How to Store Credit Card Information Safely

Processing card payments is a great responsibility for businesses, especially when it comes to the transmission and storage of confidential information. Even with the modern security measures, in the first half of 2021 alone, there were 1,767 publicly reported breaches that exposed 18.8 billion records.

But how not to become one of the victims of fraudulent activity and protect the clients’ payment data effectively? This practical guide has all the expert advice on storing credit card information that a merchant needs.

Why Is Secured Credit Card Storage Obligatory for a Business?

No matter on what scale your company operates, it is essential that it complies with the Payment Card Industry Data Security Standard. According to it, every merchant dealing with credit and debit card processing must take measures to safeguard the consumers’ vulnerable information and prevent system breaches. If you want to learn more about these guidelines, check out our detailed article about PCI DSS.

Here, we will focus on what the failure to follow the secure data storage protocol may result in. The severe negative consequences include:

• Reputational damage and decreased customer loyalty
• Fines ranging from $5,000 to $100,000 per month
• Increased transaction fees
• Loss of a merchant account
• Legal costs

As you can see, non-compliance with the PCI requirements is enough for a business to lose its client base and go bankrupt. Read ahead for valuable insights on how to avoid violating the storing customer credit card information law and minimize data fraud risks.

What Card Information Can Be Collected and Stored?

Having a clear understanding of what payment information is allowed to be stored is of utmost importance for PCI DSS compliance. Certified PSPs and payment gateways have the legal right to keep such encrypted payment details as:

• Cardholder name
• Primary Account Number (PAN)
• Credit card expiration date
• Service code

However, you cannot save sensitive authentication data even if it is encrypted, namely:

• Full magnetic stripe code
• PIN and PIN block
• CVV/CVC

Now that you are aware of the types of cardholder details allowed for storage let’s take a look at the undesirable ways of collecting credit card information online.

Top-3 Mistakes in Credit Card Information Storage

Here are some examples of practices that undermine data storage security:

1. No PAN Encryption

Storing credit card information in database entries is often associated with high vulnerability towards breaches. Notably, according to PANscan 2021, 74% of merchants do not encrypt credit card numbers. Such businesses often use systems that are not capable of handling payment information securely, such as:

• Spreadsheets (Google Sheets and Excel)
• File hosting services (Google Drive and Dropbox)
• CRM systems

Not only is it a blatant violation of the PCI DSS standard, but also a critical oversight that can result in an impactful data breach.

2. Giving Employees Excessive Access

Approximately 75% of breaches happen due to privilege misuse. This typically occurs when employees receive more data access than their job functions require. Nevertheless, statistically, less than half of businesses have a password vault, and only 21% of companies implement multi-factor authentication for privileged access.

3. Paper Format

As outdated as it might seem, some merchants still list clients’ payment information on paper. No matter if the records are kept in organized files, it is one of the riskiest methods of storing credit card numbers vulnerable to both internal and external fraudulent activities.

PCI-Compliant Approaches to Storing Credit Card Details

It is strongly recommended that cardholder data storage is limited to what a merchant needs to meet legal, regulatory, or business needs. Below, you will find the most trusted PCI-compliant practices to collect credit card information online and store it safely:

• One-way hashing. This is an irreversible technique that is perfect for cases where there is no need to retrieve the original card number. The algorithm displays only index data that refers to database entries where confidential information is actually located.
• Strong cryptography. This solution utilizes industry-accepted encryption protocols to transform payment details into an unreadable form.
• Truncation. This method entails removing most of the PAN, with no more than the first six and last four digits shown.
• Index tokens and pads. It is an approach that uses an encryption algorithm that conceals the original digits using a random key or “pad”.

However, on-site information storage is a complex solution that requires a lot of knowledge and effort from the merchant’s side. That is why business owners often choose to outsource data storage services.

Off-Site Storage

One of the preferred ways to keep the payment details protected is by collaborating with a third party that specializes in it, like a PCI DSS-certified PSP or payment gateway. Such organizations will place vulnerable information on secure servers. This alleviates the burden of PCI compliance to a certain degree by taking care of the most challenging aspects of the regulations.

Additional Tips on How to Collect Credit Card Information Online

Knowing and applying what the storing credit card information law requires is already a huge step towards securing the card payment details. However, there are some more important factors to keep in mind:

• Be careful when accessing systems remotely. It is best to reduce the frequency of system authorization conducted outside the office, as remote access often exposes sensitive information to a higher risk of hacking attacks. If it is not possible to limit such logins, additional security can be achieved by using multi-factor authentication and providing every user with unique credentials instead of universal ones.
• Don’t disregard the phone line. If you process card payments via phone, ensure that you use a secure line and keep the records in a vault. Utilizing a local line or personal cell phone for orders compromises data security drastically.
• Ensure regular updates. PCI regulations require merchants to keep corporate hardware and software up to date. It is a good practice to set up notifications for updates from vendors not to miss out on the release of new patches.

Besides, remember to stay updated on the upcoming PCI DSS v4.0 and stay compliant with the new regulations. Following all the advice mentioned above will keep your clients’ card information at minimal risk of breach.