The news lately has been dominated by headlines about credit cards; specifically, the very real risks associated with how credit card transactions and data are handled by businesses. In December, we learned that millions of Target shoppers’ card numbers might have been compromised by a massive data breach. This is an ideal time for dealers to collectively examine the risks and best practices of payment transactions.
Because the automotive industry conducts most of its service business with credit cards, it is imperative that dealers better manage the risks associated with them, and become more intimately familiar with Payment Card Industry (PCI) standards and best practices. It is no small subject. However, as with most things, a review of the fundamentals is the best place to start to help your staff become more security conscious.
The Payment Card Industry Security Standards Council (PCI SSC) was launched in 2006 to manage the ongoing evolution of PCI compliance. The council had a singular goal of improving payment account security throughout the transaction process. Visa, MasterCard, American Express, Discover and Japan Credit Bureau (JCB) founded the PCI SSC to work with banks, merchants and payment industry suppliers to develop and implement security standards. The Payment Card Industry Data Security Standard emerged from that process. PCI DSS is designed to ensure all companies that process, store or transmit credit card information maintain a secure environment.
Every dealer should be concerned about PCI DSS. If a security breach occurs and credit card information is stolen, the dealership and any of its suppliers that interact with the credit card data are responsible — and accountable — for the breach. The payment brands may, at their discretion, fine the bank that underwrites the dealership’s payment processing, which can be thousands of dollars per month for PCI compliance violations. The bank would most likely pass those fines downstream until they eventually hit the dealership and its owners. The bank also could choose to significantly increase the store’s transaction fees or even terminate their relationship with the dealer.
Penalties are not often openly discussed or widely publicized, but they could be catastrophic to a dealership. Even more important is the impact on your customers. They will most certainly question whether they should choose to do business with you again, and bad news travels quickly.
Ensuring your dealership consistently maintains strict PCI compliance can be a complex process; however, implementing four PCI best practices can make it much simpler:
Never store credit card information. That file drawer or computer folder containing credit card numbers places your dealership at tremendous risk. Never keep a customer’s credit card number in any format, be it electronic or paper.
Never ask your employees to handle a credit card. The moment an employee takes possession of a customer’s credit card — even just to swipe it through a payment terminal — you have granted that employee access to sensitive cardholder data. Your customers should swipe their own cards.
Never store credit card information in your own system. Suppliers within the payment card industry can take the responsibility for processing credit card data and storing cardholder data if necessary; when you store the data on your own system, your risk increases significantly.
Select a PCI-certified supplier. As of July 2010, the PCI SSC requires all merchants using third-party software to validate that their suppliers’ applications are PCI-certified. Look for payment systems which utilize updated security methods such as tokenization and end-to-end encryption.
All dealers accept credit cards. As a result, you take on the risks and responsibilities associated with processing those transactions. The starting point for ensuring your store is adequately shielded from these risks is to become familiar with the PCI standards and make PCI compliance part of your day-to-day operations. Use payment industry suppliers that reduce your risk as much as possible so that you can stick to what you do best: selling and servicing vehicles.
Chad DeKing is the managing partner of SwervePay Sales & Service LLC. He has more than 30 years of experience with expertise in the convergence of technology, operational data and customer data.