If your customers and employees don’t trust you to keep their financial information secure, your business will suffer, possibly even fail. Recent reports indicate that, “Up to 60% of small businesses fold within six months of a cyber-attack.” You never want to be responsible for identity thieves stealing a customer’s credit card information or gaining access to one of your company’s bank accounts. There can be no room for error when it comes to keeping payment information secure. Every business, no matter its size or industry, has payment information to protect. If you accept money for services, or make payments to vendors, your records contain data that thieves could exploit. Proper data destruction is essential when it comes to protecting sensitive data.
Data Destruction Best Practices: Protecting Payment Information
Keeping payment information secure is not just a matter of data security best practices, but may also be a matter of law. Some of the payment information in your records constitutes personally identifiable information. PII includes any information that could be used to identify the person it belongs to. For example, a receipt that has a customer’s name and part of a financial account number could be considered PII.
There’s no federal U.S. law that requires all businesses to protect PII. Some states have their own laws around PII security, which are designed to protect the privacy of state residents. That means that businesses with out-of-state customers may be required to protect those customers’ PII by the laws of their home states.
Here in Massachusetts, 201 CMR 17.00 protects the personal information of all Commonwealth residents. Under this law, “personal information” includes any combination of a resident’s name and financial account number. Any business that owns or stores such information about a Massachusetts resident is required by this law to safeguard that information in both paper and digital forms. These businesses must protect such records from being accessed by outsiders, and ensure that all personal information is thoroughly destroyed when it’s no longer needed.
Depending on where you’re located and whose payment information you handle, you may be governed by the laws of one or more states. You don’t need to research every state’s PII law, though: as long as everyone within your business is diligent about data security and data destruction best practices, your payment information should already be well protected.
So how can you keep all your sensitive data secure, including payment information?
- Refresh (or create) your data destruction policies. Hopefully, your business already has a robust data destruction policy. (If not, let this be your reminder to create one!) It’s been a chaotic year, and reviewing your data destruction policy may have been low on your to-do list. It’s worth reading through any policies you have around data destruction now. Make sure these policies include language around handling payment information, especially if you have any employees who work remotely and have access to this information. Creating and sharing information about data destruction best practices can prevent remote employees from making careless mistakes, like putting printed documents in their personal recycling bins for curbside pickup.
- Make sure you understand how digital payment information is being stored, managed and destroyed. Unless they’re tech people, business owners and managers are often unfamiliar with the details of their own digital security measures, and may feel they simply have to trust that whoever manages their systems is doing everything correctly. If that sounds like you, ask your IT person to walk you through all the current procedures for storing, managing and destroying payment information.
- Create data destruction timelines for payment information. Being proactive about data destruction and data security doesn’t mean shredding everything. Your business needs to keep certain kinds of documents in case you’re ever audited. Timelines vary depending on what kind of records you have, so speak to your accountant if you need help determining how long to keep things like receipts and invoices. Once you know how long each kind of record should be kept, you also know when it’s safe to destroy obsolete records—no guessing required.
- Shore up security practices for physical files. Because you should keep certain kinds of financial records for up to seven years, make sure any physical files containing payment data are stored behind several layers of security. Any document that contains financial information about anyone should be locked away and only accessible with your approval.
- Have a data destruction plan for payment cards. Business credit cards help you keep your business running smoothly, but they can also be a liability. The more employees who have their own cards, the greater your risk. Check that your data destruction plan addresses the proper handling of payment cards. Payment cards that are no longer active should be shredded.
Northeast Data Destruction is here to meet all your data destruction needs. Our NAID “AAA” certification demonstrates our ongoing commitment to the security of our customers’ most sensitive data, including payment information.
If you have any doubts about the security of your business’s payment information, you can’t afford to put them aside. I’m happy to answer any questions you have about data destruction. Contact me today!