Properly storing credit card information can be tricky, as data breaches can be detrimental for both the customer and the business that’s been hacked. Stealing credit cards and other sensitive information can almost feel like a personal attack. It causes businesses to lose the trust of their customers and may even require legal intervention. However, in today’s increasingly contactless world, allowing customers to make credit card purchases is a must. The pandemic has increased the use of credit cards and exploded the eCommerce market in the United States.
If your business accepts credit cards, you have an obligation to safeguard your customers’ credit card information. In the contract you signed with your processor, you agreed to comply with industry data security standards. A good payment provider has the technology and processes in place to meet these compliance requirements. Likewise, you have your own responsibilities to ensure your business appropriately safeguards your customers’ information: how you store credit card information, the equipment you use to do it, and the service providers you partner with. Read on to learn how your business can employ best practices for storing credit card information.
Storing Credit Card Info
Events like the Equifax data breach are a reminder of how important it is for a business to securely store credit card information and other personal data. If you run a recurring or subscription-based business, you need to store credit card info routinely. Your merchant service provider is the best place to start looking for a solution. They should offer services that can store your customers’ credit card information, as well as data security guidance.
Considerations for Storing Credit Card Information
There are many different aspects of data security to consider when running your business. When you store credit card information you run the risk of data breaches and fraudulent activity. While we’ll cover the simple things you can do as a business owner to keep card information safe, there are certain measures your processor will have you complete. These measures are imposed anytime you begin processing credit cards in the U.S.
Upon securing a merchant account, you must follow the Payment Card Industry Data Security Standard (PCI DSS) to securely process card payments. This standard is a framework that the PCI Security Standards Council developed and updates as necessary. It sets the minimum requirements you must follow to protect cardholder data. For example, the only way to store data under the PCI DSS is on PIN devices and payment applications that have been certified by the PCI Security Standards Council. Businesses that choose to forgo PCI compliance are subject to penalties such as the PCI non-compliance fee.
This may seem confusing, but you don’t have to figure this out yourself. Simply talk to a certified payment processor for more information.
5 Best Practices for Storing Credit Card Info
Now that you know the importance of properly storing credit card information, it’s time to put this knowledge into practice. Below are some helpful best practices when it comes to storing customer information.
1. Never Store Credit Card Info in Compromising Places
Writing down and storing credit card information on paper should never happen. Even if you shred the information later, this is all around a bad idea. Likewise, Google Drive, Dropbox, and other online storage platforms are also never secure ways to store credit card information on their own.
If your business keeps all your customer information in CRM profiles, don’t use the CRM to keep credit card information as well. While it may be convenient to have all of a customer’s information in one place, it’s a highly insecure option. You need either a system with a secure vault that holds this information or a separate, secured software integration that retrieves it only when necessary.
2. Ensure Data is Encrypted
When you store credit card information for things like processing repeat transactions, you need to make sure these files are always encrypted. That encryption should use a robust algorithm to safeguard the information. A robust algorithm will help protect the data even if something happens, like a stolen computer or unauthorized access.
Some payment processors provide a secure information storage service. If this is not already part of your service package, you can add it to your existing service agreement. This commonly works through a process called tokenization. The business receives a “token” that stands in for the card number in its database. The token itself is an arbitrary value with no mathematical relationship to the card number, so it doesn’t have to live in a secure file. When you need to process a payment, you send the service provider the token and it sends back the full card number.
3. Be Extra Careful with Recurring Billing
Running a business on a recurring billing model is tricky. In fact, the PCI DSS generally discourages businesses from storing this information at all. Therefore, it’s imperative that you take extreme care when doing so. The PCI standards also control where cardholder data is transmitted and stored.
Access control, network segmentation, periodic penetration testing, and vulnerability scanning are among the requirements. Using tokens can minimize the need to store credit card information while allowing you to continue operating the business as needed.
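To make the tokenization pattern from sections 2 and 3 concrete, here is an added example (not code from the original article, and not any real processor’s API) of the two halves of the design: a vault that encrypts the card number with AES-256-GCM and hands out a random token, and the merchant-side record that keeps only the token, the last four digits and the expiry. The vault key, the `tok_` prefix, the `cust_42` customer id and the Luhn-valid test card number are constructed for the example; in practice the vault lives with the processor, and the key never touches the merchant’s systems.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Vault stands in for the processor's tokenization service. It is the only
// place that ever sees a full card number (PAN) in the clear.
type Vault struct {
	aead    cipher.AEAD
	records map[string][]byte // token -> nonce || AES-GCM ciphertext of the PAN
}

// NewVault builds a vault around a 32-byte AES-256 key (held by the processor,
// never by the merchant).
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, records: map[string][]byte{}}, nil
}

// Tokenize encrypts the PAN under a fresh random nonce and returns a random
// token. The token is bound to the ciphertext as GCM associated data, so a
// record cannot be silently re-labelled with another token.
func (v *Vault) Tokenize(pan string) (string, error) {
	if !LuhnValid(pan) {
		return "", errors.New("rejecting malformed card number")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(raw) // no relationship to the PAN
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(token))
	v.records[token] = append(nonce, ct...)
	return token, nil
}

// Detokenize recovers the PAN for a token; unknown or tampered records fail.
func (v *Vault) Detokenize(token string) (string, error) {
	rec, ok := v.records[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := v.aead.NonceSize()
	pt, err := v.aead.Open(nil, rec[:ns], rec[ns:], []byte(token))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// MerchantRecord is all the merchant's own database keeps for repeat billing:
// a token and display data, never the PAN.
type MerchantRecord struct {
	CustomerID string
	Token      string
	Last4      string
}

// StoreCard sends the PAN to the vault once and persists only the token.
func StoreCard(v *Vault, customerID, pan string) (MerchantRecord, error) {
	token, err := v.Tokenize(pan)
	if err != nil {
		return MerchantRecord{}, err
	}
	return MerchantRecord{CustomerID: customerID, Token: token, Last4: pan[len(pan)-4:]}, nil
}

// LuhnValid is the standard mod-10 checksum used to catch mistyped card numbers.
func LuhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 12 && sum%10 == 0
}

func main() {
	v, _ := NewVault([]byte("0123456789abcdef0123456789abcdef")) // constructed test key
	rec, _ := StoreCard(v, "cust_42", "4111111111111111")          // constructed test PAN
	fmt.Printf("merchant keeps: %+v\n", rec)
	pan, _ := v.Detokenize(rec.Token)
	fmt.Println("vault resolves token to:", pan)
}
```

Run it with `go run` and note what each side holds: a dump of the merchant’s table shows `tok_…` and `1111`, while the card number exists only inside the vault’s encrypted record. That separation is what lets a subscription business keep billing its customers without the PCI DSS scope that storing the card number itself would bring.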
4. Look for Hardware Updates
All of your hardware, whether it’s a POS system or an iPhone credit card reader, should be PCI compliant. You can’t assume that everything offered for sale is compliant; unfortunately, that’s not always the case.
Using any hardware with security loopholes and vulnerabilities puts your business and your customers at risk. Verify that the hardware vendors and the equipment you’re interested in purchasing are PCI compliant. You can also search the PCI DSS website for a list of approved vendors.
5. Partner with a Reputable Service Provider
You don’t have to be the one to install credit card processing software. Work with a reputable payment provider that handles this for you. They are experts in their field and have undergone rigorous testing and approval to demonstrate that they know how to store credit card information. Providers must pass testing performed by an external Qualified Security Assessor. This assessor audits the provider’s policies, procedures, and systems to ensure they meet the established standards. A provider who passes this testing earns the title of “PCI DSS Validated Entity.” These providers are the only ones you should consider when deciding on the right partner.