Credit card data breaches have unfortunately become common occurrences for many restaurant, retail, and other businesses that accept credit card or digital payments. So much so, that breaches hardly make the news these days, which might lead some to believe the danger has been reduced.
Regrettably, numerous electronic threats and physical security issues are still present in restaurant and retail establishments. We want to provide knowledge that organizations can utilize in protecting themselves from credit card theft.
Why is Safe Credit Card Handling Important?
We are, and have been, rapidly migrating toward a cashless society. Consumers today expect and deserve to feel safe and secure when presenting credit cards during transactions.
Therefore, a certain social as well as business obligation exists for restaurants, retailers, and other businesses to respect the personal data of consumers. This extends to the employees that represent those businesses, as well.
So without further hesitation, here are Six Simple Rules For Safe Credit Card Handling.
Six Simple Rules for Safe Credit Card Handling Procedures
- Never make an electronic copy of sensitive cardholder data.
Train employees to recognize and refuse any unauthorized external device, such as a “skimmer”, used to record credit card information. Criminals have been known to be brazen enough to approach employees and ask to install such devices in order to record credit card information.
A majority of the time, it is the employee that is caught and prosecuted, not the criminal. It may seem like easy money; however, it can easily mean jail time for the employee involved.
- Do not physically record credit card numbers.
At times, companies may choose to keep credit card data for convenience. This practice, however efficient it may seem, is not safe.
Cardholder information must be kept in a locked drawer, with very limited access to the data. Once you factor this security in, many businesses realize that collecting data during each individual purchase is a more efficient method while also holding less risk for the business.
- Physical and electronic cardholder data must be destroyed after it is no longer needed.
If you don’t need it, destroy it, and do so properly.
Destroy all physical credit card data when it no longer serves a practical purpose. Acumera’s Credit Card Handling video details several methods to properly dispose of physical credit card data.
- Never send emails or other correspondence containing credit card information.
Do not send sensitive credit card or banking information via email. Period.
As an aside, ensure that employees are trained to understand that your company will never request individual cardholder data under any circumstances. Any attempt to request such information should be reported to a manager immediately.
- If a customer leaves their credit card behind by mistake, destroy it if it has not been retrieved within 24 hours.
Sometimes we are forgetful. If a customer mistakenly leaves their card in your establishment, contact them the same day to inform them your business is in possession of the card and that it will be destroyed if not properly claimed within a specific amount of time.
We advise no more than a 24-hour window. However, we urge you to check with your management team for your company’s specific policies relating to this practice.
If the consumer does return after the specified time, politely inform them that you properly destroyed their card in order to protect their information and to ensure their security.
- If you see anything you are uncertain about, report it.
If something seems suspicious, report it. If you see credit cards being stored in an unsafe manner, report it to the proper management team so it may be corrected.
Additionally, regularly inspecting the cash wrap area for any evidence of physical hardware tampering is strongly recommended to combat security threats.
This blog post, originally published in 2015, was updated on November 28, 2022.