"As the windows of opportunity narrow in the arenas that attract the greatest notoriety, such as e-commerce and Internet raids on repositories of consumer data, small business enterprises become more and more attractive to the organized, professional rings who specialize in this white collar crime.

"The news is ripe with stories every week of small businesses that were targeted. Even a dozen records in the wrong hands can result in tens, if not hundreds, of thousands of dollars worth of misery for the consumers who suddenly find themselves responsible to unravel the bureaucratic nightmare induced by identity theft."

Lehman noted that it is relatively easy for people intent on crime to gain access to customer data from companies who are still capturing the cardholder's information by writing it down or imprinting cards. The problem is first compounded by the fact that the vast majority of these enterprises do not see themselves as targets and secondarily, they do not believe they are vulnerable until it is too late, he said.

The problem of identity theft is not germane to the United States either. "The issue is global in proportion and a highly visible fraud incident can seriously damage consumer confidence in giving credit card information to a violated merchant," said Steve Cochran of Semtek Innovative Solutions, San Diego.

Companies that do not take necessary precautions to protect customer information and verify customer background information are subject to chargeback from banks and credit card companies.

"Chargeback occurs when a cardholder's credit card details are used to purchase items without their authorization," said Richard Howell of Commerciant L.P., Houston.

"This generally involves online companies, who often cannot verify that the person entering the details on their site is the actual cardholder.

"When the cardholder becomes aware of the activity, they usually notify their bank, who are likely to refund almost all of the costs. These costs are then passed back to the company involved as a chargeback, effectively a penalty for accepting the transaction without proper verification of the purchaser's identity."

TAKING NECESSARY STEPS TO PROTECT IDENTITY THEFT

Lehman believes that most companies can benefit from using these devices, which encrypt credit card information, and are designed to effectively shield sensitive and private customer names, account numbers, and contact information.

"The fact is that most companies could not only prevent this exposure by adopting a wireless platform immediately; they could actually reduce their processing expense in the process," he noted.

"The hardware pays for itself from the onset. Those who lease their systems have no upfront cost, so there is no budgetary reason to delaying implementation."

John Pelizon, of Ace Pelizon Plumbing, Sewer, and Electric, Covina, Calif., said that his people know most of the Pelizon customers. Having a card swiper just adds to the security.

"We do mainly residential service work and we usually know who we work for," he said. "If the name on the card does not match the name that we are working for, we are concerned and start asking more questions. Now that we swipe the credit cards, we no longer write the card number on the service orders like we did in the past.

"Being able to swipe the credit card in front of the customer is a big plus."

There aren't any eyes seeing credit card information when using these wireless machines - and that is a good thing according to one contractor.

"The privacy of the credit card is built into the system because it is swiped and the card number is not called in for someone else to hear the number," noted Ellie Bastian of Kel-Aire, Rodeo, Calif.

Using a paperless system to approve credit cards and checks is another way to keep employees honest, too.

"Skimming occurs when an unscrupulous employee at a legitimate merchant takes a second copy of the card details on the magnetic strip before processing the payment through a point-of-sale terminal," said Howell. "This copy of card details is sold on the black market to fraudsters who clone the cards."

Cochran has words of caution for customers and business owners. "The advice that we give is to make sure that systems they are using - online, wireless, and store point-of-sales - adheres to the Card Association security standards and that their credit card data is encrypted before it enters the payment system infrastructure," he said.

"To protect against identity theft and credit card fraud, Semtek's Mobile Swipe solution encrypts all credit card data in the card reader when the card is swiped before card data is passed to the cellular network."

The machines that swipe and encrypt credit card and check information are effective tools for fighting identity theft, but machines are only as good as the people who operate them. That is why business owners like Bob Etingoff of the Sansone Corp., Deerfield Beach, Fla., ensures that employees are trained and knowledgeable regarding proper security measures.

"Only employees who have a need due to their job description are allowed to accept credit cards, and only after proper training has been accomplished."

Lehman commented, "It is possible to take precautionary steps to dramatically reduce the potential of both internal and external theft of customer data. Any time you allow a single employee to accept payment from your customers, exposure becomes a possibility. It is not a question of possibility, but of probability."

He said that contractors who choose not to use a wireless platform to accept credit cards or checks should take the following measures:

1. Do not call in data from field to office personnel. Adopt a system or paperwork drop at the office for authorization. Cellular voice transmissions are insecure.

2. Limit the number of personnel who have access to this data.

3. Keep all paperwork that contains customer data under lock and key.

4. Chargeback rights expire after 18 months. Shred documents on a scheduled basis once they are no longer needed.

5. Audit procedures to ensure policy adherence.

"We make sure that anyone with the authority to accept and run our customer's credit cards are fully trained," Etingoff noted. "In today's world of credit card and identity theft, it is very important for our customers to feel confident and secure when they give us private information.

Publication date: 05/15/2006