With recent data breaches that put credit card and other personal information in jeopardy, consumers are understandably concerned with how businesses handle their sensitive data. Here are six best practices that your business can follow to properly handle customer credit card information.
1. Understand your obligation
As a business owner, if you have a merchant account for processing credit card transactions, you are contractually obligated to safeguard your customers’ credit card information.
That’s right, if you look at the fine print of the contract you signed, it likely states that your business must be “PCI Compliant”. A key part of PCI Compliance is safeguarding account information, including how you store the information as well as the equipment and service providers you use.
When you use a third-party software (like PaySimple) to process payments, the product should safeguard all of customers’ credit card information.
2. Use only approved equipment and software
Whether you use a terminal for Point of Sale transactions or a swiper attached to a computer or mobile phone running payment processing software, you need to be certain that all of your hardware and software is PCI Compliant. Unfortunately, not all equipment that’s available for sale is okay to use. There are many applications and card readers that have security holes and vulnerabilities that make them less than ideal. Reputable hardware and software vendors undergo rigorous testing to ensure the integrity of their products. To protect your customers and your business, be sure to use only tested and approved solutions. You can find lists of approved providers on the PCI DSS website, which are searchable by company name or product name:
3. Use only approved service providers
If you don’t want to install and run credit card processing software yourself, you can use a service provider to manage credit card processing and credit card account storage for you. Service providers include web-based SaaS (Software as a Service) providers, IVR phone services, and even companies to which you outsource all payment processing functions. These service providers must undergo extensive testing to make sure that the trust you place in them is deserved. The testing is done by an external QSA (Qualified Security Assessor) who performs a comprehensive audit of the company’s policies, procedures and systems. If a company passes, it is designated a “PCI DSS Validated Entity.” As part of your PCI compliance, you are required to use only PCI DSS Validated service providers.
4. Never store electronic track data or the card security number in any form
While you may have a business reason for storing credit card information, processing regulations specifically forbid the storage of a card’s security code or any “track data” contained in the magnetic strip on the back of a credit card.
The card security number, called by many acronyms including CVV2, CID, and CSC, is the three digit number on the back of Visa/MasterCard/Discover cards, or the 4 digit number on the front of American Express cards. It is designed to provide a way for merchants to know whether a customer authorizing a transaction over the phone or via the Internet actually has the card in their possession. This approach only works if the security code is never stored with the card number. Electronic storage makes this easy. You simply do not create a field for the security code. For paper storage, you need to redact (cross out with a dark pen to make unreadable) the security code after you successfully process the transaction and before you store a paper authorization form.
The track data stored in the magnetic strip on the back of the card also contains information about the account that is not displayed on the card. This data assists with authorizing transactions and ensuring that credit cards cannot be easily counterfeited. Card readers can be made to make this track data visible, and software can be designed to store it—even without your knowledge.
Clearly you should store neither security codes nor track data purposely. But, you need to make sure you don’t store it inadvertently as well. To do this, be certain to use only approved hardware and software (see #2 above.)
5. Make sure all electronic storage of credit card account numbers is encrypted and all paper storage is secured
There are situations where you want to store credit card numbers to keep, for example, proof of written authorizations for mail-order payments or recurring payment authorizations. If you keep paper documents that contain credit card numbers, be sure that they are always locked in a secure place (such as a safe or file drawer) when not in use.
Electronic storage of credit card numbers is also common if, for example, you process recurring or repeat transactions. If you do this, you need to make certain that you never store these files unencrypted. You need to make certain that any electronic storage is encrypted using a robust encryption algorithm. That way, if your computer is stolen or if someone in your office gains unauthorized access, you have some level of protection for the credit card numbers.
There are many service providers that offer secure storage—either as a standalone service or as part of a payment processing package. These services typically provide you with a “Token” for a card number they store. You can store the token in any unsecured file. When you’re ready to process a payment, you simply send the service provider the token and it retrieves the full card number for the sole purpose of processing the payment. (It’s technically more complicated than that, but you get the idea.) Just be certain to use a PCI DSS Verified provider (see #2 above) if you decide to go this route.
6. Make sure any phone recordings that contain credit card account numbers are encrypted
Many businesses that take telephone orders record calls to both monitor service quality and to keep proof of payment authorizations. If you do this, you are actually creating a database of credit card numbers (and often security code numbers) that is vulnerable to theft and misuse. If you store them digitally, as many VOIP Systems do, you need to encrypt them immediately (or as soon as practical), and store them in a limited access password-protected directory. You also need to ensure that there is no software attached to the storage system that will enable text-to-speech conversion that will make large numbers of credit card numbers vulnerable to someone who accesses the system.
Simply following these six best practices will go a long way towards meeting your contractual requirements to safeguard credit card account information and to be PCI Compliant. But that’s not the only reason to do it– protecting your customers’ credit card information shows that you have their best interests at heart, which is just good business.
PaySimple is an all-in-one payment, invoicing, and customer management solution for small and medium businesses.
Visit PaySimple.com to learn more or start exploring now with a free trial: