Safely storing payment details remains a significant challenge for online businesses. Currently, data fraud makes up 35% of identity theft cases, and the number of data breaches is continuously growing. Data breaches are expensive and time-consuming to deal with and can be reputationally damaging for companies. Businesses that fail to keep credit card information safe risk losing their customers’ trust, getting fined anywhere between $5 thousand and $100 thousand a month, losing their merchant account, and other legal penalties. Therefore, limiting access to stored card data and regularly deleting it is vital to avoid becoming a target for cybercriminals. It is essential to show your customers that you have their best interest at heart, which will help you grow a loyal customer base and a good reputation. There are several nuances to storing credit card data: things you can and cannot record, and specific ways of doing it. We will share some advice for managing and storing credit card data safely.
Best Practices for Safely Storing Customer Payment Data
Merchants need to understand their responsibility of safeguarding their customers’ credit card information. Businesses with merchant accounts for processing transactions have a contractual obligation to keep customer payment data secure. The contract merchants sign to open a merchant account states that their business must be PCI compliant, a key component of which is keeping account information safe. The way merchants store their customers’ data, the equipment and services used to process payments, and who has access to this database impact how well credit card information is protected.
1. Use PCI Compliant Hardware and Software
Not all the hardware and software you find on the market is safe to use; some products have security holes that lead to data breaches. Make sure to follow PCI compliance when selecting the services and applications you will use to store sensitive information. Steer clear of storing unencrypted and unprotected data on a local computer or in a CRM, as that is a breach of PCI compliance and can have catastrophic results. From terminals for Point-of-Sale transactions to swipers attached to phones running payment processing software, everything you use must follow the same guidelines listed in your contract. Additionally, your business or the third-party service you use needs to perform systematic, routine hardware and software checks and apply regular security updates. Credit card information security is an arms race between attackers and security vendors over who can advance their technology first. Reputable companies providing payment processing and security services undergo rigorous testing to ensure the integrity of their products. To comply with PCI standards, exclusively use tested and approved technology with strict security measures and data encryption.
2. Use PCI Approved Service Providers
You can choose to outsource credit card data storage to a third-party service fully dedicated to keeping payment data safe. Using a service provider will alleviate the burden of secure data storage and narrow down your compliance scope. Third-party providers will take care of encryption, tokenization, and PCI compliance with their ready-to-use systems. You can use web-based Software-as-a-Service (SaaS) providers, IVR phone services, or payment processing platforms to manage credit card storage and processing for you. Such providers are routinely tested by external QSAs (Qualified Security Assessors), who perform a comprehensive audit of policies, procedures, and systems to ensure PCI compliance. As a PCI-compliant business, you can only use providers who have been PCI validated.
3. Only Store Data When Necessary
Storing credit card information is only necessary when a business supports recurring billing or if customers make frequent purchases. In many cases, with one-time purchases, it is more practical to delete their data rather than holding on to it and increasing the risk of a data breach. You should figure out if storing credit card data is beneficial for your business and only store payment data for legitimate, regulatory, or business reasons. If the risk outweighs the benefit of data storage, you are better off discarding the information.
4. Always Encrypt and Secure Payment Information and Phone Recordings
If you need to store credit card data, for cases such as proof of written authorization for mail-order payments or recurring billing, you need to ensure its safety. Familiarize yourself with PCI requirements for either physical or electronic credit card data storage. If you store information on paper, it is crucial to restrict physical access to the documents, because data breaches from within the company are more common than you would think. For electronic data storage, always encrypt the information using a robust algorithm to create an extra level of protection in case someone gains access to the database. You can also take advantage of data protection services, which can be standalone products or part of a complete payment processing package. One of the tools provided by third-party providers is tokenization, which, like encryption, turns card information into opaque tokens. Tokens are useless without access to the vault that stores the database, meaning they can be kept in any unsecured file. If your data is well-encrypted, you can store the cardholder’s name, card number, and expiration date.
Businesses record calls to monitor the quality of service and to keep proof of payment authorizations. When processing payments over the phone, you create a database of credit card numbers and security codes, which is vulnerable to theft. Digital storage of such information requires immediate encryption and a password-protected directory with limited access.
5. Securely Collecting Credit Card Details
When capturing credit card numbers online, you should always use an official payment gateway. Never use regular text fields for sensitive information, as they are more susceptible to outside threats.
Taking card details remotely also poses a threat to the security of the payment data, because home or public networks are much less secure, which is why you should avoid it. If processing a single payment remotely on a manual machine, you should key the card details directly into the device without writing them down anywhere.
6. Never Store Security Codes or Electronic Track Data
With proper data encryption, you can store the information printed on the front of the credit card. However, processing regulations prohibit the storage of security codes or the track data contained in the magnetic stripes of credit cards. Security codes are used for authorizing transactions, which works only if the code is never saved in a database. In the case of physical storage of credit card information on paper, you need to redact the security code once you process the transaction and before you store the file. Track data is the account information not displayed on the card, which assists in authorizing transactions and preventing fraud. There are card readers on the market that can make this data visible and software that can store it without your knowledge, making it crucial to exclusively use hardware and software that has been tested and approved.
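As an added illustration of sections 4 and 6 (this is example code written for this page, not code from the original article or any vendor), here is a small Python sketch of a storage layer that refuses security codes and magnetic stripe track data, keeps only the cardholder name, card number and expiry behind an opaque token, and lets the application see only a masked number. The field names, the track-data patterns and the Luhn check are assumptions.

```python
import re
import secrets

# Sensitive authentication data that must never be stored after authorization
# (security code, magnetic stripe track data, PIN). Field names are assumed.
FORBIDDEN_FIELDS = {"cvv", "cvc", "security_code", "track1", "track2", "pin"}

# Magnetic stripe track layouts: track 1 starts "%B<PAN>^", track 2 starts ";<PAN>=".
TRACK_RE = re.compile(r"^(?:%B\d{12,19}\^|;\d{12,19}=)")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used here only to reject obviously mistyped card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class CardVault:
    """Toy tokenization vault: the card number stays here, callers only hold an
    opaque token. In a real system _store would be an encrypted database that
    sits inside the PCI scope; this in-memory dict is a stand-in for the example."""

    def __init__(self) -> None:
        self._store: dict[str, dict[str, str]] = {}

    def store(self, record: dict[str, str]) -> str:
        present = FORBIDDEN_FIELDS & set(record)
        if present:
            raise ValueError(f"refusing to store sensitive authentication data: {sorted(present)}")
        for value in record.values():
            if TRACK_RE.match(value):
                raise ValueError("refusing to store magnetic stripe track data")
        pan = re.sub(r"\s", "", record["pan"])
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid card number")
        # Only the permitted fields survive: card number, expiry date, cardholder name.
        token = secrets.token_urlsafe(16)
        self._store[token] = {"pan": pan, "expiry": record["expiry"], "name": record["name"]}
        return token

    def masked_pan(self, token: str) -> str:
        """What the rest of the application is allowed to display: last four digits only."""
        pan = self._store[token]["pan"]
        return "*" * (len(pan) - 4) + pan[-4:]
```

The card number used in the checks is the well-known test value 4111 1111 1111 1111, not a real account.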
Secure credit card storage is a hefty investment, especially for startups. However, data security is not something you should skimp on. Cutting corners with the safety of your customers’ payment information can cost you more in the long run. The fines, ruined customer relationships, and legal penalties resulting from PCI compliance violations will jeopardize your business, and you can even lose your merchant account. It is more convenient to use a third-party gateway system, which reduces development costs and lets you start processing payments within a few hours or days. By following our advice and using the right tools, you can safely store your customers’ credit card information and meet your contractual obligations.