As a merchant, customers place a lot of trust in you when they make a card payment. Whether you process transactions online or over the phone, you are obliged, under your card-acceptance agreement (which requires PCI DSS compliance) and usually under data protection law as well, to handle and store customer card information securely, so that a breach is prevented and the risk of fraud is minimised.
In this guide, we’ll look at how to store credit card information safely and securely, as well as addressing some of the potential risks of doing so, and how to mitigate them.
Can you store credit card information?
As long as there is a legitimate business reason to do so, and all PCI DSS requirements are met, merchants are permitted to store the following card data after a transaction has been authorised:
- Cardholder name
- Primary account number (PAN, the long card number)
- Expiration date
- Service code
Businesses holding this data must meet every applicable PCI DSS requirement, and in particular must render the PAN unreadable wherever it is stored: by truncation, by a keyed cryptographic hash, by replacing it with a token, or by strong encryption with the keys managed separately from the data. Cardholder name, expiry date and service code are not sensitive on their own, but when they are stored alongside the PAN they must be protected with it.
What credit card information cannot be stored?
To protect cardholders from fraud, Sensitive Authentication Data (SAD) must not be retained after authorisation, even if it is encrypted. This data is extremely valuable to attackers because it is what allows a stolen card to be used for both card-present and card-not-present transactions, and it includes:
- The full PIN or PIN block (even if encrypted)
- The card verification code printed on the card (CVV2/CVC2/CID, the three- or four-digit code)
- Full track data from the magnetic stripe, or the equivalent data read from the EMV chip
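The two lists above translate into a concrete rule for the code that sits between the checkout form and the database: the record that gets persisted must have no place for SAD, and the PAN in it must be unreadable. The Go program below is an added illustration written for this guide, not code from any payment provider or from the PCI Security Standards Council. It assumes a data-encryption key and a separate lookup key supplied by a key-management system (here generated in memory for the demo), keeps the PAN as AES-256-GCM ciphertext, keeps a keyed HMAC-SHA256 of the PAN for matching repeat customers without decrypting anything, and keeps a masked copy (first six and last four digits) for receipts. The card number used is the well-known Visa test value, not a real account.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// CapturedCard is what a checkout page or virtual terminal hands the
// application at authorisation time. The SAD fields live only in memory
// for the duration of the authorisation and are never written anywhere.
type CapturedCard struct {
	Name        string
	PAN         string
	Expiry      string // MMYY
	ServiceCode string
	CVV         string // SAD: must not be retained after authorisation
	PIN         string // SAD
	Track2      string // SAD: full magnetic stripe / chip equivalent
}

// StoredCard is the only shape allowed to reach a database or a backup.
// By construction it has no field for CVV, PIN or track data.
type StoredCard struct {
	Name          string
	MaskedPAN     string // first six and last four digits, for receipts and screens
	PANLookup     string // hex HMAC-SHA256(PAN) under a dedicated key, for matching without decrypting
	PANCiphertext []byte // AES-256-GCM: nonce || ciphertext || tag
	Expiry        string
	ServiceCode   string
}

// luhnValid rejects mistyped or non-numeric PANs before anything is persisted.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0') // wraps to >9 for any non-digit byte
		if d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 13 && sum%10 == 0
}

// maskPAN keeps the first six and last four digits, the most PCI DSS allows on a display.
func maskPAN(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// keyedPANHash is a keyed hash, not plain SHA-256: the PAN space is small enough
// that an unkeyed hash could be reversed by brute force.
func keyedPANHash(lookupKey []byte, pan string) string {
	mac := hmac.New(sha256.New, lookupKey)
	mac.Write([]byte(pan))
	return hex.EncodeToString(mac.Sum(nil))
}

func encryptPAN(dek []byte, pan string) ([]byte, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

func decryptPAN(dek, blob []byte) (string, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return "", err // wrong key or tampered record
	}
	return string(pt), nil
}

// Tokenize turns a captured card into the storable record. dek and lookupKey are
// assumed (hypothetically) to come from a key-management system, never from the
// database or backup that holds the records.
func Tokenize(c CapturedCard, dek, lookupKey []byte) (StoredCard, error) {
	if !luhnValid(c.PAN) {
		return StoredCard{}, errors.New("invalid PAN")
	}
	ct, err := encryptPAN(dek, c.PAN)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{
		Name:          c.Name,
		MaskedPAN:     maskPAN(c.PAN),
		PANLookup:     keyedPANHash(lookupKey, c.PAN),
		PANCiphertext: ct,
		Expiry:        c.Expiry,
		ServiceCode:   c.ServiceCode,
	}, nil
}

func main() {
	dek, lookupKey := make([]byte, 32), make([]byte, 32)
	rand.Read(dek)
	rand.Read(lookupKey)
	// Constructed sample input: the standard Visa test number, with a made-up CVV.
	card := CapturedCard{Name: "A Customer", PAN: "4111111111111111", Expiry: "1227", ServiceCode: "201", CVV: "123"}
	rec, err := Tokenize(card, dek, lookupKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", rec) // masked PAN, keyed hash and ciphertext; the CVV has nowhere to go
	pan, _ := decryptPAN(dek, rec.PANCiphertext)
	fmt.Println("round trip ok:", pan == card.PAN)
}
```

Two design points carry the weight here. The `StoredCard` type has no SAD fields, so a later developer cannot accidentally persist the CVV without changing the schema, which is easier to catch in review than a stray column. And the two keys are independent: compromising the lookup key lets an attacker confirm whether a known PAN is in the table, but not recover any PAN, while the data-encryption key never needs to be present on the systems that only search.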
What are the risks of storing credit card information?
To be able to securely store credit card information, you need to understand the potential risks of holding this type of information, and how they can affect your business and its customers.
Some of the key risks associated with storing credit card information in databases include:
Malware and hacking
Attackers target a wide variety of organisations and types of data, but cardholder details are particularly attractive because they can be sold or used immediately. Phishing emails with links to malware, malicious attachments, and unpatched software on the systems that touch card data are just some of the ways attackers gain access to the databases where customer card information is stored.
Theft of backup files
Backing up files is good practice, but when it comes to card information you need to be extremely careful. If attackers cannot break into your production database, they may go after your backups instead, which are often kept on less well-protected storage or handed to a third party and fall outside the controls applied to the live system.
Data theft by employees
Current or former employees may be able to abuse their privilege to access sensitive data and steal credit card information. This could be for their own personal use, or to sell to a third party.
How to safely store credit card information
Failing to securely store your customers' credit card information could have serious negative impacts on your business. In the worst case, attackers could access payment data and steal money from your customers, causing them financial harm and severely damaging your reputation. Even if no data is stolen, if you are found to be in breach of PCI DSS you could face fines from your acquirer, higher transaction fees, or the loss of your ability to accept cards.
Here are some tips on how to securely store customer credit card information:
Make sure you comply with PCI standards
Having a basic understanding of PCI DSS is important for every business that accepts cards, but often isn't enough to ensure compliance. Each organisation is different, and it is its own responsibility to work out how PCI DSS applies to it (which scope it falls into, which self-assessment questionnaire or assessment applies) and to take the measures needed to meet its compliance obligations.
The PCI Security Standards Council is the best place to go for the most up-to-date information about PCI standards. They also offer training and qualification programs to help businesses better understand their responsibilities, and how to ensure that they are PCI compliant.
Use a secure payment gateway
No matter how the transaction is carried out, card details should never be written down when taking a payment. Using a secure payment gateway or virtual terminal allows businesses to enter payment details securely, completing the transaction without actually storing any of the sensitive information.
Use a PCI-compliant card data storage system
Use a PCI-compliant system for card data rather than storing it within your existing CRM solution. As well as improving compliance, this gives you greater control over access and keeps sensitive information siloed, so a compromise of the CRM does not expose card data. Always stay on top of software updates so that you are running the most recent version and benefiting from its security patches.
If you back up card data, store the backups on secure servers and databases and make sure the files are fully encrypted, with the encryption keys kept separately from the backups themselves. That way, if a backup is stolen, the data is not readable; an encrypted backup stored next to its key offers no protection at all.
Restrict employee access
Make sure that only employees who have a legitimate business need can access credit card information, even if it’s encrypted. Update user permissions within your storage systems to prevent unauthorised users from accessing data, and remember to revoke access when employees leave the organisation.
You should also provide regular cyber security and PCI compliance training to ensure that employees understand and adhere to best practices, and the consequences of failing to do so.
Don’t store anything you don’t need to
If you really want to avoid the risks associated with storing customer credit card information, you could always choose not to store it at all. While it offers benefits to your customers, including a more streamlined checkout process, you’re not obliged to store any personal information. Remember that you must never store Sensitive Authentication Data (SAD) such as the PIN, CVV or full magnetic stripe data.
Outsource your checkout
You might choose to use a third-party checkout service such as PayPal or Shopify, which completes the transaction on your behalf so that card data never reaches your systems, and takes on much of the compliance burden so you don't have to. If you opt for this route, make sure the provider is PCI DSS compliant (ask for its current Attestation of Compliance), and regularly review any third parties you rely on to ensure that the partnership remains in the best interests of your business and its customers.