Peer to Peer: Corporate security can’t be an afterthought

March is fraud prevention month – what measures should I take to ensure my business is protected?

Rob Fodor - Vice-president of risk and information, Interac Association

We all play a role in fighting fraud. Merchants play a critical role in stopping fraud before it starts. If your PIN pad is stolen or your customer’s debit card is compromised, your brand or business may suffer.

Being alert and carrying out basic fraud prevention measures will help you reduce the risk of experiencing debit card fraud at the point of sale. Here are some of the things you can do to help protect your business:

• Treat your PIN pad like cash. Keep PIN pads out of sight when not in use and lock up stand-alone terminals at the end of the day.

• Carry out daily checks. Look for signs of PIN pad tampering, check the PIN pad’s serial number to ensure it has not been replaced with a decoy and inspect the cash area for signs of hidden pinhole cameras or unexplained wires.

• Know your employees/coworkers. Implementing strict hiring procedures is an important step in fraud prevention, as criminals may make their way into an organization or approach employees to assist them with illegal activity.

• Contact law enforcement. If you suspect PIN pad tampering or other suspicious activity, consult your local law enforcement and your acquirer/payment service provider immediately.

In 2014, losses from Interac debit card fraud in Canada due to skimming (theft of payment-card data at tampered-with ATMs or point-of-sale terminals) fell 45% year-over-year to $16.2 million. While we operate an exceptionally safe payment network, all merchants can play a role in guarding their businesses from debit card fraud.

Iain Kenny - Investigative and forensic services partner, MNP

You have developed the next great thing. Sales are booming, your clients are demanding online payment services and Twitter updates, and some guy wants to pay you with a bitcoin. So how do you keep up with technology without exposing yourself to an increased risk of fraud?

1) Backups. This one seems straightforward, but do you even back up your data? Often I see companies that are diligent and perform regular backups but have never tested the data to ensure it can be used when a disaster strikes. Cloud-based or online storage is becoming a good alternative for small business as it removes many of the technical complications.

2) Clear IT guidelines. You cut your cellphone budget by 80% by allowing your employees to connect their own smartphones to your network. But what happens if the employment relationship sours? Do you have an acceptable-use policy in place that defines what your employees can do with your data once it is on their personal device? Do you have a right-to-audit or a right-to-wipe clause in that agreement that would allow you to review the content of the device or to delete your intellectual property on termination of the relationship?

3) Professional help. In an effort to save costs, businesses often expose themselves to increased risks when using web-based technologies. Recently I saw a not-for-profit that was accepting volunteer applications, which included passport information, on an unsecured web page. They couldn’t afford to hire anyone and someone volunteered. Management and the volunteer were both unaware of the significant risk for a privacy breach they had placed themselves in by not hiring someone who specialized in web development and data security.

Ben Young - Vice-president and general counsel, Peer 1

In order to stay safe, don’t make security an afterthought. As a business owner, you and your team are responsible for storing and protecting valuable company and client data. As many businesses transition to the cloud, it’s important to remain agile and adapt your security measures to prevent fraudulent activity in a cloud-based world.

Here are some steps to integrate into your security strategy to ensure you are always one step ahead:

1) Identify security needs. The level of security you need will depend on your industry and the volume of data you are storing. Familiarize yourself with the different cloud storage options. For example, public cloud systems manage privacy and security differently than do private cloud systems.

2) Inform your team. Humans are typically the weakest link in the security chain; make sure your team is properly briefed and aware of their responsibilities so that your front line can protect sensitive data. A pre-emptive approach is always best to ensure that your business is protected.

3) Encrypt your data. Encrypting your data makes it less of a target for theft by outside sources. What a lot of business owners might not know is that many company computers are already equipped with encrypted options and settings. The simple measure of finding and enabling this function is often overlooked.

4) Prevention, not defence. It’s important for businesses to consider data security first when building their IT strategy. Making sure that security is fully integrated into the planning phase allows the focus to be on prevention. This allows businesses to initialize seamlessly instead of having to scramble to protect their own prized data and that of their customers.