In light of the numerous highly publicized data breaches in recent years, security has rightfully taken on a larger priority for businesses. A data breach can result in significant legal, financial and reputational consequences. So, what should clubs be doing to better secure their network? What different components are involved? How much will it cost?
The point of this article is to serve as a quick “how-to” guide for club data security. In today’s nonstop club environment, conducting business should be simple, secure and seamless. Strengthening data integrity is easier than you think, and will not only protect you and your members from compromise, but can reveal significant everyday savings and improved operational efficiencies.
PCI Compliance
It’s important for clubs to have a clear perspective of their processing landscape. Every payment point is a possible access path for hackers. The more people involved in your transaction path, the more complex, expensive and less secure it becomes. Here are a few key components you should be looking for when evaluating your club’s security:
- PCI Compliance – All businesses must abide by Payment Card Industry Data Security Standards (PCI DSS)
- Software Integration – Linking individual software systems together to work as one
- End-to-End Encryption – Data security measure, used to protect data from one end of a transaction to the other
- Onsite Environment – Onsite environmental measures can instantly improve your protection
- Maintaining Transaction Integrity – Each transaction has security “qualifiers” that, if met, can protect your business against fraud and reveal significant cost savings
Insufficient security methods cause countless credit card breaches and excessive financial losses. It’s one of the reasons the Payment Card Industry Security Standards Council (PCI SSC) has established Data Security Standards (PCI DSS). These standards outline protection compliance for all parties involved in the handling of credit cards. They are not simply guidelines, but requirements by which all businesses accepting credit card payments must abide.
Your Greatest Ally
A breach is something no business should have to endure, and is the last thing you want your members worrying about. The best thing a club can do to instantly improve its security is to not store any sensitive cardholder data. Your credit card processor should be maintaining and managing this for you. Most clubs view credit card processing as just another “cost of doing business,” but when it comes to data integrity, your processor can be the only thing standing between your business and a breach.
Storing members’ credit card data requires secure systems that eliminate risk. There are many grades of processors; which one you choose can significantly increase or decrease your club’s susceptibility to compromise. For this reason, it’s in every business’s best interest to carefully vet this service before selecting a provider.
Software Integration
When accepting payments, many clubs use a point of sale and processing system. In a nonintegrated environment, these systems do not communicate directly with one another. They either function completely independently or, a gateway is used to bridge the communication gap.
Processing Outside of your POS: When clubs separate their POS from their processing, they’re limiting the effectiveness of both systems. Clubs invest thousands of dollars into their POS. Selecting a processor that is not fully integrated minimizes this investment by forcing you to use a separate system. This transaction architecture leaves you prone to data compromise, human error and accounting complications. The dual entry process is slow and redundant, which often results in poor employee and member experiences.
Gateways: Oftentimes a “gateway” is used to bridge the gap between POS and processing systems. A gateway is a third party provider that acts as a translator, allowing your POS and processing software to communicate. Involving a gateway places an extra stop in the transaction path, providing potential hackers with an additional access point. This multi-layered environment not only increases your liability, but also increases fees. Clubs can end up paying nearly double for processing services because gateways have their own set of costs, including setup, monthly and per-transaction fees. Using a gateway can also lead to support problems, as merchants are usually left to decipher whether to call their gateway or their processor when issues arise.
Full Integration: Full integration is the gold standard in processing. Integration allows clubs to transition from a fragmented, multi-vendor, intricate setup into one seamless and robust solution. In a fully integrated environment, your POS and processing software work directly in a safe and secure system. When the consumer provides their payment card, it is swiped directly through the POS system. On the backend, inventory is appropriately tracked and stored on the POS, while all sensitive cardholder data is stored on the processor’s servers. There is no dual entry or fragmented reporting.
This software architecture eliminates third party involvement, maximizes security and allows clubs to take full advantage of their processing and POS investments. Obtaining PCI certification can be a long, grueling and expensive process, requiring substantial money and man-hour investment. Fully integrated solutions can drastically diminish the certification effort by significantly reducing the risks associated with storing financial data. This can represent a savings of thousands of dollars in annualized PCI audits.
Integration was once viewed as a laborious process, but nowadays there are industry leaders that have perfected it. When assessing your transaction landscape make sure that you’re processing in a fully integrated environment.
End-To-End Encryption
While integration works to strengthen the security of your transaction environment, encryption is used to secure sensitive data as it travels across the payment network. When data is unencrypted, it is left in plain sight for hackers to steal. Encryption places a coded shield around sensitive data that should only be able to be decrypted by authorized parties. End-to-End Encryption (E2EE) means that credit card data is encrypted from one end of the transaction to the other: from the moment the card is swiped, while in transit, all the way through authorization and settlement. In this environment, data is transmitted and stored by the processor. E2EE is more secure than point-to-point encryption, where data can be decrypted at various points along the transaction path. E2EE offers superior asset protection and helps remove your club, POS provider and web developer from the scope of PCI compliance. For e-commerce accounts, a Secure Sockets Layer (SSL) should be used to encrypt online transactions. SSL allows sensitive information, such as credit card numbers, to be transmitted securely between a web server and a client.
Maintaining Transaction Integrity
Strengthening your system security will not only protect you from compromise, but can reward you with everyday savings. Interchange is the universal base cost for all credit and debit card transactions. All merchants and processors are subjected to these fees. Today, there are more than 500 interchange rates. Rates are established by the card associations and are determined by the level of “risk” attributed to each transaction; the more secure a transaction, the cheaper the interchange rate. Each rate has specific “qualifiers.” If these qualifiers are not met, the transaction will downgrade to a more expensive rate.
The card associations consider three main factors when calculating risk:
- Card Type (Credit, Debit, Business, Rewards)
- Purchasing Environment (Swiped, Online, Mail Order/Telephone Order (MOTO))
- Security Measures (Signature Capture, PIN Entry, Address Verification)
There are easy ways for clubs to protect themselves from downgrading rates. For example, have you ever been asked to enter a CVV code when making an online purchase? What about the billing ZIP code of the card being used for payment? Merchants request this information because they enhance the security of the transaction, resulting in cheaper rates.
The CVV security code, or Card Verification Value Code, is a 3- or 4-digit number that can be found on the back of a credit card. It’s used as an authentication procedure that verifies the possession of the card in efforts of preventing fraud. When sensitive data is stolen, hackers have easier access to account numbers and expiration dates, but obtaining CVV codes is much more difficult as storing this information is illegal. The Address Verification System (AVS) works similarly, requesting the user to verify the billing address and ZIP code of the card being used.
If you’re currently not requesting this information, you should be. If your processor has not informed you about these options, you should be asking why. By requesting this information, you’re protecting your club against fraudulent purchases and chargebacks, as it requires the consumer to provide additional information traditionally unknown to hackers.
By making these simple adjustments to your payment page or checkout process, you can more easily maintain the integrity of each transaction, protecting your club from fraudulent purchases while significantly reducing your processing costs.
Here are some quick tips on maintaining the state of a transaction (not downgrading):
- Swiped cards qualify at the lowest rates
- For key-entered or e-commerce transactions make sure to obtain all addendum data (i.e., AVS verification to include: Address, ZIP, Invoice #, and CVV as fraud control).
- Settle daily
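The qualifier checks in the tips above, together with the earlier point that a merchant should never keep CVV or full card numbers, can be expressed as a small pre-settlement check. This is an added example, not code from the article or from ETS; the field names, the 24-hour settlement window and the sample card number are assumptions made for illustration.

```python
"""Added example (not from the article or ETS): flag transactions likely to
downgrade to a more expensive interchange rate, and scrub records before
merchant-side storage. Qualifier names follow the article's tips; the
24-hour settlement window and sample values are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Transaction:
    environment: str                     # "swiped", "keyed" or "ecommerce"
    pan: str                             # primary account number (constructed sample)
    cvv: Optional[str] = None            # card verification value; never stored
    avs_address: Optional[str] = None    # billing street address for AVS
    avs_zip: Optional[str] = None        # billing ZIP for AVS
    invoice_number: Optional[str] = None # addendum data for key-entered/e-commerce
    authorized_at: datetime = field(default_factory=datetime.now)

def downgrade_reasons(txn: Transaction, settle_at: datetime) -> list:
    """Return the qualifiers this transaction is missing. An empty list means
    it should settle at the best rate available for its environment."""
    reasons = []
    if txn.environment in ("keyed", "ecommerce"):
        # Card-not-present: the article asks for full addendum data.
        if not txn.avs_address:
            reasons.append("missing AVS address")
        if not txn.avs_zip:
            reasons.append("missing AVS ZIP")
        if not txn.invoice_number:
            reasons.append("missing invoice number")
        if not txn.cvv:
            reasons.append("missing CVV")
    # "Settle daily": assumed window of 24 hours from authorization.
    if settle_at - txn.authorized_at > timedelta(hours=24):
        reasons.append("settled more than 24 hours after authorization")
    return reasons

def scrub_for_storage(txn: Transaction) -> dict:
    """Return the only fields the merchant side keeps after authorization:
    the CVV is dropped entirely and the PAN is truncated to its last four
    digits, so a breach of the club's own records exposes neither."""
    return {
        "environment": txn.environment,
        "pan_last4": txn.pan[-4:],
        "invoice_number": txn.invoice_number,
        "authorized_at": txn.authorized_at.isoformat(),
    }
```

Run `downgrade_reasons` before the daily batch closes so that missing AVS or CVV data can be corrected while the transaction can still qualify.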
Proper Protection
Securing your business isn’t a matter of spending thousands of dollars on systems and software. Remember what you’re looking for: PCI compliant, fully integrated, end-to-end encrypted solutions. Following these tips will not only help secure your members’ identities, but will simplify your account collections, eliminate the costs of multi-layered solutions, and enhance the value of your software investments. Your members are your club’s greatest asset. Make sure that you’re protecting them appropriately.
Edward Vaughan, founder and CEO of Electronic Transaction Systems Corporation (ETS), is a recognized leader in merchant processing, and architect of the company’s signature product, the EMoney™ Credit Card Transaction Platform, which has ranked as “the most secure platform in the world” by the MasterCard International Risk Assessment Management Program. ETS is the processing supplier for more than 9,000 golf courses and 90 percent of golf management and software companies. For more information about securing your club and protecting your members visit www.etsms.com or call 800-834-7790.