Looking for a small-business solution to storing customer card details? Your merchant processor may offer a service that fits your security and budget needs.
Dear Your Business Credit:
I need to store credit card details. We’re a small business and we currently use a service which only allows one single view of card details before removing the CVC. Due to the nature of the business, we are required to view details more than once, so we need to keep the details somewhere else. Do you have any resources? Thanks. – Robbie
It’s great to see that you’re taking steps to protect your customers’ credit card data. Breaches and hacks this past year involving SolarWinds, Nintendo and the U.S. Small Business Administration are good reminders of just how vulnerable our data can be.
Many small business owners don’t realize they are storing customers’ data insecurely. SecurityMetrics’ 2020 PANScan study showed that 88% of businesses had unencrypted primary account numbers stored on their networks. There are many reasons for this: Employees may not know the business’s card data storage policies, payment applications may be misconfigured, or recently purchased payment processing applications may have old data stored on them.
If you’re concerned that your business is not storing customers’ data safely, you can find out using one of the approved vulnerability scanning vendors that the PCI Security Standards Council has identified.
To avoid a breach, try to reduce the data that you store overall. The PCI Security Standards Council recommends that small merchants offering curbside pickup take orders by phone and enter them directly into a secure terminal. It also recommends that merchants never store sensitive cardholder data on computers or on paper.
But in your industry, you do need to store some data somewhere. Fortunately, you don’t need to hunt very far for a solution. It sounds as if you are using a private service of some sort to store the data. If that’s the case, before looking for another outside service, I’d inquire with your merchant processor.
Many of those companies offer their own solutions to store customers’ card data. The advantage of going this route is you know the solution will be one that works well with your merchant processing system.
Even if you go this route, don’t assume it is secure. Ask if your payment terminal encryption is done via a point-to-point encryption solution. The solution your provider uses should be on the PCI SSC’s list of validated products and solutions.
Industry requirements for storing customer data
A little background: Every major card brand requires merchants who need to store customers’ card numbers to follow the Payment Card Industry Data Security Standard (PCI DSS). This is a framework developed by the PCI Security Standards Council, which establishes a minimum set of requirements for protecting cardholder data. The complete standard is published by the council.
Under PCI DSS, you must protect cardholder data at rest and encrypt it in transit. You must render the account number unreadable wherever it is stored, using encryption, tokenization, truncation, masking or hashing. You’ll also need to secure the cryptographic keys you use to do this. And you must document the security policies and operational procedures you use for protecting stored cardholder data.
The only allowable way to store this data is on PIN devices and payment applications certified by the Payment Card Industry Security Standards Council. This guide provides a clear overview of the requirements, including information on how to handle data from chip cards.
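To make the PANScan finding and the “unreadable” requirement concrete, here is a small added example (not code from the column, SecurityMetrics or the PCI SSC) that scans a few constructed business records for cleartext card numbers, drops false positives with the Luhn check, and shows the first-six/last-four truncated form that PCI DSS allows for display. The record text, the regex and the helper names are all assumptions made for this example.

```python
import re

# Constructed sample records: two hold test card numbers in the clear,
# one holds only a processor token, one holds a 16-digit tracking number.
SAMPLE_RECORDS = [
    "Order 1042 paid by card 4111 1111 1111 1111, exp 12/26, call 555-0100",
    "Customer note: reorder monthly; card on file token tok_9f3a",
    "Refund to 5500-0000-0000-0004 approved",
    "Shipping ref 1234567890123456 (tracking number, fails Luhn)",
]

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that real card numbers satisfy; filters out look-alikes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the cleartext PANs (digits only) found in one record."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Truncate to first six / last four, the most PCI DSS lets you display."""
    digits = re.sub(r"[ -]", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_records(records: list[str]) -> dict[int, list[str]]:
    """Map record index -> masked PANs, so a report never re-exposes the number."""
    report = {}
    for i, rec in enumerate(records):
        pans = find_pans(rec)
        if pans:
            report[i] = [mask_pan(p) for p in pans]
    return report


if __name__ == "__main__":
    for idx, masked in scan_records(SAMPLE_RECORDS).items():
        print(f"record {idx}: cleartext PAN(s) {masked}")
```

Run against exported notes, spreadsheets or log files, a report like this tells you which records need the number replaced with a processor token before an assessor or an attacker finds it.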
You don’t have to tackle data storage on your own. Many merchant processors offer services that rely on encryption and tokenization technologies.
What if you don’t use a traditional merchant processor and rely on a service such as Square? These services also may offer their own solutions. Square, for instance, offers a service called Card on File to store card information securely. Ask whichever company processes your transactions what solutions it offers, as the payment space is changing rapidly.
To be sure, all of these services will cost you some extra cash. But consider it money well spent. Data security is an area in which the potential consequences are too high. You may be tempted to create a workaround to avoid the setup time, but this is a case in which a do-it-yourself approach can hurt you.
Merchants can face steep fines for storing customers’ data insecurely. And it gets worse. If you were to experience a data breach and word spread to your customers, they might not entrust you with their credit card data again.
Become familiar with data security requirements
If you cannot find a solution you like and find there are situations in which you can’t work efficiently without keeping a hard copy of customers’ credit card data on file, then make sure you are familiar with the PCI Security Standards Council’s requirements to restrict physical access to the data.
The steps are not simple and require some prep work. It would likely be difficult in a small business, so I recommend doing all you can to find a technological solution. It’ll save you hassles in the long run.