There was a time when many people were afraid to shop online because of perceived security risks. Now customers don’t hesitate to whip out their mobile phones to pay with Google Wallet, Square, PayPal, or even Bitcoin. Forrester Research predicts mobile transactions will reach $114 billion in 2014, and this number will only continue to grow.
Even brick-and-mortar stores that don’t yet accept mobile payments are replacing manual cash registers with sophisticated software that collects and transmits customer data to a cloud server. But data breaches at retailers like Target and Neiman Marcus show that making a purchase at a physical store can carry the same risks as shopping online.
Data security in point-of-sale transactions is crucial. I built a point-of-sale system from scratch in 2001 that was used by more than 8,000 brick-and-mortar retailers. I knew that the system and its implementation had to be secure to avoid the growing threats.
With all this sensitive data floating around, it’s up to you as a business owner to protect your customers’ information. Whether you process payments the “traditional” way or have implemented mobile checkout through a third-party solution, make sure you have the following safeguards in place:
1. Encrypt Session Cookies
Any time a user is logged in, encrypt the session cookie with a key unique to that user so the session stays secure throughout the transaction and cannot be forged or hijacked by tampering. This applies to both employees and customers logging in to the system.
2. Encrypt or Hash Back-End Login Data
While it may seem obvious to encrypt and secure transactions on both employee and customer logins, you also need to encrypt this information on the back end. Use a series of different encryption keys on your back-end login data to ensure that even if someone does access the data, it will be unusable. Hashing the back-end login information is also acceptable since you never have to decrypt that data. When a user submits a password for authentication from the application, the application simply hashes the submitted password to compare to the hashed value in the back end.
3. Encrypt All Stored Data
Only encrypting login data would be like having locks on an electronics store but no security on individual products. Once someone’s in the door, he could theoretically take anything he wants, putting your customers’ data at risk. All data needs to be individually encrypted.
4. Encrypt Any Data in Transit
Any time data travels over the wire, whether over the Internet or within your own network, it needs to be encrypted. Regardless of whether you use an outside vendor for payment processing, it’s your responsibility to secure your customers’ data in transit.
Data is most at risk when connected to the Internet, but even if you’re off the grid, a rogue employee can wreak havoc. That’s why it’s also important to monitor who has access to the information.
5. Verify the Security of Third-Party Solutions
Many forward-thinking companies are experimenting with payment methods such as Bitcoin in the hope of attracting and retaining customers. But implementing the encryption yourself is generally not an option when your company doesn't have complete control over its point-of-sale solution.
If you do use a third-party solution, make sure the payment process complies with PCI regulations. Demand proof of a successful third-party audit (and government compliance) to ensure the company encrypts the information as described above, and get it in writing.
Keep in mind that using a third-party solution doesn’t absolve you from responsibility. If you must use a solution that doesn’t comply with the encryption standards mentioned above, make sure the company has professional liability insurance to cover errors and omissions in its product.
Digital security is a hot-button issue these days, and no business can afford to compromise its customers’ information and lose their trust. If you don’t comply with government regulations and encrypt your data and transactions, you only have yourself to blame when some malicious hacker or rogue employee compromises your data. Be proactive in taking the necessary precautions now so you don’t have to deal with the fallout later.