Small business owners are champions of the DIY spirit, but there’s one area where they have to trust someone else to do the job: payment processing. And of all the responsibilities to entrust to an outside vendor, handling customer payment data is among the most nerve-wracking to outsource. After all, you’re handing over your customers’ most sensitive information every time you receive a credit card payment.
That’s why it’s so important for small businesses to find a payment partner they can trust. Cybersecurity can be tough to measure, especially if your expertise is running a business—not running a computer.
“Nothing is 100% safe in this technologically rich and complicated environment,” said Jeff Korte, director of community institution and associations at the Financial Services Information Sharing and Analysis Center. “Do your research, ask questions, know what’s in the fine print of your agreement and be involved. Monitor the relationship closely.”
Here are some standards to use when searching among dozens of options for a payment partner to keep your small business—and your customers’ data—secure.
Third-Party Security Certifications
Checking for third-party certification is one effective way to verify that a payment processing company is as secure as it claims. According to Korte, the standard certification is the Payment Card Industry Data Security Standard (PCI DSS). Compliance with it is reassessed regularly by a professional auditor approved by the PCI Security Standards Council.
“Make sure they have a PCI DSS RoC that is completed annually and they can provide you their Attestation of Controls (AoC),” said Korte.
Some companies have additional certifications as well. The payment processing company Elavon, a subsidiary of U.S. Bank, is ISO/IEC 27001-certified through the ANSI National Accreditation Board, which is an independent accreditation and training services provider.
“It’s an international security standard,” said Phil Agcaoili, senior vice president of product and security innovation for Elavon. “All of Elavon’s global payment gateways are currently certified with ISO/IEC 27001.”
These third-party certifications provide confidence that a payment provider has solid security management practices, is constantly updating and testing its defenses, follows proven data protection methods, and can ensure secure and resilient payment processing for businesses and their customers.
Advanced Encryption And Tokenization
Encryption and tokenization are methods for ensuring your customers’ payment data is protected. But not all versions of these security measures are equal.
“Transmissions should be tokenized—substituting sensitive data into digitalized nonsensitive data without compromising security,” said Korte. “Also, no PII [personally identifying information] should reside on your server.”
It’s possible to find a payment provider that manages multiple token sets and that can handle security across multiple, if not all, payment services. Elavon can remove card data with its token approach—its tokens work with billing and invoicing, authenticate payment transactions and provide end-to-end encryption.
“Multiple tokens create an environment that is much harder to audit unless the process is identical and just sent to different payment providers,” said Korte. “It is not common to use multiple token sets unless it’s in the case of an international payment provider.”
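An added illustration of the tokenization idea described above, not code from Elavon or any other provider: the provider-side vault is the only place a card number lives, the merchant stores a random token, and a Luhn-based scan of the merchant's own records confirms that no card numbers remain, which is the kind of check a PCI scoping exercise looks for. The class and function names and the sample card numbers are assumptions constructed for this example.

```python
import re
import secrets
import string

# Constructed sample input: two Luhn-valid test card numbers arriving at checkout.
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]


def luhn_ok(digits: str) -> bool:
    """Luhn check: separates a plausible PAN from an arbitrary digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical provider-side vault: the only component that stores PANs."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        # Random letters only: the token carries no information about the PAN
        # and cannot itself look like a card number; last four kept for receipts.
        body = "".join(secrets.choice(string.ascii_lowercase) for _ in range(20))
        token = f"tok_{body}_{pan[-4:]}"
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


# 13-19 digit runs not embedded in a longer digit string.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Scan merchant-side data for Luhn-valid card numbers (PCI scope check)."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


def checkout(vault: TokenVault, pans: list[str]) -> str:
    """Merchant flow: hand the PAN to the vault, keep only the token on record."""
    return "\n".join(f"order={i},card={vault.tokenize(p)}" for i, p in enumerate(pans))
```

Run `find_pans` over the merchant's stored records before and after tokenization to see the difference in what a compliance scan would flag.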
Simplified PCI Compliance
Credit card companies require PCI compliance before a business can accept online transactions. The standard demonstrates that a business meets a baseline of security controls for handling payment data. The more advanced the payment processor’s security measures are, the easier compliance is to achieve.
“The payment provider should be compliant with the Payment Card Industry Security Standards Council,” said Korte. “The council provides guidelines for merchants, instructing them on what they need to do to secure sensitive data.”
Elavon’s tokenization process, for example, makes PCI compliance easier and less expensive by removing cardholder data from the point of sale. The company also offers a PCI compliance manager to help small businesses maintain and report their compliance.
Excellent Customer Service
Even with all those security measures in place, questions come up for small businesses when they’re managing payments. And when those questions go unanswered because a payment processor is hard to reach, companies face increased risk.
“Being able to work with a payment partner when possible fraud is detected can help save businesses a lot of money,” said Agcaoili. “Time is of the essence with fraud incidents for financial transactions.”
Responsiveness from a payment provider also matters when security issues are detected. Being able to find and fix security issues quickly is key to minimizing operational and financial risk, because it reduces the likelihood of a compromise.
“Cybersecurity is a team sport, and information sharing plays a very important role in the safety of the payments ecosystem,” Agcaoili said.
By looking for a payment processor that prioritizes both customer experience and security, you can find a partner to trust with your business—and with your customers’ payments.