Fuel Oil News June 2019 | Page 45

As a business grows, its needs change. Are you ready to provide for them?
BY MARCI GAGNON

BECOMING A ‘BIG KID’

My six-year-old daughter legitimately beat me at a board game. I have always envisioned the day she would become a “big kid” and how fun, rewarding and slightly horrifying that day would be.
Don’t get me wrong, I am incredibly proud that my child put together a clever strategy to outwit me (ok, pulverize me) in a game of Clue. However, a small part of me thought “How did this happen? When did she get so big?” Our businesses, like our children, are growing, and inevitably the day will come when we sit back and realize that our companies have become “big kids.”
Overnight our companies have a slew of different needs: more employees require formal HR policies; more customers require advanced software and billing capabilities and a better understanding of payment security. While it is often overlooked, the way we approach our company’s security impacts every aspect of our company, our technically savvy customers, our employees, and their families.
According to the National Small Business Association, 60% of SMBs that have a credit card breach are out of business within six months. If your company has 30 employees, 30 families are depending on you to make the best decisions regarding security. With spring upgrades well underway, let’s take a look at payment security and some simple things you can do to help best secure your company.
The Payment Card Industry Data Security Standard (PCI DSS) presents common-sense steps that mirror general best security practices for any company. There is a lot of misinformation and fear regarding PCI, but in reality it should be thought of as a set of good business practices that will help ensure secure payment transactions for your customers.
All companies that accept credit or debit cards are required to adhere to PCI guidelines and complete an annual compliance questionnaire. There are different versions based on how you collect, process and store credit cards, and the questionnaire reviews your network, internal systems, software, vendors and employees. While the questionnaire is only required once per year, security is ongoing and should be routinely tested by running periodic security checks and fixing any vulnerabilities as they are found. I like to think of this questionnaire as your company’s annual security physical. As you go through the checklist, you have either received a clean bill of security at the time or have been given some things to work on, with another appointment scheduled to make sure any concerns have been addressed.
In addition to the basic questionnaire, companies should verify the security certification of all vendors they work with, including software, payment equipment and gateway companies. At a bare minimum, verify their PCI certification at Visa’s Global Registry of Service Providers: https://usa.visa.com/splisting/splistingindex.html. If you currently use a company or product that is not listed, ask. Some software may be using hosted payment pages, and companies that perform special integrations will be happy to provide information on how they address PCI for their software as well as for their customers. This takes only five minutes. Remember, 30 employees and their families are counting on you!
Create an internal compliance team. This can be a mix of IT and admin professionals who meet once a quarter to run a regular system check, review any changes and update your company’s security policy as needed. Part of the PCI requirement standards (#12) is to create a security policy, so having a group that reviews the plan and knows what to do in the event of a breach will save valuable time. This group can also be responsible for collecting the security documentation, aka “Attestations of Compliance,” from each vendor and verifying that each vendor is willing to participate in a forensic investigation should there be a breach. This will save time and money later, as your organization will know exactly who to contact.
Whether malicious or not, 40% of all breaches are caused by internal employees. So, educate all employees and implement a clean desk rule while limiting access to areas where card data are collected or processed. These steps will dramatically reduce employee fraud. Never use vendor-supplied defaults for system passwords, and make sure to update passwords often to account for seasonal or disgruntled employees.
Should your company discover a breach, implement your security plan and limit data exposure by taking any affected systems offline. Do not turn them off! IT professionals can more easily identify the root of the breach if the systems are isolated from the network but allowed to keep running. Finally, notify all relevant parties, including payment partners, software vendors and legal teams. Make them aware of the breach and get advice on next steps, including communication with your impacted customers. The good news is that for businesses handling fewer than 6 million credit and debit card transactions per year, fully meeting the security standards requires only the assistance of an Approved Scanning Vendor and some work and awareness from your own staff. Remember, security is key to a healthy business.
Marci Gagnon is vice president of strategic alliances for Qualpay. She has worked in the payments industry for more than 15 years with a concentration in recurring billing in energy businesses. Qualpay provides processing solutions to fuel delivery and service businesses with tools designed to provide real-time reconciliation and cost reduction. For more information contact Marci Gagnon at marci@qualpay.com or visit https://www.qualpay.com/industry/utility-and-energy
www.fueloilnews.com | FUEL OIL NEWS | JUNE 2019