For some, offline activity might seem like the most secure (and least intrusive) route. We all have that one friend who won’t buy anything online or use any social networking platform. And recent headlines like the massive Equifax data breach remind us that we are vulnerable to attack.
But there are also plenty of risks related to offline activities - especially offline invoicing. If you’re still using a handwritten ledger for your invoicing records, that ledger can get lost - rendering you helpless if you get audited by the IRS. And that spreadsheet on your desktop? It can be easily compromised if your computer is stolen or attacked by a virus.
Online invoicing platforms can - and should - provide a lot of protection to their customers. But you can’t assume that all cloud invoicing providers have the appropriate security measures in place. When evaluating invoicing tools, request information about the specific security features they offer. Here’s a short list of critical security features for online invoicing platforms, as well as a few bonus features that go the extra mile:
Incident response plan and notification procedure
One of the first things you should know is how an online invoicing provider will handle an incident, should it occur. If the provider is faced with a malware infection or an insider breach, what steps will they take to contain the attack? Which of their employees are responsible for specific actions? How will you as a customer be notified, and by whom?
An incident response plan and accompanying notification procedure should give you a sample roadmap on what to expect in the event of an incident. Think of it as your fire drill procedure for online invoicing.
Another initial question you should have is this one: what is the online invoicing platform doing with my business’s data? Which pieces of data will they keep? For any data they keep, will they share it with any external parties, and if so, who are they and why do they get access to my data? These are all critical inputs to understand, to protect both your business and your customers.
And there’s one answer you definitely want on your list. When you ask if the cloud invoicing provider stores any payment data, the answer should be a resounding NO. All payments made through the invoicing platform should be processed by a third-party payment platform, with zero data collection by the invoicing provider (other than the fact that the transaction occurred).
Bonus: If your customers are storing health-related information or they are EU residents, take the extra precautions and check for both HIPAA and GDPR compliance, respectively. HIPAA regulations covering patient healthcare records are currently in force. GDPR doesn’t take effect until May 25, 2018, but having that compliance in place (or knowing it is in progress) will help you rest easy.
The Payment Card Industry Data Security Standard (PCI DSS) lays out an established set of rules for protecting credit card data online. There are varying levels of protection, depending on how many transactions are processed annually. Any business looking to become PCI compliant can work with a number of third-party vendors who are authorized to certify compliance.
So why does your invoicing platform need to be PCI compliant, if they don’t collect any payment data and don’t process any transactions themselves? PCI DSS applies not only to the processing and storage of credit card data, but also to the handling of that data over networks. For any cloud invoicing provider that integrates with a payments platform, that data is passing over their networks - even if they aren’t keeping it.
Encryption: HTTPS, SSL and secure passwords
Encryption is the foundation of a secure online experience, and these protocols have become almost a requirement for authenticated websites. HTTPS, which stands for Hyper Text Transfer Protocol Secure, is just HTTP with encryption. It ensures that any transmissions between the website in question and your browser are secure. An SSL certificate is required in order for HTTPS transmission to work. And secure passwords are simply encrypted passwords.
Bonus: Two-factor authentication is yet another way to provide an added layer of security. It allows users to log in and then request an additional access code sent somewhere only the user has access to. In many cases, the code is texted to the user’s phone.
Secure inquiry process
Let’s say you need to make an online inquiry to your cloud invoicing platform. How do they know it’s really you, and not some fraudster trying to steal your data? With a secure inquiry process, you can use a platform-specific PGP key to verify your identity, and to verify any messages you receive back.
Want to learn how Invoiced meets your cloud invoicing security requirements? Schedule a demo to learn more.