November/December 2017 Marine Electronics Journal 37
on your behalf and order additional equipment or change information at your vendor. A criminal could use this data to easily impersonate your business at that supplier or another supplier to his benefit.
This security applies to all sensitive information that is thrown away with the trash. Dumpster diving by criminals is a simple, low-cost way to gain information and steal identities. Sensitive papers should be shredded and disposed of properly. These business papers should never be left out for prying eyes to see, even if accidental. Business papers may have prices, terms or names that you would not want shared with outsiders. Even if the paper is not stolen, a picture could be taken of the sensitive data. I have walked into many service businesses that have a big white board on the wall with customer names and jobs in progress, often containing details that should be private. A quick snap with a smartphone camera can allow this business information to get into the wrong hands or even be given or sold to a competitor. Schedule boards are a great way to run a service business but should be displayed in areas restricted to staff.
Credit card security
Credit card numbers are my favorite pet peeve. While there is mandatory compliance by PCI (Payment Card Industry Data Security Standard or PCI DSS) for merchants who accept credit cards, most credit card security is easy to maintain with some common sense. This applies to customers’ credit cards and also to your own company credit cards. Do not transmit credit card numbers in emails, whether plain text or a scanned document. Unless specially encrypted, email can be intercepted, stored or read by almost anyone who has a desire to get into an electronic system. I still see many businesses ask for a credit card authorization form to be emailed; this is not a best practice and should be avoided.
Saving credit card numbers in house or even leaving them in plain sight within the business is not a good idea. Besides a thief attempting to use a valid credit card for attempted purchases, a credit card number and matching address can also lead to identity theft for your customer or even your business.
As a business, once a customer’s credit card is processed, it should be shredded or deleted from any and all of your systems. If you need to use it for recurring payments or future payments, the PCI standard explains the acceptable methods that meet their requirements and that enable you to conduct business and safeguard the customer’s credit card. Hint—it is probably best to have a PCI-compliant third party manage this customer data if it needs to be stored and used on a regular basis—most small-business computer systems are not set up to meet the stringent PCI requirements.
If you are using your business credit card online,
This HTTPS security requires the website owner to apply and pay for a security certificate that is stored on the web server. The certificate has an expiration date and has to be regularly renewed and updated on the web server. This HTTPS protocol encrypts plain text data, making it extremely difficult for a man-in-the-middle attack (like someone eavesdropping on a phone call). Without the HTTPS, a hacker could alter the communication between two parties who believe they are directly communicating with each other.
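The certificate expiry point above is easy to turn into a routine check. The following is an added example (not from the column): it connects with full chain and hostname verification and reports how many days remain before the certificate's notAfter date; the sample certificate dictionary and the host name shop.example.com are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect over TLS with chain and hostname verification (the default
    context does both) and return the server's leaf certificate as parsed
    by ssl.SSLSocket.getpeercert(). Raises ssl.SSLError if verification fails."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(cert: dict, now: Optional[datetime] = None) -> int:
    """Whole days left before the certificate's notAfter (negative once expired).
    notAfter uses the format 'Dec 31 23:59:59 2017 GMT', which the standard
    library's ssl.cert_time_to_seconds() parses as UTC."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days


def renewal_status(cert: dict, warn_days: int = 30, now: Optional[datetime] = None) -> str:
    """Classify a certificate for a renewal reminder: OK, RENEW SOON or EXPIRED."""
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        return "EXPIRED"
    if remaining <= warn_days:
        return "RENEW SOON"
    return "OK"


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "notAfter": "Dec 31 23:59:59 2017 GMT",
}

if __name__ == "__main__":
    # Live check of a real site would be: renewal_status(fetch_peer_cert("shop.example.com"))
    print(renewal_status(SAMPLE_CERT, now=datetime(2017, 12, 1, tzinfo=timezone.utc)))
```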
For those who want more details, PCI DSS Requirement 4.2 states that credit card information must not be captured, transmitted or stored via end-user messaging technologies (like email). Here’s why: email leaves trails of credit card numbers in inboxes, trashes, web browser caches, etc. As with any end-user technology, it’s extremely difficult to secure. According to the PCI DSS, e-mail, instant messaging, SMS, and chat can be easily intercepted by “packet-sniffing” during delivery across internal and public networks.
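A practical defense for the two points above (card numbers sent by email, and card numbers lingering in inboxes and files) is to scan outbound messages and stored text for card numbers and mask them before they leave or persist. This is an added example, not code from the column or from the PCI Council: it finds 13- to 19-digit runs, keeps only those that pass the Luhn check card networks use, and masks all but the last four digits. The sample email is constructed, and 4111 1111 1111 1111 is a well-known test card number.

```python
import re
from typing import List

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most invoice numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def _as_pan(match: "re.Match") -> str:
    """Return the digit-only form of a match if it looks like a real card number, else ''."""
    digits = re.sub(r"[ -]", "", match.group())
    return digits if 13 <= len(digits) <= 19 and luhn_ok(digits) else ""


def find_pans(text: str) -> List[str]:
    """All Luhn-valid card numbers (digits only) found in free text."""
    return [pan for pan in (_as_pan(m) for m in PAN_RE.finditer(text)) if pan]


def mask_pans(text: str) -> str:
    """Replace each detected card number with asterisks plus its last four digits,
    the usual PCI-style display form, leaving other digit runs untouched."""
    def _mask(m: "re.Match") -> str:
        pan = _as_pan(m)
        return "*" * (len(pan) - 4) + pan[-4:] if pan else m.group()
    return PAN_RE.sub(_mask, text)


# Constructed outbound message: one real-looking card number plus two digit runs
# (an invoice number and a phone number) that must not be flagged.
SAMPLE_EMAIL = """Hi, please charge the balance to my card 4111 1111 1111 1111, exp 12/19.
Our invoice number is 2017-1234567890 and the phone is 555-0100."""

if __name__ == "__main__":
    print(find_pans(SAMPLE_EMAIL))
    print(mask_pans(SAMPLE_EMAIL))
```

In a mail gateway or file scanner, a non-empty `find_pans()` result is the signal to block or quarantine the message rather than merely mask it.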
Side note: as I sit in my office writing this column, I received an email from a large electronics manufacturer asking me to send them my updated business credit card information in a reply email. I guess they are not PCI compliant and are putting their ability to have a merchant account at risk. I will call them if they need a credit card number but still wonder what they will do with the credit card number and what security they have in place.
Don’t forget paper checks
How about checks? Yes, the “old fashion” paper checks. Even bank tellers are hard pressed to identify a counterfeit check, whether it’s from your customer or someone committing fraud with one of your business paper checks. Even the instruments that once seemed safe, like certified checks, cashier’s checks, money orders and the rare traveler’s checks can easily be faked. Forgery, counterfeiting and alteration, paperhanging and check kiting are all popular forms of check fraud. If in doubt of a check’s authenticity, take the check to a branch of the customer’s bank for authentication and cashing, or call the issuing bank’s main number to verify funds. Even then you may want to delay the exchange of goods until the check has fully cleared and is deemed
Your traditional postal service mailbox can be a target by thieves looking for incoming and outgoing checks and other business documents. If you have a lot of incoming checks, a lock box at a bank or