What you don't know can hurt you when it comes to how your small business handles sensitive payment data. In fact, being unaware of the risks and responsibilities you inherently assume in payment processing can expose your business to fines, fees and operational upheaval.
Here are eight things most businesses don't know about payment processing.
1. You're subject to processing fees and terms.
Small businesses are subject to processing fees from credit cards per transaction. According to Merchant Cost Consulting, the average cost of processing fees from top credit card providers ranges from 1.7% to 2.05% for in-person transactions and 2.25% to 2.5% for card-not-present transactions. The cost may sound minimal, but it adds up when applied to large purchases.
Companies assess processing fees using two main models. A business can pay a flat rate or use a tiered system that charges processing fees based on transaction type. Evaluate the best credit card processing services to determine the best fit for your business based on fees and terms. Terms may include fee adjustments based on transaction type. For instance, chip card inserts typically incur lower fees than manually entered credit card data.
Editor's note: Looking for the right credit card processor for your business? Fill out the below questionnaire to have our vendor partners contact you about your needs.>
2. You can take measures to reduce credit card fees.
There are ways to save on credit card processing fees so that you're not stuck paying high rates. Credit card processors offer varied pricing structures. Some have a flat rate, while others charge monthly fees in addition to the per-transaction rate.
Before you make a decision, evaluate what's best for your business. Consider a flat-rate provider if you have a startup or small business with a low monthly sales volume. If you have a larger sales volume or need specialized services, consider a processor that charges an inclusive monthly fee with a lower transaction rate.
In addition, when selecting a payment provider, you can negotiate your rate to some extent, so don't sign on the dotted line until you're sure you have the lowest possible rate without compromising on the services you need.
Also, consider using online payment security measures, such as additional identity verification, to minimize chargebacks, which can cost $15 or more each time they happen.
3. Processing type impacts the level of payment data protection.
Most debit and credit cards issued within the last six years in the United States include a magnetic stripe on the back and an EMV chip on the front. Card issuers have recently included another way to pay: near-field communication, or NFC, which offers contactless tap technology.
Still, many businesses don't know there are significant differences in payment security when a card is swiped versus taped or inserted into the EMV payment terminal.
When a customer uses either the EMV chip card feature or the NFC capability, the processing environment utilizes a security measure called tokenization. This process replaces the sensitive cardholder data (i.e., the 16-digit personal account number) with a series of randomly assigned numbers used to process the payment.
If the transaction is intercepted during processing or is later compromised in a breach, data thieves can't use the token to commit further fraud or identify the account owner.
4. You are not too small for a payment security breach.
Accenture's Cost of Cybercrime Study found that 43% of cyberattacks are aimed at small businesses. Unfortunately, only 14% of small businesses have technology and processes to defend themselves and their customers.
First Data estimates that most small businesses that are victims of a payment security breach don't know it occurred until the damage is done. If a breach does occur, mandatory investigative audits of payment security practices cost the average small business about $36,000. That doesn't even begin to assess the damage to the businesses from loss of customer trust, downtime, notification costs, and damage to their reputations, which can drag on for several years after a breach.
If you are party to a payment transaction found to have offered the lowest level of security, you could be held responsible for costs associated with the breach, including identity protection services for breach victims, card reissue costs, fines and legal fees. Merchants that don't accommodate EMV chip cards could be held liable in the event of a payment security breach.
5. You need a multipronged approach to payment security.
Choosing a payment processor that guarantees PCI-compliant payment processing and accommodates NFC and EMV chip card technology at the point of sale can enhance payment security, but you need to do more. Your business should conduct audits to proactively identify vulnerabilities and potentially adapt those processes as your business grows.
The PCI Security Standards Council outlines the specific protocol merchants should follow based on their volume and type of annual transactions. At a minimum, internal audits of firewalls, networks, hardware and software should occur quarterly under PCI-compliant processing standards.
Since most small business breaches involve employees – whether bad actors or those who get duped by phishing and other methods – employee screening, monitoring, training and permissions are also key.
6. Not all payment security issues originate with a hack.
Not all breaches occur with a sophisticated hack. Security magazine reports that many ransomware attacks start when an employee or contractor unknowingly clicks on a malicious link in an email.
Your internal procedures have a significant impact on payment security. For example, never post passwords on computers or POS systems. Passwords should be changed at least every few weeks and ideally consist of at least eight characters, including letters (uppercase and lowercase), numbers and symbols.
Additionally, companies should have filters in place for their email servers, and employees should be trained to avoid cybercrime.
7. Your staff plays a critical role in payment security.
One employee's innocent mistake can make or break your payment security and cost your business dearly. Conduct ongoing training sessions to ensure secure payment procedures. For example, customer credit or debit card numbers should never be written down or kept on file.
Mobile payments should be processed only with a secure and password-protected connection, using the mobile payment provider's secure app or dongle. You should update the operating system of any mobile device used to process payments to the most recent version (which is often patched when security vulnerabilities are detected).
Payment security is an important issue for any merchant that handles sensitive data. The more you understand how to provide a secure environment in your technology and internal processes, the less risk your business may face.
8. It pays to be proactively secure.
If you don't have payment security measures in place, you could be subject to fines. Compliance with PCI standards is required not only of payment processors but also merchants. If you fail to comply – or comply without providing proper proof – your payment processor could charge you anywhere from $10 to $100 per month until you're in full compliance.