Remember the big Target data breach a few years ago, when tens of millions of customer credit card numbers were compromised? Target ended up paying $18.5 million to settle it. Did you know that, as a business owner, you could likewise be on the hook for fraudulent charges that result from credit card info stolen from you? You don’t have to be the criminal doing the bad stuff; you just have to have had the card details in your possession. And you could be liable for thousands of dollars of fraudulent charges before you even know it has happened.
Let’s talk about how that happens and how you can prevent it.
The first way is that someone, we’ll call him Super Bad Dude, hacks you. Super Bad Dude either guesses your password or gets it from somewhere else (a password you reused on another site that was breached, for instance). He logs into your email account and then, using the password reset link that lands in that inbox, into your Stripe account faster than you ever thought possible. Before you know it, Super Bad Dude has changed your passwords and the email addresses associated with your Stripe account and other sensitive accounts. He’s also set up filters or forwarding rules in your email so you never see the notifications or alerts from Stripe or your bank about potential fraud or strange activity.
Super Bad Dude starts charging the credit cards of your past clients like there’s no tomorrow. But that money isn’t going into your bank account, no. He’s switched the payout account too. He’s sending all that money into his offshore account at some shady online bank.
And Super Bad Dude is smart too. He switches the bank account every day or two. He knows that the more changes he makes, the harder it will be for you (or the authorities) to track him down or recover the money.
By the time you realize what is going on, Super Bad Dude may be up to $10,000, $20,000 or even $50,000 in a matter of days. Your clients (some from years ago) will all be seeing charges from YOU showing up on their statements but you’ll never see that money.
And the worst part is, you could be liable.
Another way Super Bad Dude (or his buddies Sneaky Stealer Guy and Terrible Tricky Thief) operates is to look for unsecured or unencrypted credit card info and snatch it whenever he can. For instance, let’s say you want your client’s full card number (along with the expiration date, ZIP, and CVC) on file in case of damages. You send them a form, they fill it out with a pen and email it back to you as an image (maybe a PDF or a JPG). You download the image and save it to their client folder on your computer. You also print a hard copy as a back-up for your records.
Super Bad Dude is the kind of guy who may be combing through your email (that he’s already hacked) for images just like this with your clients’ credit card details. Sneaky Stealer Guy may break into your office and steal your company’s computers… voila, he’s got access to lots of these images with credit card info. Terrible Tricky Thief’s M.O. is to smash car windows and steal purses, laptop bags, and things that look like they may have documents in them. He gets a stack of your client folders and bam—he’s got credit card numbers for a number of your clients.
These bad guys may use the credit card numbers themselves or sell them to other bad guys real quick. Either way, the credit card info is compromised. Not only will you have to contact ALL of your past clients who may be affected to tell them that their data has been compromised, it is possible that you will also be on the hook for any charges that result from this situation.
While we know that accepting credit cards is convenient for your clients and helps you close rental orders faster, there are some negative ramifications you’ll want to hedge against with your systems and processes. A security breach and compromise of your clients’ credit card data can mean regulatory notification requirements, loss of reputation, loss of customers, financial liabilities (for example, regulatory and card-network fees and fines), and litigation.
There are many other variations of these above scenarios but you get the picture— once you touch your client’s credit card information, you’re responsible for it in more ways than one. Let’s talk about how to handle that sensitive info with care.
How to Prevent Information Breach & Credit Card Fraud
When evaluating how you handle the ingress of credit card data, here are some DOs and DON’Ts to consider:
- DO use a secure, encrypted processor (like our integrated payment partner Stripe)
- DO make sure that the website where payments are being submitted has a valid TLS (SSL) certificate and that the payment page itself loads over https, not just the home page
- DON’T have clients send you credit card info via email
- DON’T accept credit card data via ordinary text fields or other unsecured/unencrypted methods on your own website (for instance, a plain web form where clients type their card number into your site so that you can later key it into a terminal somewhere else; the number then sits in your database or inbox in the clear)
DOs and DON’Ts of storing credit card data:
- DO keep only client credit card references (a Stripe card token plus the last four digits, never the whole number) stored with your rental orders within RW Elephant via Stripe (this happens automatically whenever you process a payment through RW Elephant directly or when your clients use our online payment pages)
- DON’T keep physical records of credit card numbers on physical paper in your office, car, or home where they could be stolen
- DON’T store digital records of credit card data on your computer, hard drive, or cloud storage (and never store the CVC anywhere, in any form: the card brands’ rules prohibit keeping it even after the payment has gone through)
- DON’T store images of credit card data (for instance, PDFs, JPGs, PNGs, etc.). Particularly don’t upload these as attachments to your RW Orders as they will not be encrypted.
Basically, our best advice is to never touch your clients’ credit card data personally (and don’t allow your employees to do it either). We suggest you send them payment links for their orders. Once they pay online, you’ll be able to choose the same card for future charges (for instance, if there are damages that need to be taken care of after the event). But if they pay online through RW Elephant via Stripe, you never touch (or see) their sensitive data. Stripe stores the card and hands you only a reference you can charge against, so there is nothing for you to store and nothing for a thief to find. You aren’t opening yourself up to all the risk that comes along with other methods of handling credit card data.
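If you have been collecting card details the old way, the first step is finding out where they are. The script below is an added example (not part of RW Elephant or Stripe) that scans text you pull out of your client folders, exported mailboxes, or spreadsheets for anything that looks like a card number and passes the Luhn checksum that real card numbers must satisfy, then reports only the last four digits so the report itself is not another copy of the data. The file contents are constructed sample data, and the card numbers in them are the publicly documented test numbers, not real cards; the file names are made up.

```python
import re

# A candidate card number: 13 to 19 digits, optionally separated by single spaces
# or dashes (the way people write them on a form), not embedded in a longer digit run.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the unique digit strings in text that look like card numbers and pass Luhn.
    Runs of a single repeated digit (0000 0000 0000 0000 passes Luhn) are treated as filler."""
    found = []
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if len(set(digits)) == 1:
            continue
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits, which is all a report should ever contain."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_files(files: dict[str, str]) -> dict[str, list[str]]:
    """files maps a path to its extracted text; returns path -> masked card numbers found.
    Paths with no hits are omitted so the report lists only what needs to be deleted."""
    report = {}
    for path, content in files.items():
        hits = find_pans(content)
        if hits:
            report[path] = [mask(p) for p in hits]
    return report


# Constructed sample "client folder" contents (hypothetical paths). The Visa and
# Amex numbers are the public Stripe test cards; the 16-digit order reference
# fails Luhn and must NOT be reported, and the phone number is too short.
SAMPLE_FILES = {
    "clients/smith-wedding/card-on-file.txt": "Card: 4242 4242 4242 4242 exp 12/26 CVC 123",
    "clients/jones-gala/notes.txt": "Invoice 2024-0012 total $1,850.00, paid by check",
    "clients/lee-event/email.eml": "Here's my Amex: 3782-822463-10005. Thanks!",
    "clients/misc/phone.txt": "Call 555-0100; 1234567890123456 is an order ref",
}

if __name__ == "__main__":
    for path, cards in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(cards)}")
```

Run it over text extracted from your documents (for scanned forms and JPGs you would need an OCR pass first, which this example does not do). Every path it lists is a copy of card data you should securely delete, and the clients involved are the ones whose cards you should re-collect through a Stripe payment link instead.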
Cute story, RW, but how do I prevent Scenario 1 from happening to me?
The key is having strong passwords, not using the same password for multiple accounts (your Stripe account shouldn't use the same password as your email account, for instance), protecting your passwords, and turning on two-factor authentication for both your email and your Stripe account, since your email is the reset path for everything else. You also need to be regularly checking your Stripe and bank accounts. If you see that Stripe transfers have suddenly stopped, if the payout bank account or account email on file has changed, if you notice a change in bank account activity, or if you find email filters or forwarding rules you didn't create, you'll want to investigate right away.
If you have any questions about how you’re handling credit card info, shoot us an email. We’re happy to help.