May 7, 2013

The Value of the Shift4 Merchant ID

You would never think to hand over your personal checking account number to the clerk at a store, right? You’d use your debit card – a protected representation of your checking account – instead. But are you as careful with your business’ data? Just as your personal bank issues you a checking account number, your merchant bank assigns you a merchant account number. These merchant account numbers should be protected just as you protect your personal financial data.

A merchant ID number (MID) should help you keep your merchant account number private. A MID should identify your business to vendors without revealing your financial data to them.

Unfortunately, your bank (or the MSP/ISO representing your bank) may take the lazy route and choose to use your sensitive merchant account number as a MID. This is a terrible idea because a MID is designed to be shared, while your merchant account number is sensitive data that ought to be protected!

Shift4 does MIDs the right way. Just as we tokenize your clients’ sensitive cardholder data (CHD) by replacing it with a TrueToken, we provide you with a Shift4 MID in order to protect your sensitive merchant account information. Shift4’s MIDs provide a much needed layer of security for merchants since we create MIDs that are unique, numeric codes that represent your merchant account, but are in no way related to it.

Whenever possible, you should give only your Shift4 MID to your vendors to limit the distribution of your actual merchant account information; no matter how much you trust your vendors, it’s a smart move for the security of your business. This is why we supply you with a configuration report to give to your vendors when you are setting up your account. We do it to ensure they receive only your Shift4 MID and not your actual, sensitive merchant account data. To gain this added level of security, it’s important that you personally complete the initial setup paperwork (profit center forms) that we send you, as opposed to letting your bank, MSP, or vendor fill out the form on your behalf. Yes, it will take you a few extra minutes up front, but the time spent will provide an additional layer of security for your merchant account. It’s worth the small extra effort to do this yourself rather than hand over your sensitive data to people who really don’t need it.

Even internally, once your Shift4 MID is created, we here at Shift4 only allow a select few of our team members (all of whom have undergone extensive background checks) to have access to your actual merchant account information. And they can only see the amount of information that is necessary for them to do their jobs. In all other cases, we use only your secure Shift4 MID.

Why so much security? Because your Shift4 MID protects more than just your merchant account information. Since your merchant account is tied to your credit card processing, a hacker who gains access to your account number could use that information to generate false credits – taking money from your account and “refunding” it to their own credit card. Frighteningly, this can be done with relatively little know-how by anyone with a payment terminal (which can be easily and legally acquired from numerous online retailers). This type of fraud could not only result in the loss of thousands of dollars, but may also result in the termination of your merchant account.

One final benefit of the Shift4 MID is that it never changes in your POS/PMS, even if you change your bank or processor or decide to add a new card type. Many POS vendors charge hefty fees to make a MID update or change in your system. With a Shift4 MID in place, no change is necessary, which means no added cost.

Security and savings. That’s the value of the Shift4 MID.
As always, if you have any questions, feel free to contact Shift4 Support by calling 702.597.2480 (option 2).