Due to the lockdown, are your staff processing payments at home?
The coronavirus pandemic has led to a massive change in the way we all conduct our businesses. To survive the challenges posed by the lockdown, businesses and charities across the country have had to adapt their processes. One big change is the move to processing payments at home.
Restaurants and eateries have had to shutter their doors, offices have moved to remote working, retailers have taken their operations online and charities have had to find alternative ways to raise money.
For those businesses and charities trying to continue operating during the lockdown, many offices, helpdesks and call centre environments now have individuals working from home.
Businesses have got creative during the lockdown in an attempt to survive, from charities accepting donations over the phone to restaurants offering gift cards for use once the establishment reopens and retailers selling their products via social media and online platforms.
Challenges with phone payments
If your staff have begun to accept donations or payments for goods or services over the phone, then you should be aware of some potential Payment Card Industry Data Security Standard (PCI-DSS) and personal data protection challenges.
However, there are some things you can do to minimise the risk to personal data and continue to meet PCI-DSS requirements even while processing payments from home.
If you are able to redirect callers to a website to make payments, then that is ideal, as the payment information will never be in the home environment, but we understand that this may not always be feasible.
Securing your router
When you process payments at home, you might be taking Cardholder Not Present (CNP) payments using a physical terminal, connected to either a phone line or your home broadband.
With this type of payment processing from home, there isn’t a great deal you can do, or need to do, about the security of a dial-up terminal connected to your phone line.
But for an internet-based terminal, the router should not allow remote support via the internet. For optimum security, you also need to ensure the router's firewall is switched on. If the router supports Wi-Fi, then you must ensure the connection is encrypted using WPA2-PSK AES encryption and a strong password.
One important consideration when processing payments at home is the correct handling and storage of payment records.
If the terminal you use for payment processing prints paper vouchers, these must be stored securely for your records. The best place to store these types of records is in a safe if you have one; however, any other appropriately secure storage option is also acceptable.
These days, most terminals no longer print the full card number on any receipts or vouchers. But if yours does, you need to be especially careful in storing the vouchers printed by your payment terminal. They should be destroyed by incineration or cross-cut shredder at the earliest opportunity, so that nobody can access your customers' card details.
Of course, if you are a small business or charitable organisation, you will often have a limited number of physical terminals that multiple staff share.
But if, with staff processing payments at home, you have more people needing to process payments than you have terminals, then a virtual terminal such as RSM 2000’s CPTerminal may be the answer.
Precautions to take
Even so, when using a virtual terminal, some precautions are required:
1. Ensure PCs have anti-malware software installed that runs automatically, that users are unable to prevent the scans or amend the settings, and that logs are collated centrally.
2. PCs should have a locally installed firewall configured to block unauthorised traffic.
3. Users should not have the ability to install, remove, or reconfigure applications, access administrative functions, or use USB memory drives.
4. Ideally, connect by cable to the router. If Wi-Fi has to be used, ensure it is encrypted using WPA2-PSK AES encryption and a strong password.
5. Make sure users know they are not to write down or retain sensitive information in any form; get them to acknowledge this.
6. PCs should have a password-protected screensaver that activates automatically after a period of inactivity; users should lock PCs if left unattended.
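One way to spot-check a Windows PC against precautions 1 to 4 and 6, as an added example that is not part of the original article or RSM 2000's own tooling. It assumes Microsoft Defender, the built-in Windows firewall, English-language netsh output and a 15-minute idle threshold, none of which the article specifies.

```powershell
# Added example: read-only audit of a Windows PC against precautions 1-4 and 6.
# Assumes Microsoft Defender, the Windows firewall and English-language netsh output.
$MaxIdleSeconds = 900   # assumed threshold; the article does not state a period

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value does not exist
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
$results = [ordered]@{}

# 1. Anti-malware runs automatically and the user cannot switch it off
$mp = Get-MpComputerStatus
$results['Anti-malware real-time protection'] = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled
$results['Anti-malware tamper protection']    = [bool]$mp.IsTamperProtected

# 2. Local firewall enabled on every profile, none allowing inbound by default
$fw = @(Get-NetFirewallProfile)
$results['Firewall on for all profiles'] = @($fw | Where-Object { "$($_.Enabled)" -ne 'True' }).Count -eq 0
$results['No default-allow inbound']     = @($fw | Where-Object { "$($_.DefaultInboundAction)" -eq 'Allow' }).Count -eq 0

# 3. User is not a direct member of local Administrators; USB storage driver disabled
$me     = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.SID.Value })
$results['User is not a local admin'] = $admins -notcontains $me
$results['USB storage disabled']      = (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start') -eq 4

# 4. Wired, or Wi-Fi reported as WPA2-Personal with CCMP (how netsh shows WPA2-PSK AES)
$wlan = (netsh wlan show interfaces | Out-String)
if ($wlan -match 'State\s*:\s*connected') {
    $results['Wi-Fi is WPA2-PSK AES'] = ($wlan -match 'Authentication\s*:\s*WPA2-Personal') -and
                                        ($wlan -match 'Cipher\s*:\s*CCMP')
} else {
    $results['Wi-Fi is WPA2-PSK AES'] = $true   # no Wi-Fi connection in use
}

# 6. Password-protected screensaver; a policy value wins over the user's own setting
$saver = @{}
foreach ($name in 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut') {
    $saver[$name] = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' $name
    if ($null -eq $saver[$name]) { $saver[$name] = Get-RegValue 'HKCU:\Control Panel\Desktop' $name }
}
$timeout = [int]$saver['ScreenSaveTimeOut']
$results['Locking screensaver'] = ($saver['ScreenSaveActive'] -eq '1') -and
    ($saver['ScreenSaverIsSecure'] -eq '1') -and ($timeout -gt 0) -and ($timeout -le $MaxIdleSeconds)

# Centralised log collection (1) and the user acknowledgement (5) cannot be checked locally
$results.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'REVIEW' })
}
```

Run it in the payment-taking user's own, non-elevated session so the screensaver and group-membership checks reflect that user rather than an administrator.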
If you would like further information on CPTerminal, please Contact Us.