Smartpay : The security smarts in your EFTPOS terminal that keep payments secure

Data security is a hot topic - listening to the news it seems that payment card security breaches and credit card fraud is on the rise, particularly in the United States. A merchant recently asked us about the security of transactions on their Smartpay EFTPOS terminal after reading an article involving a breach on terminals in the US. Natasha Ching, one of the Product Managers in our Technology Team, explains why Smartpay customers can have confidence the security of our payment solutions.

Are the bad guys winning?

If you look at the media coverage you might think so! They're not winning, but the rapid growth of card payments means the whole playing field has increased, so they're not going away either.

Keeping your business secure is our number one priority. Our software applications and terminal hardware are constantly evaluated against local and global security standards.

Could it happen here?

The payments infrastructure varies from country to country. There is a vast difference between the point-of-sale and payment landscape in New Zealand and the United States - for one they've only just started promoting chip and PIN cards over magnetic stripe and signature verification in the last few years.

There are even differences between us and our closest neighbours, Australia. However, one of the good things about both of our payments industries is because we are smaller we have less payment processors and other third-party service providers handling our payment data. Less people in the chain means we can collaborate to ensure we have robust security practices in place. The recent nationwide EFTPOS terminal upgrade was a direct example of our collaboration with Paymark to help keep everyone secure.

What sort of security does Smartpay use?

Our EFTPOS terminals do most of the heavy lifting for you, they are equipped with several built-in security features to prevent both hardware and software tampering. Our terminals are compliant with the latest software, and are certified by Payments New Zealand (who manage and govern the New Zealand's payment systems) and Paymark (New Zealand's payment network). The hardware and software is developed to strict security standards to keep credit card data safe before it even leaves the terminal.

When you use your terminal to take a card payment it sends off the card and purchase data to make sure the customer has funds and that you get paid. Sounds simple, but there's a lot being done under the hood in the short amount of time you and your customer are waiting.

Each time you take an EFTPOS payment, transaction data is scrambled before it even leaves the terminal. Once it is sent over the network, Paymark use Point-to-point encryption (P2PE) standards to protect the data as it moves through the authorisation process and ultimately returns a response to your EFTPOS terminal.

Another issue faced in the US is that some merchants hold unencrypted payment card data in their systems. This is what the hackers want and why they get the security breaches we hear about. Smartpay integrated solutions are designed smarter. Our integration product interfaces simply send requests and receive responses without the need to for the POS to transmit or ever handle card data in the clear.

What can I do to stay safe?

If you are processing or storing credit card information in your business you are responsible for card data security. Here are a few tips to keep your business and customers secure.

Make sure your EFTPOS terminal software is certified and up-to-date.
If you lease a Smartpay terminal we will help you with this by providing remote software updates and hardware upgrades when required.

Keep your EFTPOS hardware safe.
Make sure it can only be used by authorised and trained operators. Verify and supervise service technician visits. Physically inspect your terminal regularly to check for tampering or unidentified additions.

Respect card data.
Have a policy for how to handle credit card information. If you must collect or store credit card data make sure it is held securely in a locked container or secured computer file. Do not store full card data in one place. Only provide access to the people who really need it. Do not keep data for longer than is necessary and always dispose of card data carefully and thoroughly.

Keep your electronic equipment and Internet connection secure.
Use up-to-date anti-virus software. Always change passwords from their factory defaults. Use strong passwords that include a variety of characters and update them regularly. It is not recommended to use unsecured networks or public Wi-Fi for your payment processing devices.

Surveillance cameras.
If you have surveillance cameras installed, ensure they cannot inadvertently capture your customer's PIN entry process.

Stay alert.
Make sure you and your staff are alert to possible card fraud and suspicious behaviour.

If you are unsure about your responsibilities or have questions about Payment Card Industry Data Security Standards (PCI DSS) compliance contact your merchant bank for further information and advice.