If you accept payment cards (credit, debit, gift) in your business, you should periodically conduct a top-to-bottom review of everything you’re doing. You will benefit by taking a few minutes to review your systems, equipment and procedures to find areas where you can make improvements, such as reducing your exposure to fraud or becoming more efficient.
The first thing you need to do is make sure you have successfully completed the Payment Card Industry (PCI) Self-Assessment Questionnaire (SAQ). The questionnaire is somewhat like your proof of insurance for your car; you only need it when you renew your license plates or when the police stop you. If you experience a PCI data breach, the card associations will ask to review your document. Failure to have it completed and available creates exposure for which you may be fined by the card associations (Visa, MasterCard and the like).
At Michigan Retailers Association we have set up an online tool that will take you through the SAQ process with “plain English” questions. The end result is that you will have successfully completed the SAQ and the Attestation of Compliance. Part of this tool is also a help desk to answer any questions you have about compliance.
The second thing you should do is to review the procedures your staff members are using when handling card data. While you might understand that long-term storage of card numbers and expiration dates is not a good thing, some of your staff may not. I have had conversations with business owners who developed sound policies around card data protection, only to discover that their staff members were not following those policies. You should watch or listen carefully to what your staff members do with card data. They may be well intentioned, but their failure to follow set policies will create an exposure for you as the business owner.
The last part of spring cleaning should be a review of your equipment and processes for handling a customer’s card transaction, with an eye toward how you might make improvements. In some cases the changes will help you lower your processing fees; in others it may help you become more efficient. Some things to consider and questions to ask yourself:
1. Do I have the appropriate terminal to handle today’s cards? Some of the terminals that merchants are still using have been around for 20 years. The technology for handling a transaction has changed in the last two decades, so maybe it’s time to upgrade your terminal.
2. If I have a terminal, do I still need a phone line? In the last 5-10 years, all of the terminal manufacturers have developed terminals that plug into your computer network via Ethernet instead of a phone line. In some cases, the conversion to this type of device will allow you to eliminate a phone line, which can save you $30-$50 per month.
3. Do I even still need a terminal? In the last 10 years we have seen the development of web-based “terminals” that enable you to run a transaction (both card-not-present and face-to-face) without having a terminal in your store. This will dramatically limit the scope of your PCI compliance conversation mentioned earlier.
It is always good to take a minute and work “on” your business and not “in” your business. A spring cleaning for your payment card system may be a good way to start.
If you have any questions about these spring cleaning tips, your merchant processing customer service desk can help you with answers.
John Mayleben CPP is Michigan Retailers Association senior vice president, technology and product development, and a national expert on electronic payment processing. He is the first person in Michigan and among the first in the nation to receive the Certified Payments Professional designation from the Electronic Transactions Association.