What’s in Their Wallets?

Your customers trust you with their credit card numbers. Expert lays out a plan to safeguard their information and protect your store in the event of a Target-style data breach.

March 2014, Auto Dealer Today - Feature

by Chad DeKing

Having customers swipe their own credit cards is one of several steps you can take to help safeguard their personal data — and your dealership. 
The news lately has been dominated by headlines about credit cards; specifically, the very real risks associated with how credit card transactions and data are handled by businesses. In December, we learned that millions of Target shoppers’ card numbers might have been compromised by a massive data breach. This is an ideal time for dealers to collectively examine the risks and best practices of payment transactions.

Because the automotive industry conducts most of its service business with credit cards, it is imperative that dealers better manage the risks associated with them, and become more intimately familiar with Payment Card Industry (PCI) standards and best practices. It is no small subject. However, as with most things, a review of the fundamentals is the best place to start to help your staff become more security conscious.

Security Standards

The Payment Card Industry Security Standards Council (PCI SSC) was launched in 2006 to manage the ongoing evolution of PCI compliance. The council had a singular goal of improving payment account security throughout the transaction process. Visa, MasterCard, American Express, Discover and Japan Credit Bureau (JCB) founded the PCI SSC to work with banks, merchants and payment industry suppliers to develop and implement security standards. The Payment Card Industry Data Security Standard emerged from that process. PCI DSS is designed to ensure all companies that process, store or transmit credit card information maintain a secure environment.

Every dealer should be concerned about PCI DSS. If a security breach occurs and credit card information is stolen, the dealership and any of its suppliers that interact with the credit card data are responsible — and accountable — for the breach. The payment brands may, at their discretion, fine the bank that underwrites the dealership’s payment processing; those fines can be thousands of dollars per month for PCI compliance violations. The bank would most likely pass those fines downstream until they eventually hit the dealership and its owners. The bank also could choose to significantly increase the store’s transaction fees or even terminate its relationship with the dealer.

Penalties are not often openly discussed or widely publicized, but they could be catastrophic to a dealership. Even more important is the impact on your customers. They will most certainly question whether they should choose to do business with you again, and bad news travels quickly.

Ensuring your dealership consistently maintains strict PCI compliance can be a complex process; however, implementing four PCI best practices can make it much simpler:

Never store credit card information. That file drawer or computer folder containing credit card numbers places your dealership at tremendous risk. Never keep a customer’s credit card number in any format, be it electronic or paper.

Never ask your employees to handle a credit card. The moment an employee takes possession of a customer’s credit card — even just to swipe it through a payment terminal — you have granted that employee access to sensitive cardholder data. Your customers should swipe their own cards.

Never store credit card information in your own system. Suppliers within the payment card industry can take the responsibility for processing credit card data and storing cardholder data if necessary; when you store the data on your own system, your risk increases significantly.

Select a PCI-certified supplier. As of July 2010, the PCI SSC requires all merchants using third-party software to validate that their suppliers’ applications are PCI-certified. Look for payment systems which utilize updated security methods such as tokenization and end-to-end encryption.

All dealers accept credit cards. As a result, you take on the risks and responsibilities associated with processing those transactions. The starting point for ensuring your store is adequately shielded from these risks is to become familiar with the PCI standards and make PCI compliance part of your day-to-day operations. Use payment industry suppliers that reduce your risk as much as possible so that you can stick to what you do best: selling and servicing vehicles.

Chad DeKing is the managing partner of SwervePay Sales & Service LLC. He has more than 30 years of experience with expertise in the convergence of technology, operational data and customer data.

Comment

  1. Kyle Merritt [ February 12, 2015 @ 07:13PM ]

    My dealership, daily... SEVERAL TIMES A DAY, allows our sales staff to take credit card numbers via phone without proper customer authorizations (proper paper form that can be faxed or e-mailed to client for their approval and verification). These transactions are primarily used to "HOLD" certain autos until said client can visit store and properly execute a purchase transaction. I have tried to introduce this card payment processing authorization but have been "rebuffed" because it is "too much work." We have had complaints about unauthorized charges, and these salespeople routinely hold onto "Post-its" with credit card numbers on them, write these card numbers on manila file folders that contain other sensitive docs, etc. I would appreciate input on card taking (via phone) best practices, and any advice you can muster for a proper transaction.

 
