Merchant account security is one of the most important aspects of running a successful business. Worldwide, merchants lose over $9 billion to fraud each year, according to the 2020 Nilson Report. About 33% of merchants are impacted by fraud every year, mostly from phishing, card testing, identity theft, and chargeback fraud. But by implementing the right technology and processes, you can drastically reduce your vulnerability to fraud and ensure customers trust you to keep their payment information safe.
Choose a PCI Compliant Payment Processor
All merchants are required to maintain specific security standards based on the PCI DSS merchant level they fall under. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for making sure sensitive payment data is protected.
As a merchant, a big part of compliance is making sure you choose service providers that meet or exceed those security standards. Not only is this required if you want to keep accepting card payments, it’s one of the most important pieces of merchant account security.
When looking for a payment processor, be sure to ask what kind of technology and processes they use to keep your data secure. At National Processing, for example, merchants can choose from a range of PCI certified devices and point-of-sale terminals.
Treat Your Password Like a Toothbrush
Treating your password like a toothbrush is a common piece of advice you’ll hear from cybersecurity experts. What they mean is don’t share it with anyone and replace it with a new one every three months. When it comes to strength, you want the electric toothbrush of passwords.
You’ve probably heard the advice to use a mix of upper and lowercase letters or to add numbers and symbols. Those are all great strategies but can make it harder for you to actually remember your own password, especially if it changes every three months.
To make sure your password is complex enough but still easy to remember, create your own unique pattern for password creation. Maybe the numbers you add are the date when you’ll change your password next. Maybe the phrase you use is based on something that’s happening within the three months that you’ll use the password, like “Golden Gate” if you’ve got a trip to San Francisco planned.
Come up with your own set of guidelines for creating a password so that even though it’s changing regularly, you’re following a consistent pattern that makes it easier to recall what it is.
Set Up Two-Factor Authentication to Protect Your Merchant Account
Even the strongest password is still not as secure as using two-factor authentication. This is the two-step login method where, after entering your login credentials, you’re asked to, say, input a randomly generated code that was sent to your phone or use fingerprint or face recognition software to confirm your identity.
It’s a relatively low effort step for you and an effective layer of security for keeping hackers out of your account. Even if a hacker steals your password, they are less likely to be able to spoof the code that was sent to your phone or fake your fingerprint.
Be Ready to Respond Immediately to Security Threats
Keep a contact list readily available that includes the phone numbers for your payment processor, payment gateway, bank, and any other service provider connected to your merchant account. If a breach happens, you want to contact all of them right away to make sure everyone is mobilized to damage control and find out what steps you need to take on your end.
Some of the steps you might take include:
- Take all affected devices offline. Malware spreads through systems and networks. But if you can disconnect the device it was initially installed on, you can contain the damage by preventing it from spreading to your entire system.
- Reset all passwords. This includes any employees who might have their own passwords.
- Identify what data was compromised so you can figure out what kind of risks you need to prepare for.
- Identify the weak points in your security system and find ways to patch them so this kind of breach can’t happen again.
Make Your Data Useless to Hackers
You’ll need to work with your payment processor and payment gateway to do this, but it’s a powerful method for preventing fraud. Using encryption and tokenization, you can turn sensitive information into useless gibberish for a hacker so that, even if they do breach your system, they can’t use the data they steal.
Encryption uses an algorithm to scramble sensitive data (like a credit card number) into a jumble of unreadable characters. Only those with the decryption key will be able to convert the data back into its original form. Tokenization is similar but it doesn’t use an algorithm. It just replaces each character in the data with a randomly generated character. To convert it back to its original form, you need to access a lookup table that has been encrypted itself and locked behind a firewall.
Both are powerful security measures but tokenization is a little better. Since encryption uses an algorithm, it is possible to “crack the code” and figure out what the original data was even if a hacker doesn’t have the key. It’s definitely not easy but it can happen.
With tokenization, it’s impossible to crack the code because there is no code. Each character was randomly generated independently of every other character in the set. To get the original information, a hacker would need to break past the firewall and then crack the encryption on the lookup table before using that table to convert the data back to its original form.
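A minimal tokenization vault in the style the section describes, added here as an illustration (this is not code from the original article or from any payment processor). Every character of the token is drawn independently from a cryptographic random source, so nothing in the token is derived from the card number; the lookup table is the only way back, and it is assumed to live with the processor, not on the merchant’s systems. Keeping the last four digits visible for receipts and rejecting mistyped numbers with a Luhn check are assumptions added for the example.

```python
import secrets
import string

DIGITS = string.digits


def luhn_valid(pan: str) -> bool:
    """Luhn check so mistyped card numbers are rejected before they enter the vault."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the token -> card number lookup table (assumed to sit at the processor,
    encrypted and behind a firewall). Merchant systems only ever store tokens."""

    def __init__(self) -> None:
        self._table: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Swap a card number for a same-length token with no algorithmic link to it."""
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        while True:
            # Each character is generated independently of the others and of the PAN;
            # the last four digits are kept so receipts can show them (assumption).
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._table:
                break
        self._table[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the holder of the lookup table can recover the card number;
        a stolen token by itself is useless. Unknown tokens raise KeyError."""
        return self._table[token]
```

A merchant database breached after tokenization yields only the token column, which cannot be turned back into card numbers without the separately protected table.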
Frequently Asked Questions about Merchant Account Security
Here are quick answers to some of the most common questions people have about merchant account security.
A high risk merchant account typically has enhanced security measures in place to protect against fraud. In addition to enhanced data protection and security software, those measures might also include things like longer hold periods or higher account minimums. It’s often a requirement for processing payments if you’re a merchant that’s classified as high risk.
When working with some third party payment processors, like PayPal or Square, it’s common to see your merchant account get restricted or locked with little or no notice. That means merchants often aren’t able to accept payments or withdraw funds until the restriction is removed.
This happens so often because these platforms typically have one large merchant account that every merchant using the service shares. So they’re more sensitive to fraud and tend to restrict accounts quickly at the slightest sign of unusual activity to minimize risk.
Sometimes, the payment processor will send merchants a notice that includes steps for removing the restriction. That might include things like verifying identity or providing additional documentation about your business. In some cases, however, merchants aren’t given any instructions at all. When that happens, the best thing to do is reach out to the processor’s support team for more information.