Any process that involves people is subject to human mistakes. When your staff handles credit and debit card payments, as many employees in financial institutions do, there is room for error even when no one intends harm: an employee can mishandle card data without any ill intent. Those careless actions are still data security violations, and they can lead to fraud and improper charges to your customers' accounts, in addition to the risk of deliberate fraud.
Enforcing policies that direct employees in necessary actions provides a number of benefits:
Ensure your financial institution is mitigating the potential for errors when employees process card numbers
Protect your institution's reputation as a trustworthy financial partner
Protect customers from the possibility of card data misuse and fraud
Fortunately, you don't have to start from scratch. Here are four best practices for employees who process payments.
1. Train employees on industry requirements, standards, and regulations
A number of standards and regulations are available from industry bodies and regulators; PCI DSS, AML rules, and UDAAP are three of the most important for staff who touch payments. Ensuring your employees understand and follow them reduces the chance that they commit fraud themselves or leave the door open for others to commit fraud with your institution's data.
PCI DSS: One of the most influential industry standards for card data security is the Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council, which the major card brands founded. Every organization that accepts, processes, stores, or transmits cardholder data is expected to implement and enforce the controls PCI DSS requires in order to protect that data for all cardholders. A step-by-step guide to the PCI DSS requirements is available online.
Anti-money laundering (AML) regulations: Your financial institution is required to maintain systems that detect and report money laundering, that is, efforts to conceal money obtained through criminal activity. One of the best ways to combat money laundering is to make sure your employees know and comply with the Bank Secrecy Act, which requires suspicious activity reporting and identity verification of your institution's account holders when they conduct transactions.
UDAAP regulations: As a provider of consumer financial products, your financial institution is legally barred from unfair, deceptive, or abusive acts and practices (UDAAP). Although "unfair," "deceptive," and "abusive" sound subjective, the Dodd-Frank Act and the CFPB's supervisory guidance give working definitions of each, and training staff on those definitions minimizes the risk that your institution runs afoul of the rules.
2. Restrict employees' cell phone access
Because almost any smartphone can record audio and video, snap and share photos, and store data, personal phones must be restricted in any work area where employees have access to credit or debit card numbers or other financial data. Institute a cell phone policy for card processing employees, communicate it clearly, and enforce it. Here are some good guidelines:
Employees cannot use personal cell phones or tablets in any manner while in the work area. If employees don't cooperate, this policy can be enforced by requiring employees to store their personal electronics in a locker before reporting to their work stations.
Employees may use their phones in non-work areas, such as break rooms, and when leaving their workstations on scheduled breaks.
3. Implement a clean desk policy
A good way to safeguard sensitive information is a clean desk policy, which prohibits employees from leaving papers or electronic media in unsecured, plain-sight areas when they leave the office. Think of how easy it is to jot an account number or other confidential detail on a notepad and set it aside. Without a daily habit of clearing the desk before leaving, that note stays in view for anyone who walks by. To reduce the chance that your employees accidentally leave account holders' confidential data where others can see it, consider guidelines like these:
Employees must remove all papers, notes, and electronic media from their desktops and other unsecured workstation areas when leaving for extended breaks and at the end of each workday.
Sensitive data must be stored in locked locations as directed by your financial institution.
Paperwork with customer or other confidential data must be shredded or disposed of in a locked shredding bin.
4. Impose limits on payment processing amounts
As an additional protective measure, consider imposing transaction limits on the dollar amounts your institution's employees may process. You'll limit your financial institution's exposure by requiring that managers approve payments in excess of those specific amounts. We recommend setting graduated amounts, so that employees with longer tenure and at higher job levels are able to process higher amounts than new, unproven employees may process.
For example, say John was recently hired to take payments by phone. One day, John processes a complete payoff on a $10,000 car loan. Without a processing limit that requires John to seek his manager's approval, the payment would post immediately. If the borrower is paying off the loan with ill-gotten funds, John's employer could be held accountable for putting through an improper payment. Requiring a manager's approval makes it much more likely that a problematic payment is caught before it posts.
Once processing limits are in place, establish a regular schedule (monthly, for example) for reviewing all payments against them. Any payment that exceeds the processor's stated limit and carries no manager approval is a red flag for suspicious activity, and so is an over-limit payment "approved" by the same person who processed it.
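The monthly review described above can be automated as a simple check over the payment ledger. The following is an added example, not code from the original article; the tier limits, employee IDs, and ledger entries are constructed for illustration, and the `tier`/`approved_by` fields stand in for whatever your payment system actually records. It flags payments in the review window that exceed the processor's tier limit with no recorded approval, and also catches the self-approval case the article's policy implies but does not spell out.

```python
"""Monthly review of posted payments against graduated processing limits.

Added example (not from the article). Tier limits, employee IDs and the
ledger below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import List, Optional, Tuple

# Assumed graduated limits per employee tier (illustrative policy values).
TIER_LIMITS = {
    "new": Decimal("1000.00"),
    "standard": Decimal("5000.00"),
    "senior": Decimal("25000.00"),
}


@dataclass(frozen=True)
class Payment:
    payment_id: str
    posted: date
    employee: str                       # ID of the employee who processed it
    tier: str                           # that employee's tier at posting time
    amount: Decimal                     # Decimal, never float, for money
    approved_by: Optional[str] = None   # manager ID recorded at approval, if any


def requires_approval(payment: Payment) -> bool:
    """True when the amount exceeds the processing limit for the employee's tier."""
    return payment.amount > TIER_LIMITS[payment.tier]


def review_payments(payments, period_start: date, period_end: date) -> List[Tuple[str, str]]:
    """Return (payment_id, reason) for every payment in the period that exceeded
    its tier limit without a valid manager approval."""
    flagged = []
    for p in payments:
        if not (period_start <= p.posted <= period_end):
            continue                                  # outside the review window
        if p.tier not in TIER_LIMITS:
            flagged.append((p.payment_id, f"unknown tier {p.tier!r}"))
            continue
        if not requires_approval(p):
            continue                                  # within limit, no approval needed
        limit = TIER_LIMITS[p.tier]
        if p.approved_by is None:
            flagged.append((p.payment_id,
                            f"{p.amount} exceeds {p.tier} limit {limit}, no approval recorded"))
        elif p.approved_by == p.employee:
            flagged.append((p.payment_id, "over-limit payment approved by the processor"))
    return flagged


# Constructed ledger for one review period (March 2024).
LEDGER = [
    Payment("P-1001", date(2024, 3, 4), "john", "new", Decimal("10000.00")),                       # no approval
    Payment("P-1002", date(2024, 3, 5), "john", "new", Decimal("10000.00"), approved_by="mgr-7"),  # approved
    Payment("P-1003", date(2024, 3, 12), "maria", "senior", Decimal("20000.00")),                  # within tier limit
    Payment("P-1004", date(2024, 3, 19), "dev", "standard", Decimal("6000.00"), approved_by="dev"),  # self-approved
    Payment("P-1005", date(2024, 3, 25), "john", "new", Decimal("250.00")),                        # within limit
    Payment("P-1006", date(2024, 2, 28), "john", "new", Decimal("8000.00")),                       # prior period
]


def march_review() -> List[Tuple[str, str]]:
    return review_payments(LEDGER, date(2024, 3, 1), date(2024, 3, 31))


if __name__ == "__main__":
    for payment_id, reason in march_review():
        print(payment_id, reason)
```

Run against the constructed ledger, the review flags P-1001 (John's $10,000 payoff with no approval) and P-1004 (an over-limit payment approved by its own processor); the approved payoff, the senior employee's in-limit payment, and the prior-period entry pass. In production the approving manager's ID should come from an authenticated approval record rather than a free-text field, or the self-approval check can be bypassed.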
No set of rules removes human error from every transaction, but directing staff in proper procedures goes a long way toward minimizing the fraud and innocent mistakes that can harm your business and your account holders. By enforcing the policies above, your financial institution will be well on its way to safeguarding your account holders' financial information. To learn more about regulations and the current state of the payments industry, check out our latest ebook.