For early-stage tech companies that process payments, sound data protection practices are essential not only for your business's health, but for your investors' comfort level. The stakes continue to rise: E-commerce fraud attacks increased 30 percent last year compared to 2016, according to Experian.
The recent implementation of the General Data Protection Regulation (GDPR) raises the stakes. E-commerce merchants that collect, process or store data on EEA residents — including U.S. businesses that sell or market to EEA residents by using their data — now must keep tighter control over this data, or face potentially crippling fines.
"Doing this early will help you stay protected as you continue to grow and seek new funding"
Creating an IT infrastructure and policies that support data security will provide a solid foundation for your online sales and payment processing efforts. Doing this early will help you stay protected as you continue to grow and seek new funding.
Review the following three elements of a comprehensive data defense strategy.
Any business that handles customer card data must meet the payment card industry's security standards or PCI requirements. These standards are administered by an independent group but enforced by the major card brands; non-compliance can come with fines ranging from $5,000 to $100,000 per month, with additional costs in the event of a data breach.
A good first step toward ensuring you're PCI-compliant is to talk with your bank. Some, including SVB, offers resources to guide businesses through the process. Yet because compliance is ultimately your responsibility, you should understand what it entails. Key requirements include:
- Building and maintaining a secure network and systems: Set up and maintain a firewall configuration to protect cardholder data, and monitor firewall activity to help ensure that data stays secure. Change vendor-provided default passwords and other security parameters to help thwart hacking attempts.
- Securing cardholder data: Only store this data when necessary, and encrypt it when it's transmitted across open, public networks. Limit access to cardholder data to those who need it to perform their job, and restrict physical access through locks and other means.
- Validate compliance: Once card-data safeguards are in place, verify your PCI compliance with your bank or payment processor. How you do this depends on your merchant level, which is determined by the number of card transactions you process. Talk to your bank or payment processor about how your business is categorized.
Review our checklist for more guidance on PCI compliance. And, check the PCI Security Standards Council's website for updates to security rules.
This comprehensive data protection law enacted by the European Union essentially strengthens the rights of individuals over how their information is used. It goes beyond PCI to cover any personally identifiable information, including names, addresses, email addresses and more. E-commerce merchants and other businesses that sell or market to European individuals are required to limit their data collection to only what they need to accomplish a specific task (e.g., make a sale, add someone to an email list), and to delete it as soon as they no longer need it.
GDPR violations carry steep fines: up to 4 percent of worldwide annual turnover for the previous year or €20 million ($23 million), whichever is higher. Refer to the European Commission's GDPR website for detailed information.
A few key compliance steps for e-commerce businesses with European customers include:
- Assess customer data: Understand the scope of the personal data you hold — what it is, how you store it, how long it is stored. If third parties also have access to customer data, understand how they handle it. Non-compliant companies handling your customers' data means you are not compliant.
- Request explicit consent: Opt-in requirements under the GDPR may be much stricter than you're accustomed to. If a company is relying upon consent as the lawful basis for contacting customers, European individuals must unambiguously give their consent to receive marketing emails — for example, by checking an unchecked opt-in box.
- Make data portable: Under the GDPR, businesses must allow individuals to download their data in a format that they can take to a competing service. They must provide this data within a month of receiving a request. Be sure you are prepared to accommodate this.
- Prepare data breach notifications: The GDPR gives companies 72 hours to notify regulators that their customers' data may have been compromised. Preparing incident communications in advance — for example, covering specific types of events that could impact your business — can save valuable time.
Complying with data security regulations are an essential first step — but it's important not to stop there. Having strong safeguards against fraud provides another critical layer of protection.
Online commerce fraud prevention
Sound e-commerce fraud prevention practices are a necessary complement to your data protection efforts. Fraud prevention measures help you identify and stop fraudulent transactions using payment card data that was already stolen elsewhere. By helping you avoid fraud-related losses, they also help to protect your profits.
Strong online fraud prevention practices have become particularly important for e-commerce companies since the move to EMV chip cards. These cards make it harder to commit in-person fraud but have driven up rates of online, or card-not-present fraud. Incidences of online fraud are now 81 percent more prevalent than point-of-sale fraud, according to Javelin Strategy & Research.
Mitigate your risks of falling victim by taking these steps:
- Know your customers. Where are they located, and where do transactions usually originate from? Create a purchase flow that allows you to analyze transaction data and see deviations. Make sure IP locations and credit card addresses align and be wary of expedited shipping when billing and shipping addresses are not the same.
- Use built-in fraud protection tools such as an address verification system (AVS) and required use of customers' three- or four-digit card security code. Consider additional measures such as two-factor authentication and automated transactional risk scoring, which can help to screen out fraudulent purchases.
- Train employees. Educate your employees to understand the risks of card-not-present transactions. Develop good internal practices and policies for monitoring, and make sure the team is expert in them.
Enlist your payment processor and other service providers in your fraud prevention and data security efforts. They can connect you to helpful resources and guide you through best practices as you work to implement and maintain these protections. Taking a proactive approach can pay off substantially in terms of a stronger brand, happier investors and better customer relationships.
Get started: Learn more about PCI compliance and how SVB can help your tech company through the process during our upcoming webinar, "PCI Compliance Can Avert Breaches and Fines" on Thursday, October 25th.