Stephanie Hooper, who owns distributor Bayside Specialties, Inc. with her husband Darrell in Burlington, Washington, found out a few months ago that the company credit card had been compromised. It was not the first time the card had been used fraudulently—in fact, she says, she has to notify her bank and replace her company credit card two or three times a year because of the recurring problem.  

“We have had fraudulent charges ranging from $12 to $2,500 for a hairdresser, pharmacy, dating service, rental agency, and most recently, a $110 charge at a burrito restaurant in Florida,” she says. “We live in Washington state and did not order $110 worth of burritos from Florida. Fortunately, our credit card provider does not hold us accountable for these charges.”  

She says she and Darrell have been taking all the precautions they can to try to isolate and eliminate the problem—such as using one credit card exclusively for supplier orders—but it persists. She believes it’s an issue many small distributors struggle with. 

“We have net 30 with most suppliers, but many want a credit card,” she says. As an alternative, she often issues a check, but a check takes longer to process, and extra time is one thing neither distributors nor suppliers can spare. 

The couple have not been able to narrow the problem down to any specific companies and have not changed vendors because of it. However, the tipping point came recently when Hooper called a supplier to place an order, gave a new credit card number and explained why her number had changed. “The person on the other end said, ‘I have a lot of distributors who tell me that.’”

Credit card fraud is a growing problem for consumers and businesses alike. In the first half of 2017, 791 data breaches were reported in the U.S., a 29-percent increase over the same period in 2016. In 2016, losses due to credit card fraud topped $24.71 billion, according to the Nilson Report. The Federal Trade Commission (FTC) reports that Florida led the nation with 300,000 fraud complaints filed in 2015; Georgia and Michigan came in second and third, respectively.

During a recent panel discussion among data security experts, panelists argued that insiders can pose more of a threat to a company’s data than outsiders because of the access they already have. According to an article in Data Insider, an employee who wants to steal or leak information can usually do so far more easily than an outsider, and employees can also leak credit card information accidentally, putting customers at risk. One panelist added that, from a practical standpoint, any sizable organization is likely to have unhappy employees, who therefore have a motive to mishandle customer credit card information. 

Knowing how easy it can be for card information to be shared and misused, distributors need to be vigilant to minimize their exposure:

1. Never write a credit card number on a purchase order.

2. Never send a credit card number by email, fax or text.

3. Provide your credit card number by phone only to a specific person who is handling the order. Ask for that person’s name and ask him or her not to repeat your number as others may be listening.

4. Check your credit card statement frequently to look for any questionable charges, and follow up immediately with your bank.

5. Maintain one credit card for product orders; it’s easier to manage the security and to solve problems if the card is compromised.
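Practices 4 and 5 together amount to a reconciliation: if one card is used only for supplier orders, every charge on its statement should match an approved supplier and an open purchase order, and anything else is the “$110 of burritos from Florida” case. The script below is an added example, not code from the article or from Bayside Specialties; the statement lines, supplier names and purchase orders in it are constructed sample data.

```python
"""Review a card statement against approved suppliers and open purchase orders.

Added example; not code from the article or from any company quoted in it.
It assumes the card is used only for supplier orders, so every charge should
match an approved supplier and an open purchase order placed with that
supplier. Statement lines, supplier list and purchase orders are constructed.
"""
import csv
import io
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample statement in the CSV shape most card issuers export.
STATEMENT_CSV = """date,merchant,city,state,amount
2018-03-02,Acme Pens Inc,Los Angeles,CA,412.50
2018-03-05,Totally Tees,Seattle,WA,1290.00
2018-03-06,Burrito Palace,Tampa,FL,110.00
2018-03-08,Acme Pens Inc,Los Angeles,CA,2500.00
2018-03-09,Salon Noir,Miami,FL,12.00
"""

# Approved suppliers the card may be used with (constructed, hypothetical names).
APPROVED_SUPPLIERS = {"ACME PENS INC", "TOTALLY TEES"}

# Purchase orders paid by card that have not yet been reconciled (constructed).
OPEN_PURCHASE_ORDERS = [
    ("ACME PENS INC", Decimal("412.50")),
    ("TOTALLY TEES", Decimal("1290.00")),
]


@dataclass(frozen=True)
class Charge:
    date: str
    merchant: str
    city: str
    state: str
    amount: Decimal


def normalize(name: str) -> str:
    """Statements print merchant names in inconsistent case and spacing."""
    return " ".join(name.upper().split())


def parse_statement(text: str) -> list:
    """Parse statement CSV text into Charge records; Decimal avoids float cents."""
    rows = csv.DictReader(io.StringIO(text))
    return [Charge(r["date"], r["merchant"], r["city"], r["state"],
                   Decimal(r["amount"])) for r in rows]


def review(charges, approved, open_pos):
    """Return (findings, unmatched_pos).

    findings: list of (charge, reason) that need a call to the bank or supplier.
    unmatched_pos: purchase orders with no charge yet, kept so that a later
    charge for them is not mistaken for fraud.
    """
    remaining = [(normalize(s), amt) for s, amt in open_pos]
    findings = []
    for c in charges:
        name = normalize(c.merchant)
        if name not in approved:
            findings.append((c, "merchant is not an approved supplier"))
            continue
        key = (name, c.amount)
        if key in remaining:
            remaining.remove(key)  # one charge consumes one purchase order
        else:
            findings.append((c, "approved supplier but no open purchase order for this amount"))
    return findings, remaining


def review_sample():
    """Run the review over the embedded sample data."""
    return review(parse_statement(STATEMENT_CSV), APPROVED_SUPPLIERS, OPEN_PURCHASE_ORDERS)


if __name__ == "__main__":
    findings, unmatched = review_sample()
    for charge, reason in findings:
        print(f"{charge.date} {charge.merchant:<15} {charge.city}, {charge.state} "
              f"${charge.amount:>8}: {reason}")
```

On the sample data this flags the Tampa and Miami charges (no approved supplier) and the second Acme charge (approved supplier, but no purchase order for $2,500), which is exactly the list to take to the bank. Matching on exact amount is deliberate: a charge from a real supplier for an amount nobody ordered is just as suspicious as one from an unknown merchant.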

The safest way to provide suppliers with a credit card number is to enter it online when making a purchase, says Dale Denham, MAS+, Geiger chief information officer. “It is far easier to put your credit card in online than to give it to someone over the phone, especially if the merchant is PCI compliant (see the sidebar, How PCI Compliance Adds Security, below). A PCI-compliant merchant employee almost never sees or has access to the credit card number. Geiger allows and encourages our customers to pay their bills online rather than call in.”

How Suppliers Protect Customer Data

While distributors who place orders using credit cards must take careful measures to protect their numbers, much of the burden also falls on suppliers to safeguard that information. 

Harvey Mackler, MAS, president of supplier GEMPIRE/GWI, takes several steps to protect his customers’ credit card numbers. “When we accept the card information, we enter it into a PCI-compliant system coordinated with our merchant credit card processor, which happens to be one of the country’s largest commercial banks. We do not keep numbers on file,” he says. “If they are on an order, we will black them out after a one-time use. After the order is processed, we shred it.” 

His advice to distributors is to use caution: do not include the credit card number on a purchase order or in an email; give it over the phone. Suppliers, for their part, should control who is allowed to receive such information from a customer. 

Tony Greenway, credit manager at Edwards Garment, uses a credit card processor so all the company’s client information is stored on the processor’s gateway. The data is also encrypted, and the company has a policy not to exchange or forward credit card data by email.

He recommends suppliers not store any data on their servers or in a hard copy file. If that’s not an option, limit accessibility to authorized personnel only and have a written policy outlining who has access to the data.
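The policies above (never send a card number by email, black numbers out after one use, never forward card data) all come down to one mechanical check: can a system tell that a piece of text contains a card number, and replace it before it is stored or sent? The script below is an added example, not code from Geiger, GEMPIRE/GWI, Edwards Garment or the article. It finds candidate 13- to 19-digit runs, validates them with the Luhn checksum that real card numbers satisfy, and masks each valid one to its last four digits. The sample order note is constructed and uses the well-known Visa and Mastercard test numbers, which pass Luhn but are not issued to anyone.

```python
"""Find and mask card numbers (PANs) in free text.

Added example; not code from any company quoted in the article. This is the
kind of check an outbound e-mail filter or an order-entry system can run so a
full card number is never stored, forwarded or printed: candidate 13-19 digit
runs (single spaces or dashes allowed) are validated with the Luhn checksum,
and each valid PAN is replaced by asterisks plus its last four digits.
"""
import re

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right (subtracting 9
    when the result exceeds 9); the total must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Yield (start, end, digits) for every Luhn-valid candidate in text."""
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            yield m.start(), m.end(), digits


def redact(text: str):
    """Return (redacted_text, count), each PAN masked to its last four digits."""
    pieces, last, count = [], 0, 0
    for start, end, digits in find_pans(text):
        pieces.append(text[last:start])
        pieces.append("*" * (len(digits) - 4) + digits[-4:])
        last, count = end, count + 1
    pieces.append(text[last:])
    return "".join(pieces), count


# Constructed sample: an order note a supplier might receive by e-mail.
# The PO number is 16 digits but fails Luhn, so it must survive untouched.
SAMPLE_NOTE = (
    "Please charge 4111 1111 1111 1111 for PO 1234567890123456, "
    "backup card 5500-0000-0000-0004, call 360-555-0123 with questions."
)

if __name__ == "__main__":
    clean, n = redact(SAMPLE_NOTE)
    print(f"{n} card number(s) masked: {clean}")
```

Two caveats for anyone putting this in front of real mail: the Luhn check only filters out random digit runs, so any Luhn-valid 13- to 19-digit number (some device serials, for instance) will also be masked, and in an outbound filter the safer action on a hit is to hold the message and tell the sender, rather than silently rewriting it. Where the masked form is kept, as Mackler describes for paper orders, the last four digits are enough to match a payment to an order without retaining the PAN.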

Last fall, SAGE introduced Stripe, a leading payment provider, as its new payment processing service. Available to suppliers and distributors, it provides the benefit of Stripe’s easy-to-understand fee structure and the added security of SAGE’s integration solutions. Companies can take customer payments by using the SAGE secure online website, SAGE Mobile or, as part of the new SAGE Online v.14, they can charge cards directly from within the program. End users can also safely and securely send invoice payments through a participating distributor’s website using the “Pay My Bill” feature.

The service takes the place of other payment processing services that companies may subscribe to and is charged per transaction with no monthly fee. “We make it very simple for anyone in the industry to process credit cards safely and securely, and do so by leveraging technologies and services we already have in place,” says Jarod Thorndike, director of business development at SAGE. 

Security Best Practices

The Federal Trade Commission urges companies to follow these practices to protect customer data:

  • Take stock. Know what personal information you have in your files and on your computer. Understand how personal information moves into, through and out of your business and who has access—or could have access—to it.
  • Scale down. Keep only what you need for your business. That old business practice of holding on to every scrap of paper is obsolete and dangerous. Unless you have a legitimate business reason to keep personal identifiable information stored in your files or databases, get rid of it.
  • Lock it. Protect the information you keep. Be cognizant of physical security, electronic security, employee training and the practices of your contractors and affiliates.
  • Pitch it. Properly dispose of what you no longer need. Make sure papers containing personal information are shredded so they can’t be reconstructed by an identity thief.
  • Plan ahead. Draft a plan to respond to security incidents. Designate a senior member of your team to create an action plan before a breach happens.

Hooper’s hope is that raising the issue will create awareness of an industry problem she has not heard discussed before. 

“I feel like we have been responsible and done everything possible on our end,” she says. “Even then, it happens.” 

---

How PCI Compliance Adds Security 

PCI (payment card industry) compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS), a set of rigorous requirements administered by the Payment Card Industry Security Standards Council. Its purpose is to tighten the controls around how a business handles card data and so reduce credit card fraud. PCI compliance is not a purely technical matter and is not limited to credit card processing—it reaches into a number of business processes. Geiger is one industry company that is PCI compliant.

“Compliance is important because a merchant can be held liable if the merchant credit card information is breached,” says Denham. “Even if liability is not imposed on the merchant, the loss of trust from customers could damage the brand.” He says the process of becoming compliant is intense, and it takes months of work and a significant investment to properly follow the guidelines. “No matter how good you feel about your security, once you go through PCI-compliance efforts, you will realize you were not very secure and you’ll be glad you went through the process.”

For small businesses, the easiest way to be compliant is to ensure credit cards are entered into a third-party system that is PCI compliant. “This way all information is put on a PCI-compliant server. However, many merchants process the card locally and send the data to the server. Therefore, in most cases merchants must implement all other controls for equipment that involves the PA-DSS certified software,” he says. Even companies that take a customer’s credit card verbally must enter it into a PCI-compliant system. In PCI DSS terms, the distinction Denham draws is between fully outsourcing card entry to a validated third party (a hosted payment page, for example), which leaves the merchant with a short list of controls to meet, and having the merchant’s own systems, staff or phone lines handle card data, which brings those systems into scope for the standard. 

Learn more about the requirements and benefits of PCI compliance at www.pcisecuritystandards.org.

---

Tina Berres Filipski is editor of PPB.