How small businesses can safely store card details
Ask your merchant processor first; don't risk a do-it-yourself solution with this
Dear Your Business Credit,
I need to store credit card details. We’re a small business and we currently use a service which only allows one single view of card details before removing the CVC.
Due to the nature of the business, we are required to view details more than once, so we need to keep the details somewhere else.
Do you have any resources? Thanks. – Robbie
It’s great to see that you’re taking steps to protect your customers’ credit card data. The Equifax data breach is a good reminder for all of us of how vulnerable data can be.
You don’t need to hunt very far for a solution. It sounds as if you are using a private service of some sort to store the data. If that’s the case, before looking for another outside service, I’d inquire with your merchant processor.
Many of those companies offer their own solutions to store customers’ card data. The advantage of going this route is you know the solution will be one that works well with your merchant processing system.
Industry requirements for storing customer data
A little background: Every major card brand requires merchants who need to store customers’ card numbers to follow the Payment Card Industry’s Data Security Standard (PCI DSS). This is a framework developed by the PCI Security Standards Council, which is responsible for establishing a minimum set of requirements for protecting cardholder data.
Under PCI DSS, the only allowable way to store this data is on PIN devices and payment applications certified by the Payment Card Industry Security Standards Council.
You don’t have to figure this out on your own. Many merchant processors offer services that rely on encryption and tokenization technologies.
What if you don’t use a traditional merchant processor and rely on a service such as Square? These services also may offer their own solutions. Square, for instance, offers a service called “Card on File.” PayPal allows customers to store customers’ card data in its “Vault.” I’d ask whichever service processes your transactions what solutions it offers.
To be sure, all of these services will cost you some extra cash. Consider it money well spent. Data security is an area in which the potential consequences are too high.
You may be tempted to create a workaround to avoid the setup time, but this is a case in which a do-it-yourself approach can hurt you.
As I mentioned in an earlier column on how to securely store customer card data, merchants can face steep fines for storing customers’ data insecurely. It gets worse. If you were to experience a data breach and word spread to your customers, they might not entrust you with their credit card data again.
Become familiar with security data requirements
If you cannot find a solution you like and find there are situations in which you can’t work efficiently without keeping a hard copy of customers’ credit card data on file, then make sure you are familiar with the PCI Security Standards Council’s requirements to restrict physical access to the data. (See Page 19.)
The steps are not simple and require some prep work.
For example, one is to “ensure that all visitors are authorized before entering areas where cardholder data is processed or maintained; given a physical token that expires and that identifies visitors as not on-site personnel; and are asked to surrender the physical token before leaving the facility or at the date of expiration.”
Taking such steps would likely be difficult in a small business, so I recommend doing all you can to find a technological solution. It’ll save you hassles in the long run.