make sure the user settings on your PC require a password for
login and, most importantly, make sure others don’t have this
password. Try not to share your PC with anyone even if you have
separate passwords. Second, when emailing applications, try securing
them with a password that the processor needs to know to open or
unlock them. Both Word and Adobe have the ability to password
protect a document before you email it. That way if someone else
views the message it’s far more difficult for him or her to view the
application. Don’t write things in the body of the email that you
wouldn’t want the world to see. I’ve had reps email me their bank
account and routing #’s. With that information a criminal could
clean out their account. There are free encryption programs
available that can make your emails readable only to those with the
key. Keep your virus protection program updated and get one if you
don’t have one. Get a good spyware or adware blocker that will
prevent hackers from viewing information on your computer. Last, be
aware of what happens to your computer when you outgrow it. Make
sure you reformat the hard drives and reinstall the basic system
software. If the computer is not working, take the hard drive out
and physically destroy it.

In the end, if this information is compromised and it’s traced back
to you, YOU ARE LIABLE. This could mean HUGE fines and HUGE
lawsuits. With this in mind, here are some suggestions, things we do
in our office to protect merchant data. They are simple and
inexpensive. First, each computer requires a user ID and password to
log in. (FREE) People can give out passwords, so we immediately
change them when someone leaves. (FREE) No one is allowed to type
sensitive information in the body of an email. That includes social
security numbers, account and routing numbers, credit card numbers or
any of our company passwords and IDs. (FREE) Next, any applications
that contain sensitive information are password protected using Adobe
Acrobat as soon as we create them or receive them. (ADOBE $150) Any
paper applications are immediately scanned and password protected, and
then the paper copies are either destroyed or secured in a locked
cabinet. (CABINET $100) All of our computers have Norton Antivirus
Corporate Edition and are kept up to date. (NORTON $75) We use free
anti-spyware and anti-adware programs on all our PCs and keep them up
to date. We use Spybot and SpywareBlaster. (FREE) Whenever one of our
PCs has to go off premises for maintenance we back up and reformat
(erase) the hard drive. (FREE) Last, I’ve had a lot of fun taking old hard drives
out in the back yard and using one of my rifles or handguns to blast
them to pieces. (BULLETS $2.50) Sometimes I draw little faces on
them, although I won’t say who they represent. (You know who you are).
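
As an added illustration (not part of the original article or the author's office tooling), the rule that no one types social security numbers, routing numbers or credit card numbers into the body of an email can be checked automatically before a message goes out. The function names and the sample message are assumptions made for this example, and every number in it is a constructed test value.

```python
import re

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
ROUTING_RE = re.compile(r"\b\d{9}\b")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def aba_ok(digits):
    """ABA routing number checksum (weights 3, 7, 1 repeating)."""
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(digits, weights)) % 10 == 0

def scan_body(text):
    """Return (kind, masked_value) for each likely sensitive number found."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):                 # checksum filters out order numbers etc.
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in ROUTING_RE.finditer(text):
        if aba_ok(m.group()):
            hits.append(("routing", "*****" + m.group()[-4:]))
    return hits

# Constructed sample message; every number is a made-up test value.
SAMPLE = (
    "Hi, here is my info for the deposit.\n"
    "SSN 123-45-6789, routing 123456780, ticket 555123456.\n"
    "Card 4111 1111 1111 1111, order ref 1234 5678 9012 3456.\n"
)

if __name__ == "__main__":
    for kind, masked in scan_body(SAMPLE):
        print(f"BLOCK: {kind} found in message body ({masked})")
```

The checksums keep ordinary nine- and sixteen-digit reference numbers from triggering the check, and the hits are masked so the report itself does not repeat the sensitive value.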