1. You can’t afford a data breach.
I was actually one of the people that was involved in the Target Black Friday data breach — in fact, I shopped there twice during the time period, and used two different cards in those trips, so you can imagine my card replacement experience was a real joy. I also shopped at Michael’s during their data breach period, so I’m super excited about that as well. Do you think I will think twice about doing holiday shopping at both of these places? You bet.
But consumer confidence (and the lost sales from it) is only half the problem when you have a data breach. I saw this picture when I walked into Target last week (for the first time since last November, by the way):
Can you afford to not only pay for damages and fines created by a data breach, but to buy a year of credit monitoring for every single one of your customers?
2. You don’t have a team of programmers working on your site.
If hackers can get through the defenses at Target and Michaels, who both have the resources to have pretty robust security systems that are hosted on private servers, what do you think they will do to your little site on your shared webhosting? Even if you purchase a SSL certificate for secure browsing or transactions on your site, you can still be vulnerable if the back end of your site isn’t properly secured and maintained (which happens often on shared hosting).
3. You’re not a security expert.
When the Heartbleed Bug came out recently, most business owners I talked to had no idea what this was all about. In fact, I received so many questions that I wrote this post to straighten out some of the confusion around the issue. If the top programmers took a while to fix this, and you don’t understand what the issue was… should you be storing any data that you can not be absolutely sure is secure?
4. Even I "Leave Data Storage to the Professionals"
I don’t store any financial data, nor do I process any credit cards directly through my site. I rely on services such as Infusionsoft and Paypal to assume the liability and financial responsibility of my transactions. Think about it — even companies like Ebay and Etsy outsource their payment options, so there is no reason why you shouldn’t too.
5. Security Compliance is Confusing
Do you know what data is considered sensitive and what data can be submitted by plain text? Do you know how to make your business compliant? (Here’s the 34-page "Quick Guide" in case you’re curious.) Do you stay in touch with all the current trends and issues in security and compliance? If you answered no to any of these, you should probably avoid storing or transmitting sensitive financial data yourself.
What You Should Be Doing Instead
If you’re ready to admit that you are not the best person to be storing financial information, and you don’t want to assume the risk and the liability, follow these tips to avoid problems:
- Use a Third-Party Payment Processor
Companies like PayPal, Stripe, and Square keep your customers’ data safe by making the transaction on their site and only submitting back a message of success or failure. You get paid, your customer keeps their information safe, and non-sensitive information like a shipping address can be sent to you to complete the transaction. - Don’t write down credit card numbers for later use.
If you need to make a sale at an event, don’t record a credit card number for later use — have the customer pay instantly with a card reader from Square or PayPal. Not only does it keep your customers’ data secure, it gives you instant feedback on the payment so you don’t have to find out later that the card won’t work. - If you take credit cards over the phone, enter them directly.
If you have an advanced payment account, such as PayPal Virtual Terminal, you can charge credit cards manually for payment. By typing the information directly, you are avoiding liability for writing the number down AND you’ll instantly know if the payment will go through. - If you process payments on your site, use SSL
If you are using a 3rd party processor but the transaction originates on your site (such as the setup you would get using Gravity Forms and Paypal), you will need a SSL certificate. Contact your developer or hosting provider for one, and ask them what else you need for your site to be compliant. A safer option would be to use a checkout service that looks like your site but is actually hosted on fully-compliant, secure servers (like this one). - Delete any financial information in your e-mail.
If a client sends you any sensitive information through e-mail (such as logins for financial institutions or account numbers), make sure you delete it right away and flush it from the trash — in case anyone ever gets into your e-mail or steals your mobile phone. - Use strong passwords.
Create strong passwords for yourself and encourage your clients to use them. - Protect your mobile devices.
Do you do mobile computing with a phone, laptop or tablet? Password-protect all of them and look into the ability to remotely wipe your data if your device was ever stolen so that you will keep client information (and yours!) secure.
Good luck and stay safe!
Questions? Feel free to ask below!