Consumers trust you with their sensitive data, including credit card information. Data breaches still happen, but there are ways to ensure you are doing your best to keep personal information secure. Here are six best practices that your business can follow to properly handle customer credit card information.
1. Understand your obligation to protect information
If you have a merchant account for processing credit card transactions, you are contractually obligated to protect your customers’ credit card information.
If you look at the fine print of the contract you signed, it likely states that your business must be “PCI Compliant”. A key part of PCI Compliance is safeguarding account information, including how you store the information as well as the equipment and service providers you use.
When you use third-party software (like PaySimple) to process payments, the product should protect all of your customers’ credit card information. The obligation, however, stays with you: you are still responsible for choosing a validated provider and for what your own systems and staff do with card data.
2. Use only approved equipment and software
Whether you use a terminal for point-of-sale transactions or a card reader attached to a computer or mobile phone running payment software, you need to be certain that all of your hardware and software is PCI compliant. Unfortunately, not all equipment offered for sale is acceptable. Many applications and card readers have security holes and vulnerabilities that make them unsuitable for handling card data.
Ask about EMV (chip) card readers. A chip is far harder to clone than a magnetic stripe, so EMV readers cut counterfeit-card fraud at the point of sale and are far more trustworthy than the old swipe-only technology.
Reputable hardware and software vendors undergo rigorous testing to ensure the integrity of their products. To protect your customers and your business, use only tested and approved solutions. You can find lists of approved devices and validated payment software on the PCI Security Standards Council website, searchable by company name or product name.
3. Use only approved service providers
If you don’t want to install and run credit card processing software yourself, you can use a service provider to manage credit card processing and credit card account storage for you. Service providers include web-based SaaS (Software as a Service) providers, IVR phone services, and even companies to which you outsource all payment processing functions.
These service providers undergo an extensive assessment by an external Qualified Security Assessor (QSA), who performs a comprehensive audit of the company’s policies, procedures and systems. If the company passes, it is designated a “PCI DSS Validated Entity.” As part of your own PCI compliance, you are required to use only PCI DSS validated service providers and to keep a record of which providers handle card data on your behalf.
4. Never store electronic track data or the card security number
While you may have a business reason for storing card numbers, PCI DSS specifically forbids storing a card’s security code or any “track data” from the magnetic stripe (or the equivalent data on the chip) once a transaction has been authorized, even in encrypted form.
The card security number, known by many acronyms including CVV2, CID and CSC, is the three-digit number on the back of Visa, MasterCard and Discover cards, or the four-digit number on the front of American Express cards. It exists so that a merchant taking an order over the phone or via the Internet can check that the customer actually has the card in hand. That check only works if the security code is never stored alongside the card number. For electronic storage this is easy: simply do not create a field for the security code, and make sure it is not captured in logs or debugging output either. For paper storage, redact the security code after you successfully process the transaction and before you file the paper authorization form.
The data encoded on the magnetic stripe contains account information that is not printed on the card. It is used to authorize transactions and to make counterfeiting difficult. Some card readers expose this raw data to the attached software, and software can be written to store it, without your knowledge.
You should never store security codes or track data on purpose, but you also need to make sure you do not store them inadvertently. The first line of defense is to use only approved hardware and software (see #2 above); the second is to periodically check your own logs, databases and file shares for card data that should not be there.
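One way to run that periodic check is a small scanner that looks for the tell-tale shapes of the data this section says must never be stored. The example below is added here as an illustration and is not PaySimple’s code or part of any PCI tool; it scans a constructed log dump for Track 1 and Track 2 strings, labelled security-code fields, and bare card numbers, using the Luhn check to separate real PANs from look-alike numbers such as invoice IDs. The sample lines, field names and the token format are all made up for the demo; the two card numbers are the public Visa and MasterCard test numbers.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one occurrence of card data that should not be sitting in a log, dump or file share.
type Finding struct {
	Kind   string // "track1", "track2", "security-code-field" or "pan"
	Line   int    // 1-based line number within the scanned text
	Masked string // redacted excerpt, safe to put in a report
}

var (
	// Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
	track1Re = regexp.MustCompile(`%[A-Z](\d{13,19})\^[^^]{2,26}\^\d{4}[^?]*\?`)
	// Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
	track2Re = regexp.MustCompile(`;(\d{13,19})=\d{4}[^?]*\?`)
	// A labelled security-code field, e.g. cvv=123 or "cvc2": "1234" (field names are a guess; tune them to your systems).
	cvvRe = regexp.MustCompile(`(?i)\b(?:cvv2?|cvc2?|cid|csc|security[ _-]?code)\b"?\s*[:=]\s*"?(\d{3,4})\b`)
	// 13-19 digits, optionally separated by spaces or hyphens; confirmed with the Luhn check below.
	panRe = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
)

// luhnValid reports whether a digit string passes the Luhn checksum that every card PAN satisfies.
func luhnValid(digits string) bool {
	if len(digits) < 13 || len(digits) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// maskPAN keeps only the last four digits, which PCI DSS permits to be displayed.
func maskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// Scan walks text line by line and returns every prohibited or sensitive item found.
func Scan(text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		n := i + 1
		for _, m := range track1Re.FindAllStringSubmatch(line, -1) {
			out = append(out, Finding{"track1", n, "%B" + maskPAN(m[1]) + "^...?"})
		}
		rest := track1Re.ReplaceAllString(line, "<track1>")
		for _, m := range track2Re.FindAllStringSubmatch(rest, -1) {
			out = append(out, Finding{"track2", n, ";" + maskPAN(m[1]) + "=...?"})
		}
		rest = track2Re.ReplaceAllString(rest, "<track2>")
		for _, m := range cvvRe.FindAllStringSubmatch(rest, -1) {
			out = append(out, Finding{"security-code-field", n, strings.Repeat("*", len(m[1]))})
		}
		rest = cvvRe.ReplaceAllString(rest, "<cvv>")
		// Bare PANs last, after track and CVV matches are blanked out so they are not double counted.
		for _, m := range panRe.FindAllString(rest, -1) {
			digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
			if luhnValid(digits) {
				out = append(out, Finding{"pan", n, maskPAN(digits)})
			}
		}
	}
	return out
}

// Constructed sample "log dump" for the demo; the PANs are the public Visa/MasterCard test numbers.
const sampleDump = `2024-03-01 12:00:01 order=1001 card=4111 1111 1111 1111 exp=12/25
2024-03-01 12:00:02 order=1002 raw=%B5555555555554444^DOE/JANE^25121010000000000000?
2024-03-01 12:00:03 order=1003 raw=;4111111111111111=25121010000000000000?
2024-03-01 12:00:04 order=1004 body={"last4":"1111","cvv":"123"}
2024-03-01 12:00:05 order=1005 token=tok_8f3a9c2d invoice=1234567890123`

func main() {
	for _, f := range Scan(sampleDump) {
		fmt.Printf("line %d: %-20s %s\n", f.Line, f.Kind, f.Masked)
	}
}
```

Run against the sample, the scanner flags the spaced PAN on line 1, the Track 1 and Track 2 strings on lines 2 and 3 and the `cvv` field on line 4, while the 13-digit invoice number on line 5 is ignored because it fails the Luhn check. Track and CVV matches are blanked out before the bare-PAN pass so the card number inside a track string is reported once, as track data. In production you would point this at database exports, application and web-server logs, crash dumps and backups, and treat any hit as an incident to investigate.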
5. Encrypt and secure electronic credit card account numbers and paper storage
There are situations where you want to store credit card numbers to keep, for example, proof of written authorizations for mail-order payments or recurring payment authorizations. Keep paper documents with credit card numbers locked in a secure place (like a safe) when not in use.
Electronic storage of credit card numbers is also common if, for example, you process recurring or repeat transactions. If you do this, you cannot store these files unencrypted. Make certain any electronic storage is encrypted with a strong, standard algorithm (AES, for example), with the encryption keys kept separate from the data and access to them tightly restricted. This provides some protection if there is theft or unauthorized access, although the numbers are only as safe as the keys. Wherever a stored number is displayed, show no more than the first six and last four digits.
There are many service providers that offer secure storage, either as a standalone service or as part of a payment processing package. These services typically give you a “token” in place of a card number they store. The token reveals nothing about the card and is useless outside your account with that provider, so you can keep it with your ordinary customer records; it still deserves protection, since anyone who can act as you with the provider could charge it. When you’re ready to process a payment, you send the service provider the token and it retrieves the full card number for the sole purpose of processing the payment. Use a PCI DSS validated provider (see #3 above) if you go this route.
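To make the two halves of this section concrete, here is an added example of the token scheme described above, written for this article and not taken from PaySimple or any provider. A hypothetical vault (standing in for the service provider) encrypts each card number with AES-256-GCM under a key it alone holds and hands back a random token; the merchant keeps only the token, the last four digits and the expiry, and the card number is reconstructed solely inside the provider at charge time. The key in `main` is generated on the spot for the demo; a real provider would keep it in an HSM or key-management service, away from the data. The `tok_` prefix, `CardOnFile` record and `Charge` function are illustrative names, and the "charge" only formats a receipt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// record is what the provider's vault keeps per card: AES-GCM ciphertext plus its nonce.
// The PAN itself is never written anywhere in the clear.
type record struct {
	nonce      []byte
	ciphertext []byte
}

// Vault plays the role of the PCI DSS validated service provider's tokenization store.
type Vault struct {
	aead  cipher.AEAD
	store map[string]record // token -> sealed PAN
}

// NewVault wraps a 32-byte AES-256 key. A real provider would fetch the key from an HSM or
// key-management service rather than keep it beside the data (assumption for this demo).
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, store: map[string]record{}}, nil
}

// Tokenize seals the PAN and returns a random token that reveals nothing about the card.
func (v *Vault) Tokenize(pan string) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(raw)
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// The token is bound in as associated data, so a ciphertext moved under another token fails to open.
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(token))
	v.store[token] = record{nonce: nonce, ciphertext: ct}
	return token, nil
}

// Detokenize is the only path back to the PAN and runs inside the provider, at charge time.
func (v *Vault) Detokenize(token string) (string, error) {
	r, ok := v.store[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	pt, err := v.aead.Open(nil, r.nonce, r.ciphertext, []byte(token))
	if err != nil {
		return "", errors.New("stored card data failed integrity check")
	}
	return string(pt), nil
}

// CardOnFile is everything the merchant keeps for recurring billing; no PAN, so an ordinary record.
type CardOnFile struct {
	Token  string
	Last4  string // PCI DSS allows the last four digits to be displayed
	Expiry string
}

// SaveCard tokenizes once at enrolment; after this the merchant never handles the PAN again.
func SaveCard(v *Vault, pan, expiry string) (CardOnFile, error) {
	token, err := v.Tokenize(pan)
	if err != nil {
		return CardOnFile{}, err
	}
	return CardOnFile{Token: token, Last4: pan[len(pan)-4:], Expiry: expiry}, nil
}

// Charge simulates the provider's side of a recurring payment: detokenize, "charge", and return a
// receipt that carries only the last four digits.
func Charge(v *Vault, c CardOnFile, cents int) (string, error) {
	pan, err := v.Detokenize(c.Token)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("charged %d cents to card ending %s", cents, pan[len(pan)-4:]), nil
}

func main() {
	key := make([]byte, 32) // demo only: a real key lives in an HSM/KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	card, _ := SaveCard(v, "4111111111111111", "12/25") // public Visa test number
	fmt.Printf("merchant stores: %+v\n", card)
	receipt, _ := Charge(v, card, 1999)
	fmt.Println(receipt)
}
```

Two design points matter here. The token is random rather than derived from the card number, so it cannot be reversed or correlated across merchants, and enrolling the same card twice yields two unrelated tokens. GCM gives integrity as well as confidentiality: a modified ciphertext, or one copied under a different token, is rejected on decryption instead of yielding a wrong card number that might be charged.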
6. Encrypt phone recordings that contain credit card account numbers
Many businesses that take telephone orders record calls both to monitor service quality and to keep proof of payment authorizations. If you do this, you are creating a database of credit card numbers (and often security codes) that is vulnerable to theft. If you store recordings digitally, encrypt them as soon as possible and keep them in a directory with access limited to the few people who need it. Make sure no speech-to-text (transcription) software is attached to the storage system: a transcript would turn every recorded card number into searchable text for anyone who reaches the system. Better still, pause the recording while the card details are read out, so they are never captured at all.
Following these best practices will go a long way towards meeting your requirements to safeguard credit card account information and to be PCI Compliant. But that’s not the only reason to do it. Protecting your customers’ credit card information shows that you have their best interests at heart, which is just good business.
PaySimple is an all-in-one payment, invoicing, and customer management solution for small and medium businesses.
Visit PaySimple.com to learn more or start exploring now with a free trial.