We’ve all heard the news stories about individuals who have been targeted for credit card and ID theft. It’s a problem that costs millions of dollars a year and consumers can spend months, even years, dealing with the fallout from credit card theft.
But for businesses, the toll can be even more serious. “It can be a death sentence for your business,” says Bob Carr, president and CEO of Heartland Payment Systems, the fifth-largest payment processing company in the country, located at 90 Nassau Street. Carr will speak on “Protecting Your Business from Identity and Credit Card Theft” on Wednesday, September 17, at 7:30 a.m. at the Nassau Club, 6 Mercer Street. Cost: $30. Register by calling the Princeton Regional Chamber of Commerce at 609-924-1776 or visit www.princetonchamber.org.
Carr received both a bachelor’s and master’s degree in mathematics and computer science from the University of Illinois in the late 1960s. “I was one of six people in the school’s first computer science class,” he says. He then became an instructor at Parkland College in Champaign, Illinois, and in 1972 started a software and consulting business for small and mid-sized businesses. His company was one of the first to take merchants from paper credit card slips, which had to be physically taken to a bank for processing, to electronic processing.
Carr’s work in the field led him to co-found Heartland Payment Systems with Heartland Bank in 1997. He bought out the bank in 2000 and took the company public in 2005. Today his company has offices in several states and provides services to over 250,000 merchants.
May I take your card? The biggest risk in a credit card transaction is when the credit card is taken away from the customer, says Carr. An unscrupulous employee can use a skimming device to record the card’s information. This is particularly true in industries such as the restaurant business where a card is often taken out of the customer’s view to another part of the restaurant for processing.
To minimize this particular danger, Carr’s company is testing a pay-at-the-table device in several restaurants throughout the country. “Pay-at-the-table has been easier to introduce in Europe than in the United States because tipping practices are different here,” says Carr. “Many people here are uncomfortable with writing in the tip in front of the server.” However, the new device would greatly reduce the risk to the consumer.
Dialing up. The danger of interception during swiping can also be minimized by using a dial-up system for processing, versus an Internet system. “The risk in dial up is low. If a business is using a dial-up system there is almost no risk of intercepting a card number while it is being sent over a phone line,” Carr says. “The biggest risk with a dial-up system is in internal theft; paper receipts can be copied by employees,” he says.
Internet-based processing systems have greater security risks; card information must be properly encrypted before it is sent through the system to ensure that it is not intercepted. There can also be problems with storing data online, he says. But although an Internet system carries more risks, it is faster, averaging two seconds per transaction as opposed to seven or eight seconds in dial-up.
While that may seem like a tiny difference, it can add up to a substantial amount of time on a busy sales day, says Carr. In addition, if a company is already using an Internet-based system for inventory and sales records it may not make sense to add a second system just for credit card sales.
Protecting your business. There are several important steps a business owner can take to protect against credit card theft. The most important protection is to make sure that you are in compliance with all of your credit card company’s rules. “There are rules for merchants to follow that protect the cardholder. If a business is not compliant with the rules and it has a problem, the business owner is left exposed to some very hefty fines,” says Carr.
Security experts divide credit card information into two categories: data in motion and data at rest. The widely publicized TJ Maxx theft in early 2007, where thousands of credit card numbers were stolen through skimming devices, is one example of data stolen in motion.
But despite the fact that this type of theft often receives the greatest publicity, data at rest is actually the more vulnerable, says Carr. When data is at rest, or stored in a computer system, a thief can at leisure hack through a firewall and steal the information. The best protection from this type of theft is to never store data on an in-house system.
All credit card information should be sent directly to the processing company and stored there. “The credit card company has the resources and the security department that is capable of ensuring that the information is kept secure,” Carr says. “A small retail business, like a jewelry store or a restaurant, does not.”
Carr recommends that every business check its software to ensure that it is up to date. “Some older software may be storing data and the business owner does not even know it,” he says.
Stay vigilant. The best protection from credit card theft, as from any other type of theft, is to remember that security is not a one-time event, but rather an ongoing process. “Crooks are always getting smarter and new methods for theft are being developed all the time,” he adds.
When credit card theft does occur it makes the news. In the past few years several such stories have taken their toll on businesses, such as a string of gas stations where criminals attached skimming devices to gas pumps and a data breach that exposed over 4 million credit card numbers to possible ID theft at a New England grocery store chain last year.
“If your company is caught in this kind of publicity it is very hard to survive,” says Carr. Not only is there the possibility of fines and lawsuits, the publicity itself may drive customers away, ultimately killing the business.
The good news for business owners, however, is that despite these highly publicized events, credit card theft from businesses is still relatively rare. “The number of hacking incidents we’ve seen since we started in business in 1997 is minuscule,” says Carr. It is not difficult to make sure that your business is in compliance with all of your credit card company’s rules. “As long as business people understand the risks and how to stay secure they can be comfortable. Credit card security is something to be aware of, not something to lose sleep over.”