- While necessary to accommodate customers and boost revenue, accepting credit card payments carries risks for business owners.
- Credit card security threats include untrained staff, not understanding fake credit card clues, not verifying identity, storing customer data for later charges and refunding cash on a credit card transaction.
- Your credit card processor can help mitigate credit card security risks.
- This article is for small business owners who want to limit the potential security risks of receiving credit card payments.
Today’s small businesses understand they must accept credit cards to accommodate consumer preferences, keep valuable customers and compete in a competitive market. However, accepting credit cards in person carries specific risks many entrepreneurs and small business owners don’t expect. Overlooking these risks can lead to stolen customer information, lost revenue, fines and having your credit card acceptance privileges revoked.
We’ll outline five card-present security risks businesses must understand and share tips on choosing a credit card processor to help you mitigate security threats.
Credit card security risks
Accepting credit cards increases profits and creates operational efficiency. However, small businesses face security risks when they accept credit cards in person. Here are the top five security risks of accepting credit cards in person and how businesses can limit their risk.
1. Untrained staff can increase credit card security risks.
Busy small business owners may not realize that they and their teams don’t understand how to handle credit card transactions properly. This leaves your business vulnerable to fraudulent transactions and the possibility of legal action.
It’s crucial to create effective employee training programs to show employees how to handle credit card data and recognize fraudulent transactions. “Make sure you and your employees know the rules of how to handle credit card data,” said Vikas Bhatia, founder, CEO and chief risk officer of business cybersecurity firm JustProtect Inc. “Protecting your customers’ data is not only good business — it’s the law,” he noted.
Incorporate credit card handling best practices into new hire training, and hold periodic workshops to ensure your entire team understands new threats and developments.
2. Fake credit cards are a security risk.
When you have a long line of customers in a brick-and-mortar store, it’s easy to overlook clues indicating a fake credit card.
“Look closely at the card itself,” advised Joseph Palko, an independent e-commerce consultant. Criminals may use stolen credit card numbers or purchase one on the gray market to create their own card with their own magnetic strip. They may even include a dummy chip to mimic an EMV card (also called a chip card) and try to convince the attendant to enter the card manually.
Here’s some advice about learning to spot a fake credit card:
- Be wary if a user says their card’s chip isn’t working: If your business has an EMV-compliant credit card reader and the customer says their chip card isn’t working, ask for ID before manually running it.
- Look for a scratched or damaged magnetic strip: If the card isn’t a chip card or the customer is trying to swipe the card, pay attention to the card’s magnetic strip, cautioned Adam K. Levin, chairman and founder of CyberScout and co-founder of Credit.com. A scratched or damaged magnetic strip could be a tipoff that a card is fake. “Criminals will often scratch or damage the magnetic strip to force a cashier into entering the credit card manually if they were unable to encode the credit card information on the magnetic strip,” Levin explained. If this occurs, he says to ask for proper identification before completing the transaction.
- Study how genuine cards look: Palko advises getting to know exactly how real cards look. “Be familiar with what the different types of cards look like,” Palko said. “If it looks as if you have a fraudulent card in your possession, call the bank phone number on the back of the card.”
- Check the appearance of the card number: Levin said another clue to a fake card might be in the appearance of the numbers. “Oftentimes, credit card criminals use poor equipment to create fraudulent credit cards, resulting in cards that visually appear irregular,” Levin explained. He noted that if the numbers don’t line up and are crooked, it’s likely a fake credit card.
Unfortunately, small business credit card processing scams are common in the industry. Check customer reviews and Better Business Bureau data to ensure your processor is legit.
3. Missing signatures and verification issues can be security risks.
A missing signature is another issue often overlooked when accepting credit cards in person. This issue is less prevalent because card networks no longer require signature verification if businesses have an EMV-compliant credit card reader. With EMV cards (also called chip cards), the card information is stored in a chip instead of a magnetic stripe.
While EMV is an effective fraud-prevention system, some businesses, such as restaurants, may still need customers to sign a receipt when adding a tip. Additionally, businesses without an EMV-compliant card reader may run cards manually.
In these cases — or in any case where you’re suspicious — check for a signature on the back of the card and request identification.
The best POS systems allow merchants to choose receipt signature options like always requiring signatures, never requiring them or only requiring them for transactions over a specific amount.
4. Storing customer credit card data to charge later is a risk.
Do you store credit card data for later charging? If so, you could be violating your merchant account terms of service, according to Phillip Parker, founder of CardPaymentOptions.com.
“Credit card data is only allowed to be stored in very specific and secure ways,” Parker cautioned. “Allowing this data to be compromised can put you at great financial risk of both fraud liability and stiff fines.”
Bhatia says a crucial tip for staff is “don’t write down credit card numbers.”
Modern POS software helps secure customer data. When businesses accept credit cards on mobile devices or POS systems, a “data lockout” occurs, according to Will Black, the CEO and chief giving officer at Sharing the Credit.
“Once entered, the employee cannot pull the credit card number fully back up,” Black explained. This prevents employees from accessing customer credit card information. “They may be able to see the last four digits to verify it, but the data should be locked out.”
Businesses must understand payment card industry (PCI) compliance issues when accepting credit cards. These rules ensure a secure environment to protect customer credit information.
5. Cash refunding credit card purchases is a security risk.
Your business could lose money if credit card returns aren’t processed correctly. For example, if the purchase was made on a credit card, the refund should be issued to that card, not in cash.
“Many businesses allow a customer to make purchases on a card and then return the item for cash as opposed to refunding it back to the card,” Black said. The problem is that the original purchase may have been completed using a stolen credit card, with the fraudsters returning the items to get the cash.
The best credit card processing companies for security
Some of the best credit card processors include security features to protect businesses from fraudulent credit card activity. Here are a few to consider:
- Clover: Clover is our pick as the best credit card processor for new businesses. With Clover, businesses can access fast credit card processing and feature-rich, highly customizable point-of-sale (POS) software and equipment. Several pricing plans — including one for less than $10 per month — offer business owners choices and flexibility. You can use a virtual terminal or e-commerce interface without buying hardware if your business doesn’t need a POS system. However, Clover charges several fees other credit card processors do not, including a significant termination fee upon cancellation for customized software solutions. To learn more, read our in-depth review of Clover.
- Stripe: Stripe is our pick as the best credit card processor for online businesses. Stripe’s customization options include tools, features and plug-ins for various online companies, including POS systems and merchant accounts. There are no setup, cancellation or account maintenance fees, and Stripe is considerably less expensive to use per transaction than PayPal. However, Stripe’s credit card readers are mandatory and not free. Small business owners should also consider the added expense of needing third-party professional support for setting up Stripe’s customized features, calculating taxes and penalties for bad transactions, such as a $15 fee per chargeback or suspended user accounts. Check out our comparison of Stripe vs. PayPal to compare the solutions.
- ProMerchant: ProMerchant is our pick as the best credit card processor for high-risk businesses. Businesses with less-than-ideal credit or in perceived high-risk industries like tobacco, gambling, pawn shops and alcohol sales, including trendy neighborhood wine bars and family-friendly breweries, could find the right fit with ProMerchant. It offers specialized solutions for restaurants and retail and various services for e-commerce and other businesses. There are no early termination or monthly fees, and ProMerchant offers free hardware. Plus, it has established a reputation for exceptional customer service. However, ProMerchant is a relatively new credit card processing company. It doesn’t have a long track record or many customer testimonials. The processing fee structure isn’t public, so you must contact the company for a quote. Read our full ProMerchant review for more information.
Prepare your business for in-person credit card security risks
Whether you own a restaurant, store or another brick-and-mortar business, there will always be operational risks. Prepare your business by following industry security standards and keep your staff trained and up-to-date on credit card processing requirements, best practices and scams. When you take prevention measures and invest in the right credit card processing companies to protect your data, your business will benefit from the rewards of credit cards while mitigating the risks.
Sarita Harbour contributed to the reporting and writing of this article. Some source interviews were conducted for a previous version of this article.