Securely storing customer card data
Ask a question.
Dear Your Business Credit,
I work in a small business. We use credit cards to process deposits, and we record on a registration card the customers’ credit card number and ask for the name on the credit card.
My question is do we need to record the exact name on the card or is the customer's name sufficient? We only enter the credit card number in our credit card processing machine. I have co-workers who insist on getting the exact name on the card since they believe the credit cards cannot be legally processed without that information. We also use another customer system where we use credit card numbers and customer names but in that system we do not insist on the exact name on the card.
I do not think that the average customer would be aware of guidelines regarding this use. I have not been able to find any additional useful information on the internet regarding this. Any feedback would be appreciated. Thank you. – Kristina
Before I address your question, I strongly urge you to get some help from your merchant processor in storing your customers’ credit card numbers securely. Writing down customers’ credit card numbers on a registration card is not a secure practice. A rogue employee or vendor who enters the building after hours or burglar could potentially steal the information and use it to make fraudulent charges.
Beyond that, storing customers’ card data insecurely could land you in a lot of hot water in the form of steep fines and the potential loss of your merchant account. The average cost of a data breach for a small firm is $36,000 when fines, liabilities and other costs are considered, according to First Data.
All of the major card brands require merchants with a legitimate business reason to store customers’ card numbers to follow what is known as the Payment Card Industry’s Data Security Standard. PCI DSS, as it is known, says the only permissible way to store this data is on PIN devices and payment applications certified by the Payment Card Industry Security Standards Council.
Fortunately, it is not hard to store customers’ data securely. Merchant processors offer a variety of encryption and tokenization technologies. For more detailed information, see the Guide to Safe Payments published by the Payment Card Industry Small Merchant Task Force. Getting set up may be a bit time consuming at first, but this is one thing you don’t want to put off.
And now for an answer to your question: To process a customer’s credit card on file, “you do not need the exact name,” according to Jennifer Glass, chief executive officer of Credit Cards New Jersey., a sales organization in Tenafly, New Jersey, that helps merchants find payment solutions.
However, I would suggest that you ask for the name that appears on the card so you will have as much information as possible in the event of a chargeback. As a best practice, Visa’s guidelines for merchants recommend that in card-not-present transactions that merchants do ask the name of the customer as it appears on the card. Once you’re set up with the right PCI compliant security system in place, keeping information like this in your records should not be a problem.
Meet CreditCards.com's reader Q&A experts
Does a personal finance problem have you worried? Monday through Saturday, CreditCards.com's Q&A experts answer questions from readers. Ask a question, or click on any expert to see their previous answers.
- How to handle an employee misusing a business credit card – If you're a business and issuing employees cards, make sure you have the right system in place to avoid inappropriate charges ...
- I used the company credit card for a personal purchase – What to do if you use your corporate credit card for a personal expense ...
- How long can a payment processor hold funds from my business? – If payment processors are holding on to funds to investigate transactions, there are some best practices to make the system smoother ...