Women’s clothing and accessories company Bebe announced last month that it recently detected what it called “suspicious activity” on the computers that run its payment processing system.
Bebe’s announcement adds one more event to a growing list of data security breaches. Target, Home Depot, eBay, and many others have all been targeted by hackers.
For their part, consumers have trusted that if their data is compromised in one of these attacks, their bank will not hold them liable for fraudulent charges made with the stolen information.
But what about your dealership? Could you be held liable for purchases made at your dealership with stolen information?
The answer is: yes. In some situations, you could be held liable. But before you get worried, I want to show you that, in most cases, these costs are avoidable.
Here are steps you can take today to avoid being held liable for fraudulent charges in your dealership:
1. Get and Stay PCI Compliant
Do you know if you are PCI compliant? Payment card industry compliance is a big deal and is mandated for all retailers by the Global Payment Card Industry Security Standards Council. Staying compliant may seem like a major headache to you, but it is necessary to help protect both the card issuer and the retailer, and to help you avoid fees assessed for non-compliance.
Many processors offer programs to help you. They consist of questionnaires, quarterly scans, and support in addressing areas of vulnerability. Many processors even offer breach guarantee programs.
Reach out to your processor to see how it can help you stay PCI compliant.
2. Be Ready for EMV
EMV is a new type of payment card here in the U.S., but it has been widely seen as the standard for several years in Europe and Asia. It is named after its developers: EuroPay, MasterCard, and Visa.
These credit and debit cards have a small embedded microprocessor chip, which contains dynamic information about the owner. These chips, along with the holograms on the cards, make it much harder for thieves to use and duplicate them.
Instead of swiping an EMV card, you insert it into the bottom of the payment terminal. The card stays in the machine for the duration of the transaction.
You may not see a lot of EMV transactions being made today, but Visa, MasterCard, Discover, and American Express have set October 1, 2015, as their deadline for when retailers must start accepting EMV cards. The liability for fraud will shift from the credit card companies to retailers if customers use an EMV card, but the retailer isn’t able to accept it.
3. Keep Data “Out of the Clear”
Old payment technology encrypted payment card data at the application level, meaning a card was swiped, the sensitive card information was sent to a computer, and a business application encrypted the card information. This process put the payment card information “in the clear.” In other words, hackers could grab that information before it was encrypted.
Today, technologies exist that encrypt card data at the “point of swipe,” guaranteeing your data is never “in the clear.” You want to make sure your equipment is up to date to further reduce your risk.
4. “Tokenize” Your Stored Payment Data
If you shop online at Amazon or other large retailers often, you may notice when you go to checkout, your credit card information is already there. All you have to do is select “Pay Now.” This is an example of tokenization.
Tokenization works by creating a “token” in your system assigned to a specific credit card in your processor’s data vault. When a purchase is made, the token requests the payment data to complete the transaction.
The good news is tokens stolen by hackers are useless. The card data is still stored in the processor’s vault and cannot be accessed.
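The tokenization flow described above, as an added example that is not code from any processor: the class names, merchant IDs, and the rule that a token only works for the merchant it was issued to are assumptions made for illustration, and the card number is a constructed test value.

```python
import secrets

class ProcessorVault:
    """Stand-in for the processor's data vault (hypothetical, not a real processor API)."""

    def __init__(self):
        self._vault = {}  # token -> (merchant_id, card number); never leaves the processor

    def tokenize(self, merchant_id, card_number):
        # The token is random, so it cannot be reversed into the card number.
        token = "tok_" + secrets.token_hex(16)
        self._vault[token] = (merchant_id, card_number)
        return token

    def charge(self, merchant_id, token, amount_cents):
        entry = self._vault.get(token)
        if entry is None:
            return "declined: unknown token"
        owner, card_number = entry
        # Assumption: the processor ties each token to the merchant that created it.
        if owner != merchant_id:
            return "declined: token not issued to this merchant"
        return f"approved: {amount_cents} cents on card ending {card_number[-4:]}"


class DealershipSystem:
    """What the dealership keeps on file: a token and the last four digits only."""

    def __init__(self, merchant_id, vault):
        self.merchant_id = merchant_id
        self.vault = vault
        self.customers = {}  # customer name -> {"token": ..., "last4": ...}

    def save_card(self, customer, card_number):
        token = self.vault.tokenize(self.merchant_id, card_number)
        self.customers[customer] = {"token": token, "last4": card_number[-4:]}

    def charge_saved_card(self, customer, amount_cents):
        token = self.customers[customer]["token"]
        return self.vault.charge(self.merchant_id, token, amount_cents)


TEST_CARD = "4111111111111111"  # constructed sample: a test number, not a real card
vault = ProcessorVault()
dealer = DealershipSystem("dealer-001", vault)
dealer.save_card("constructed-customer", TEST_CARD)
stolen = dealer.customers["constructed-customer"]  # all a thief copying the records gets
```

The dealership can still charge the saved card, while the copied record holds no card number and is declined when presented under a different merchant ID.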
Bottom line: Resources and technologies are available to help you avoid credit and debit card fraud. The key is to be proactive in protecting yourself.