Data breaches have been in the news for several years. One thing we can learn from incidents like the Equifax breach and the massive Marriott data breach is that no company is immune if it doesn't protect itself properly.
The accounts receivable industry is no exception. News outlets throughout the industry recently reported a breach of sensitive consumer data at American Medical Collection Agency (AMCA). The news left many agencies questioning their own system security. Here are a few tips on how to prevent data breaches to ensure your company’s sensitive consumer credit card data stays secure.
1. Talk to Your Software Vendors About Data Security
Using a payment software can help your business grow by providing a convenient online payment portal and integrated compliance features that simplify your day-to-day. The right software can also serve as your agency’s first line of defense against a breach. Ask your vendors what security they offer.
Are They PCI Compliant? What Level?
The Payment Card Industry has created compliance rules for any business that accepts card payments. To keep consumer data safe and remain in compliance with PCI standards, all businesses must adhere to one of four levels of PCI compliance. Look for a vendor with Level 1 compliance – the highest level possible – to be sure consumers are as safe as possible making card payments.
Does Their Compliance Take You Out of PCI Scope?
There is no system that takes away all of your responsibility for complying with PCI standards. However, the right software can reduce your company's own PCI compliance workload to the 15-minute Self Assessment Questionnaire A. Not only does this save you money and time by eliminating system scans and on-site inspections, but the right software can also eliminate the need for card numbers to ever enter your company's online environment at all.
For example, PDCflow's patented Secure Entry Overlay technology offers a secure way for card data to be tokenized and encrypted without the burden of agencies storing sensitive data in their own systems.
Do They Have Additional Certifications?
An even more encouraging sign from your payment software is if they have additional security certifications. If your provider is serious about security, they will go beyond the necessary to offer as much security as possible for your consumers. Here are a few additional credentials to look for:
- SSAE18 SOC 2 Attestation
- HIPAA Certification
- Visa Global Registry Listing
2. Understand PCI Requirements
While good payment software will take you out of PCI scope, business owners must still understand what must be done at the company level to remain PCI compliant. What do agency owners need to understand?
What Level of PCI Compliance Applies to You?
There are four levels of PCI compliance, based upon the number of card transactions you process per year. The team members at your payment software company should be well-versed in PCI compliance requirements. If you don’t know what actions to take based on your PCI level, reach out to them for help.
(Figure: PCI Compliance Levels)
Self Assessment Questionnaire (SAQ)
Once you know which level of compliance applies to your company, you will know which SAQ you must fill out annually. Remember, if your payment software captures card data in an iframe or redirects consumers to a compliant third-party processor's payment page, you will be eligible for the simplest SAQ, which can be completed in about 15 minutes.
Ask your software company which SAQ fits with your setup. They should also offer help walking you through its completion if necessary.
3. Review Internal Policies
Along with knowing the basics and understanding how your payment software works, it’s important to identify how internal processes can put sensitive data at risk.
- Don’t store card data – have your payment software provider do it for you. Keeping this information on a server in your care increases the likelihood of a breach.
- Don’t keep hard copy files that contain sensitive information. If you must, keep them in locked cabinets in a restricted-access area.
- Appoint a person or team to be in charge of understanding security and compliance requirements.
- Have the security officer or team create and maintain training materials and train staff on compliance expectations.
- Educate employees on basic security measures. Teach them how to avoid human error-caused data breaches that can happen through events like phishing emails and social engineering scams.
Using patented technology to protect your business will help you save money in the short term on scans and in the long term by preventing a damaging incident. PCI compliant software can also support a third-party collection agency's marketing efforts to prospects, helping you grow your business.
Remember, a data breach is a stain not only on an agency but on the clients it serves. Clients are likely to lose business if their collection agency compromises their consumers' data. After the latest breach, it is likely more companies will ask for security credentials when hiring an outside collection service. Know what's expected of you and be prepared to deliver.
For more information on compliance with payment card industry standards, download the PCI compliance guide.