How small businesses can safely store card details

Ask your merchant processor first; don't risk a do-it-yourself solution with this

Your Business Credit columnist Elaine Pofeldt
Elaine Pofeldt is a journalist whose articles on entrepreneurship and careers have appeared in Fortune, Working Mother, Money and many other publications. She is a former senior editor at Fortune Small Business magazine and an entrepreneur herself, as co-founder of 200kfreelancer.com, a website for independent professionals. She writes "Your Business Credit," a weekly column about small business and credit, for CreditCards.com.


Question

Dear Your Business Credit,
I need to store credit card details. We’re a small business and we currently use a service which only allows one single view of card details before removing the CVC.

Due to the nature of the business, we are required to view details more than once, so we need to keep the details somewhere else.

Do you have any resources? Thanks. – Robbie

Answer

Dear Robbie,
It’s great to see that you’re taking steps to protect your customers’ credit card data. The Equifax data breach is a good reminder for all of us of how vulnerable data can be.

You don’t need to hunt very far for a solution. It sounds as if you are using a private service of some sort to store the data. If that’s the case, before looking for another outside service, I’d inquire with your merchant processor.

Many of those companies offer their own solutions to store customers’ card data. The advantage of going this route is you know the solution will be one that works well with your merchant processing system.

Industry requirements for storing customer data

A little background: Every major card brand requires merchants who need to store customers’ card numbers to follow the Payment Card Industry’s Data Security Standard (PCI DSS). This is a framework developed by the PCI Security Standards Council, which is responsible for establishing a minimum set of requirements for protecting cardholder data.

Under PCI DSS, the only allowable way to store this data is on PIN devices and payment applications certified by the Payment Card Industry Security Standards Council.

You don’t have to figure this out on your own. Many merchant processors offer services that rely on encryption and tokenization technologies.

What if you don’t use a traditional merchant processor and rely on a service such as Square? These services also may offer their own solutions. Square, for instance, offers a service called “Card on File.” PayPal allows customers to store customers’ card data in its “Vault.” I’d ask whichever company processes your transactions what solutions it offers.

To be sure, all of these services will cost you some extra cash. Consider it money well spent. Data security is an area in which the potential consequences are too high.

You may be tempted to create a workaround to avoid the setup time, but this is a case in which a do-it-yourself approach can hurt you.

As I mentioned in an earlier column on how to securely store customer card data, merchants can face steep fines for storing customers’ data insecurely. It gets worse. If you were to experience a data breach and word spread to your customers, they might not entrust you with their credit card data again.

Become familiar with security data requirements

If you cannot find a solution you like and find there are situations in which you can’t work efficiently without keeping a hard copy of customers’ credit card data on file, then make sure you are familiar with the PCI Security Standards Council’s requirements to restrict physical access to the data. (See Page 19.)

The steps are not simple and require some prep work.

For example, one is to “ensure that all visitors are authorized before entering areas where cardholder data is processed or maintained; given a physical token that expires and that identifies visitors as not on-site personnel; and are asked to surrender the physical token before leaving the facility or at the date of expiration.”

Taking such steps would likely be difficult in a small business, so I recommend doing all you can to find a technological solution. It’ll save you hassles in the long run.



Updated: 11-24-2017