PPB March 2018
Tony Greenway, credit manager at Edwards Garment, uses a credit card processor so all the company’s client information is stored on the processor’s gateway. The data is also encrypted, and the company has a policy not to exchange or forward credit card data by email. He recommends suppliers not store any data on their servers or in a hard copy file. If that’s not an option, limit accessibility to authorized personnel only and have a written policy outlining who has access to the data.

Last fall, SAGE introduced Stripe, a leading payment provider, as its new payment processing service. Available to suppliers and distributors, it provides the benefit of Stripe’s easy-to-understand fee structure and the added security of SAGE’s integration solutions. Companies can take customer payments by using the SAGE secure online website, SAGE Mobile or, as part of the new SAGE Online v.14, they can charge cards directly from within the program. End users can also safely and securely send invoice payments through a participating distributor’s website using the “Pay My Bill” feature. The service takes the place of other payment processing services that companies may subscribe to and is charged per transaction with no monthly fee.

“We make it very simple for anyone in the industry to process credit cards safely and securely, and do so by leveraging technologies and services we already have in place,” says Jarod Thorndike, director of business development at SAGE.

Security Best Practices

The Federal Trade Commission urges companies to follow these practices to protect customer data:

• Take stock. Know what personal information you have in your files and on your computer. Understand how personal information moves into, through and out of your business and who has access—or could have access—to it.

• Scale down. Keep only what you need for your business. That old business practice of holding on to every scrap of paper is obsolete and dangerous. Unless you have a legitimate business reason to keep personally identifiable information stored in your files or databases, get rid of it.

• Lock it. Protect the information you keep. Be cognizant of physical security, electronic security, employee training and the practices of your contractors and affiliates.

• Pitch it. Properly dispose of what you no longer need. Make sure papers containing personal information are shredded so they can’t be reconstructed by an identity thief.

• Plan ahead. Draft a plan to respond to security incidents. Designate a senior member of your team to create an action plan before a breach happens.

Hooper’s hope is that bringing up the issue will help create awareness of an industry problem she’s not heard talk about before. “I feel like we have been responsible and done everything possible on our end,” she says. “Even then, it happens.”

How PCI Compliance Adds Security

PCI (payment card industry) compliance is a set of rigorous requirements administered by the Payment Card Industry Security Standards Council. Its purpose is to increase controls around a business’s security for credit cards and reduce credit card fraud. PCI compliance is not a technical term and is not limited to credit card processing—it permeates a number of business processes.

Geiger is one industry company that is PCI compliant. “Compliance is important because a merchant can be held liable if the merchant credit card information is breached,” says Denham. “Even if liability is not imposed on the merchant, the loss of trust from customers could damage the brand.” He says the process of becoming compliant is intense, and it takes months of work and a significant investment to properly follow the guidelines.

“No matter how good you feel about your security, once you go through PCI-compliance efforts, you will realize you were not very secure and you’ll be glad you went through the process.”

For small businesses, the easiest way to be compliant is to ensure credit cards are entered into a third-party system that is PCI compliant. “This way all information is put on a PCI-compliant server. However, many merchants process the card locally and send the data to the server. Therefore, in most cases merchants must implement all other controls for equipment that involves the PA-DSS certified software,” he says. Even companies that take a customer’s credit card verbally must enter it into a PCI-compliant system.

Learn more about the requirements and benefits of PCI compliance at www.pcisecuritystandards.org.

Tina Berres Filipski is editor of PPB.